Re: Freeradius & vpn issue

2012-01-17 Thread Alan DeKok
Guillermo Bayon del Oso wrote:
> I'm a non native speaker, so please accept my apologies if I'm not
> totally clear with my language. It's an issue with a net equipment that
> implements VPN connections and the authentication server (implemented
> with Freeradius).

  Your language is fine.

> We work with several software providers who connect with our Intranet
> through the VPN, in order to carry out their web application maintenance
> tasks. The clients are connected without problems for a long period of
> time during the night. But eventually the Freeradius (or vpn appliance,
> we don't know for certain) suddenly disconnects the clients from the VPN
> during the next day in the morning (when our partners are working).
> Actually several times (maybe 6 times).

  If the user gets connected for a time, and THEN disconnected: blame
the NAS (or VPN appliance).  The explanation is simple: the user is
allowed on the network after talking to FreeRADIUS.  Then, without
talking to FreeRADIUS, the user is disconnected.

  It can't be a FreeRADIUS issue.

> The error we've seen in the log (we've used radmin and raddebug tools) is:
> 
> "Acct-Terminate-Cause = 0"
> 
> But in the Radius Accounting RFC
> (http://freeradius.org/rfc/rfc2866.html) this value is not permitted
> (possible values are 1-18).

  Ah, yes.  The VPN software is broken.  This is fairly common.
FreeRADIUS follows the RFCs.  NAS / VPN software... not so much.

> , ,  and  aren't real values
> (they're masked for privacy) although I think the error isn't related to
> them.
> Thank you very much in advance!!

  Call up the vendor of the VPN appliance, and ask them why their
product doesn't work.  If they argue, point out that I'm the author /
co-author of many RADIUS RFCs, including 5080, 6158, and others.

  They can believe their internal engineers who know nothing about
RADIUS.  Or, they can believe someone who wrote the specifications
describing the protocol.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius & vpn issue

2012-01-17 Thread Guillermo Bayon del Oso
Hello!

Could someone please kindly help me with a Freeradius & VPN issue? Any help 
would be very appreciated!


I'm a non native speaker, so please accept my apologies if I'm not totally 
clear with my language. It's an issue with a net equipment that implements VPN 
connections and the authentication server (implemented with Freeradius).

We work with several software providers who connect with our Intranet through 
the VPN, in order to carry out their web application maintenance tasks. The clients 
are connected without problems for a long period of time during the night. But 
eventually the Freeradius (or vpn appliance, we don't know for certain) 
suddenly disconnects the clients from the VPN during the next day in the 
morning (when our partners are working). Actually several times (maybe 6 times).

They should log in again (via automated pppd script and a watchdog). This 
watchdog also tries to keep the VPN open and if it's not open, it tries to 
reconnect the VPN again (like a heartbeat).

The error we've seen in the log (we've used radmin and raddebug tools) is:

"Acct-Terminate-Cause = 0"


But in the Radius Accounting RFC (http://freeradius.org/rfc/rfc2866.html) this 
value is not permitted (possible values are 1-18).

This is a piece of log, where you can see when a client disconnects from the VPN:

Mon Jan 16 09:19:54 2012
Acct-Session-Id = ""
Tunnel-Server-Endpoint:0 = ""
Tunnel-Client-Endpoint:0 = ""
Tunnel-Assignment-Id:0 = "PPTP"
Framed-Protocol = PPP
Framed-IP-Address = 
User-Name = ""
Acct-Authentic = RADIUS
Acct-Terminate-Cause = 0
Acct-Session-Time = 125159
Acct-Input-Octets = 1312452
Acct-Output-Octets = 2391455
Acct-Input-Packets = 19372
Acct-Output-Packets = 25170
Acct-Status-Type = Stop
NAS-Port-Type = Virtual
NAS-Port = 323
Service-Type = Framed-User
NAS-IP-Address = 
Acct-Delay-Time = 0
Huntgroup-Name = "PPTP"
Acct-Unique-Session-Id = ""
Stripped-User-Name = ""
Realm = "NULL"
Timestamp = 1326701994
Request-Authenticator = Verified

, ,  and  aren't real values 
(they're masked for privacy) although I think the error isn't related to them.
Thank you very much in advance!!

Guillermo.
 
---
Guillermo Bayon del Oso
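As an added check (not code from the post or from FreeRADIUS), the Python below parses Stop records written in the detail-file layout the log above uses and flags any Acct-Terminate-Cause outside the 1-18 values RFC 2866 defines, attributing the defect to the NAS as Alan's reply does; the sample records are constructed from the post's Stop record (masked fields left empty) plus one compliant record for contrast.

```python
"""Audit FreeRADIUS accounting Stop records against RFC 2866 (added example)."""
import re

# Acct-Terminate-Cause values defined in RFC 2866 section 5.10; anything else
# (the NAS's "0" in the post) is outside the specification.
RFC2866_TERMINATE_CAUSES = {
    1: "User Request", 2: "Lost Carrier", 3: "Lost Service", 4: "Idle Timeout",
    5: "Session Timeout", 6: "Admin Reset", 7: "Admin Reboot", 8: "Port Error",
    9: "NAS Error", 10: "NAS Request", 11: "NAS Reboot", 12: "Port Unneeded",
    13: "Port Preempted", 14: "Port Suspended", 15: "Service Unavailable",
    16: "Callback", 17: "User Error", 18: "Host Request",
}
# The detail file writes known integer values by their dictionary name
# ("Lost-Carrier"); values with no name, such as 0, appear as bare numbers.
NAME_TO_CODE = {name.replace(" ", "-"): code
                for code, name in RFC2866_TERMINATE_CAUSES.items()}

# Constructed sample in the FreeRADIUS "detail" layout: the first record mirrors
# the Stop record from the post (masked values left empty), the second is a
# compliant record added for contrast.
SAMPLE_DETAIL = """\
Mon Jan 16 09:19:54 2012
\tAcct-Session-Id = ""
\tTunnel-Assignment-Id:0 = "PPTP"
\tFramed-Protocol = PPP
\tFramed-IP-Address = 
\tUser-Name = ""
\tAcct-Authentic = RADIUS
\tAcct-Terminate-Cause = 0
\tAcct-Session-Time = 125159
\tAcct-Status-Type = Stop
\tNAS-Port-Type = Virtual
\tNAS-Port = 323
\tTimestamp = 1326701994

Mon Jan 16 09:20:10 2012
\tUser-Name = ""
\tAcct-Terminate-Cause = Lost-Carrier
\tAcct-Session-Time = 3600
\tAcct-Status-Type = Stop
\tNAS-Port = 324
\tTimestamp = 1326702010
"""

ATTR_RE = re.compile(r"^\s*([\w.:-]+)\s*=\s*(.*?)\s*$")


def parse_detail(text):
    """Split detail-file text into records: one dict per blank-line-separated block.

    The block's first line (the human-readable timestamp) is kept under
    "_header"; attribute values lose their surrounding quotes.
    """
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        record = {"_header": lines[0].strip()}
        for line in lines[1:]:
            match = ATTR_RE.match(line)
            if match:
                record[match.group(1)] = match.group(2).strip('"')
        records.append(record)
    return records


def terminate_cause_code(value):
    """Map a raw ("0") or named ("Lost-Carrier") Acct-Terminate-Cause to its integer."""
    if value.lstrip("-").isdigit():
        return int(value)
    return NAME_TO_CODE.get(value)


def session_start_epoch(record):
    """Derive the session start (Unix time) from the Stop timestamp and session length."""
    return int(record["Timestamp"]) - int(record["Acct-Session-Time"])


def check_stop_record(record):
    """Return findings for one Stop record; an empty list means it is RFC 2866 clean."""
    findings = []
    if record.get("Acct-Status-Type") != "Stop":
        return findings  # only Stop records carry a terminate cause
    raw = record.get("Acct-Terminate-Cause")
    if raw is not None:  # the attribute itself is optional in a Stop
        code = terminate_cause_code(raw)
        if code not in RFC2866_TERMINATE_CAUSES:
            findings.append(
                f"Acct-Terminate-Cause={raw} is outside the RFC 2866 range 1-18; "
                "the NAS, not the RADIUS server, produced this value")
    if "Acct-Session-Time" not in record:
        findings.append("Acct-Session-Time missing from Stop record")
    return findings


def audit_detail(text):
    """Audit every Stop record; returns {NAS-Port: [findings]} for offending records only."""
    report = {}
    for record in parse_detail(text):
        findings = check_stop_record(record)
        if findings:
            report[record.get("NAS-Port", record["_header"])] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_detail(SAMPLE_DETAIL).items():
        print(f"NAS-Port {port}:")
        for finding in findings:
            print("  -", finding)
```

Run against a real detail file, a non-empty report lists exactly the NAS ports whose Stop records the appliance filled in with an out-of-spec cause, which is the evidence to hand to the vendor.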


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Alan DeKok
Alan DeKok wrote:
>   Ignorance is understandable.  You have *never* seen be get annoyed at

It's getting late here.  I need to go home and rest.

  What I meant to say was you've never seen me get annoyed at people for
being ignorant.  There are tons of things I don't know.

  Alan DeKok.


Re: EAP-session did no finish! (Linux)

2012-01-17 Thread Alan DeKok
Alberto Martínez wrote:
> I've just purged FR, reinstalled, issued new certs, and I'm getting the
> same error while trying to authenticate from Linux.
> 
> Now I'll post the whole debug:

  Follow the EAP howto on my web page:  http://deployingradius.com

  I don't know what's wrong with your setup.  There are a lot of moving
parts in EAP authentication, and it's easy for something to go wrong.

  Following my Howto will either (a) work, or (b) tell you exactly what
is going wrong.

  Posting the debug output with the *same* message is not helping.

  Also, the fact that the NAS retransmits the Access-Request is a
problem.  No, it's not a RADIUS problem.  It's likely a problem with the
NAS.  Go look at *its* logs to see what's going on.

  Alan DeKok.


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Alan DeKok
John Dennis wrote:
> I have an alternate explanation. People construct convoluted systems
> because they lack a clear mental model of what is going on. Without an
> overarching understanding they either flail about or they take what they
> presume is the shortest path to a solution (e.g. LDAP can authenticate,
> I'll just use that).

  They lack a clear process.  The *correct* process is documented in the
radiusd "man" page, the wiki, and elsewhere.  The EAP "howto" on my web
page walks through this process in excruciating detail.

  Ignorance is understandable.  You have *never* seen be get annoyed at
someone for being ignorant.  You *have* seen me get annoyed at people
who refuse to learn.

> What is really missing is a simple document which ties all the pieces
> together so a newbie can form a mental model and design an uncomplicated
> efficient system. (Yes, I know, an old topic)

  Yup.

> I'm willing to bet most of the old hands on this list were also
> befuddled early on and the clarity was only arrived at by diligently
> peeling back the layers and learning each piece of the puzzle.

  For me, "diligent" == "having a good method".

  Method is *more* important than memorizing information. Why would you
do that?  You can get information about anything via "google".

> That's
> not something a sys admin can do when he/she is given a week to deploy a
> RADIUS solution especially if they haven't had extensive formal training
> with networking, system services and authentication.

  Yup.  If I know nothing about car maintenance, I expect my mechanic to
get annoyed when I try to do it myself, ask him questions, *and* make it
clear I haven't read the manual.

  Alan DeKok.


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Alan DeKok
David Mitton wrote:
>   Aww, come on guys. Are such abusive speculations necessary?

  I've formed my opinions after reading the posts on this list.

  They generally fall into two categories.  The first gives useful
information, follows instructions, and gets the problem solved.  The
second doesn't do any of that.

  It's really that simple.  I've been saying it for ~8 years, and
haven't seen any reason to change.

  Look at the posts from the OP.  The debug log shows what the errors
are.  The "help" on this list is largely just pointing out the messages
from the debug log.

  The real abuse is from people who engage in name-calling, insults,
curses, etc.  Those people now get unsubscribed.

  Being factual?  That may be hard to take for sensitive people.  It's
not abusive.

  Alan DeKok.


Re: EAP-session did no finish! (Linux)

2012-01-17 Thread Fajar A. Nugraha
On Tue, Jan 17, 2012 at 9:07 PM, Alberto Martínez
 wrote:
> Of course not.

So you're NOT using the same certificate?

> Give me some credit. BUT, in case I did, the debug would show
> an ugly TLS error instead of an error referencing a whole other issue.

Actually, it'd be much easier to use the same certificates. The
non-working one might be missing xpextension. Just something else to
check. If you've used the same certificate, identical (or
similar-enough) FR configs, one success and the other doesn't, then
it's 100% not a certificate issue.

-- 
Fajar



Re: Radius integration with LDAP (SASL)

2012-01-17 Thread John Dennis

>> I guess he needs to set "Auth-Type"... I don't know why people construct
>> these Heath Robinson systems that make their lives difficult!
>
>   Because they believe complicated systems are better.  Because they
> can't follow instructions.  Because they think they know better than
> people who've been doing it for 10+ years.  Maybe all/some of the above.

Never ascribe to malice what can be attributed to ignorance.

I have an alternate explanation. People construct convoluted systems 
because they lack a clear mental model of what is going on. Without an 
overarching understanding they either flail about or they take what they 
presume is the shortest path to a solution (e.g. LDAP can authenticate, 
I'll just use that).


What is really missing is a simple document which ties all the pieces 
together so a newbie can form a mental model and design an uncomplicated 
efficient system. (Yes, I know, an old topic)


I'm willing to bet most of the old hands on this list were also 
befuddled early on and the clarity was only arrived at by diligently 
peeling back the layers and learning each piece of the puzzle. That's 
not something a sys admin can do when he/she is given a week to deploy a 
RADIUS solution especially if they haven't had extensive formal training 
with networking, system services and authentication.


--
John Dennis 



Re: Radius integration with LDAP (SASL)

2012-01-17 Thread David Mitton

Quoting Alan DeKok :

> Phil Mayers wrote:
>> On 17/01/12 14:04, Alan DeKok wrote:
>> I guess he needs to set "Auth-Type"... I don't know why people construct
>> these Heath Robinson systems that make their lives difficult!
>
>   Because they believe complicated systems are better.  Because they
> can't follow instructions.  Because they think they know better than
> people who've been doing it for 10+ years.  Maybe all/some of the above.
>
>   Alan DeKok.

  Aww, come on guys. Are such abusive speculations necessary?


Never ascribe to malice that which is adequately explained by incompetence
see http://en.wikipedia.org/wiki/Hanlon's_razor

Though I'm more of a Heinlein fan myself.
Dave.


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Alan DeKok
Phil Mayers wrote:
> On 17/01/12 14:04, Alan DeKok wrote:
> IIRC that's a special value that OpenLDAP uses; "{SASL}username" tells
> OpenLDAP to use the SASL library, with the username after the } and the
> password given in the bind request.

  Sure.  But then LDAP should go do that lookup!

> So, he's using LDAP as an oracle to talk to an oracle. Maybe there's
> another oracle in there somewhere...

  Probably.  As he said, it's FreeRADIUS -> LDAP -> SASL

  But... the debug log shows FreeRADIUS -> LDAP.  So the LDAP-SASL link
is broken.

  Is that a RADIUS problem?

  Nope.

> I guess he needs to set "Auth-Type"... I don't know why people construct
> these Heath Robinson systems that make their lives difficult!

  Because they believe complicated systems are better.  Because they
can't follow instructions.  Because they think they know better than
people who've been doing it for 10+ years.  Maybe all/some of the above.

  Alan DeKok.


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Phil Mayers

On 17/01/12 13:39, vijay t wrote:
> [ldap] Added User-Password = {SASL}suresht in check items


This is all wrong.

{SASL}user is only meaningful to the LDAP server. You'll just confuse 
FreeRADIUS with this; it won't work.


You need to understand what you're trying to accomplish:

 1. PAP request comes into FreeRADIUS
 2. FreeRADIUS performs LDAP search to find LDAP user DN
 3. FreeRADIUS makes LDAP BIND with LDAP user DN & PAP password

Instead, you have FreeRADIUS doing this:

 1. PAP request comes into FreeRADIUS
 2. FreeRADIUS performs LDAP search to find LDAP user DN and "plaintext 
password"
 3. FreeRADIUS tries to perform authentication locally using the 
"plaintext" password (actually {SASL}username)


I'm not sure how you can accomplish what you want. You probably need to 
"hide" userPassword from FreeRADIUS, so that it can't see it.


Basically, you're doing something weird. You're going to have to try and 
figure this out yourself, to a large extent.




Re: EAP-session did no finish! (Linux)

2012-01-17 Thread Alan DeKok
Alberto Martínez wrote:
> Of course not. Give me some credit. BUT, in case I did, the debug would
> show an ugly TLS error instead of an error referencing a whole other issue.

  No.

  Alan DeKok.


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Phil Mayers

On 17/01/12 14:04, Alan DeKok wrote:
> vijay t wrote:
>> Please note I am "using SASL on my LDAP"... If I create a user in the LDAP
>> server itself (e.g. 101821) I am able to authenticate the user (please see
>> the debug output "1"). I am facing the problem only for those users for whom
>> I am using the SASL mechanism for userPassword (please see the debug output "2").
>
>    And again, the debug output tells you what is going wrong.  Read it.
>
>    {SASL}... is NOT the user's clear-text password.


IIRC that's a special value that OpenLDAP uses; "{SASL}username" tells 
OpenLDAP to use the SASL library, with the username after the } and the 
password given in the bind request.


So, he's using LDAP as an oracle to talk to an oracle. Maybe there's 
another oracle in there somewhere...


I guess he needs to set "Auth-Type"... I don't know why people construct 
these Heath Robinson systems that make their lives difficult!



Re: EAP-session did no finish! (Linux)

2012-01-17 Thread Alberto Martínez
Of course not. Give me some credit. BUT, in case I did, the debug would
show an ugly TLS error instead of an error referencing a whole other issue.

Thanks for your replies anyway.

2012/1/17 Fajar A. Nugraha 

> On Tue, Jan 17, 2012 at 7:18 PM, Alberto Martínez
>  wrote:
> >>  The problem is ALWAYS the same.  The Wiki page describes the problems,
> >> and the solutions.
> >
> >
> > That particular error is known to pop out when a Windows client uses a
> > misconfigured certificate, or the MTU is too high. This case is neither
> one
> > nor the other.
>
> So just to confirm, you're using the SAME server certificate on BOTH
> servers, which you generate manually, and NOT using the one
> automatically-created when you install the package (e.g. rpm, deb),
> right?
>
> --
> Fajar



-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Alan DeKok
vijay t wrote:
> Please note I am "using SASL on my LDAP"... If I create a user in the LDAP
> server itself (e.g. 101821) I am able to authenticate the user (please see
> the debug output "1"). I am facing the problem only for those users for whom
> I am using the SASL mechanism for userPassword (please see the debug output "2").

  And again, the debug output tells you what is going wrong.  Read it.

  {SASL}... is NOT the user's clear-text password.

  Why is that in the LDAP database?  What led you to believe that
FreeRADIUS understands it?  You *do* understand how databases work, right?

  Alan DeKok.


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread vijay t
Hello,
 
Thanks for the quick response
 
Please note I am "using SASL on my LDAP"... If I create a user in the LDAP
server itself (e.g. 101821) I am able to authenticate the user (please see the
debug output "1"). I am facing the problem only for those users for whom I am
using the SASL mechanism for userPassword (please see the debug output "2").
 
Debug output "1"
 
rad_recv: Access-Request packet from host 10.168.109.120 port 57709, id=24,
length=58
    User-Name = "101821"
    User-Password = "q"
    NAS-IP-Address = 10.1.109.120
    NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "101821", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 101821
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> 101821
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=101821)
[ldap]  expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=101821)
request done: ld 0x126be520 msgid 4
[ldap] Added User-Password = q in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 101821 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!
!!!    Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "q"
[pap] Using clear text password "q"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 24 to 10.168.109.120 port 57709
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 24 with timestamp +854
Ready to process requests.


Debug output "2"


rad_recv: Access-Request packet from host 10.168.109.120 port 54218, id=100,
length=58
    User-Name = "105900"
    User-Password = "sbt"
    NAS-IP-Address = 10.1.109.120
    NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "105900", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 105900
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> 105900
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=105900)
[ldap]  expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=105900)
request done: ld 0x126be520 msgid 3
[ldap] Added User-Password = {SASL}suresht in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 105900 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!
!!!    Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!

Re: impossible to be authenticated

2012-01-17 Thread John Dennis

On 01/17/2012 03:16 AM, ousmane sanogo wrote:
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.


I assume you did try to authenticate, if so then the answer is above 
because the server did not report any attempts to connect to it after 
reporting it was ready to process requests. Bottom line is you're not 
communicating with the server, you need to fix that. First place to look 
is your firewall settings. Please do not post anything else until the 
server is showing it has received and processed a request. We can help 
you with radius, but we can't fix your network.


--
John Dennis 



Re: EAP-session did no finish! (Linux)

2012-01-17 Thread Fajar A. Nugraha
On Tue, Jan 17, 2012 at 7:18 PM, Alberto Martínez
 wrote:
>>  The problem is ALWAYS the same.  The Wiki page describes the problems,
>> and the solutions.
>
>
> That particular error is known to pop out when a Windows client uses a
> misconfigured certificate, or the MTU is too high. This case is neither one
> nor the other.

So just to confirm, you're using the SAME server certificate on BOTH
servers, which you generate manually, and NOT using the one
automatically-created when you install the package (e.g. rpm, deb),
right?

-- 
Fajar



RE: EAP-session did no finish! (Linux)

2012-01-17 Thread Sergio NNX

Are we still having problems with this 'never ending' issue? Sending you 
Alberto another email 

Date: Tue, 17 Jan 2012 13:18:57 +0100
Subject: Re: EAP-session did no finish! (Linux)
From: alberto_marti...@deusto.es
To: freeradius-users@lists.freeradius.org


>   The problem is ALWAYS the same.  The Wiki page describes the problems,
> and the solutions.

That particular error is known to pop out when a Windows client uses a 
misconfigured certificate, or the MTU is too high. This case is neither one nor 
the other. 

>  Try setting up the second server as a brand new server with brand new
> certificates.  Follow the *documented* process of setting up a new
> server with EAP-TLS / PEAP.  It *will* work.

I have no heavy modifications of the original configuration, just the minimum 
required for eap-peap-mschapv2 to work. Which has been copied from a working 
server.

> It's probably the cert.

I suspected that, but I'm making no progress with it, and I've ended with the 
process pretty much automated. I will continue doing tests, but I felt I was 
missing something else. 

> If it's NOT the cert, then you need to investigate the AP/switch or the 
> client; FreeRADIUS is not receiving the next packet, so either the 
> client or the AP/switch has dropped / ignored it.

Maybe, but the only change made was the address where to point at. However, I 
should check that too. 

> One thing to check is MTU; you've trimmed the debug so it's hard to know, but 
> usually the next EAP packet would be large(-ish).

Framed-MTU = 1100 << from debug

fragment_size = 1024 << eap.conf (default setting)

> Also check the client - look in the logs, or use tcpdump to check the 
> client actually receives the EAP packet, and sends a reply. Likewise the
> AP/switch.
>
> Also check any firewalls in between.

Yes, it shows a conversation, so no dropped packets in between.


-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:    +34 - 94 413 91 01





Re: EAP-session did no finish! (Linux)

2012-01-17 Thread Alberto Martínez
>
>  The problem is ALWAYS the same.  The Wiki page describes the problems,
> and the solutions.
>

That particular error is known to pop out when a Windows client uses a
misconfigured certificate, or the MTU is too high. This case is neither one
nor the other.


>   Try setting up the second server as a brand new server with brand new
> certificates.  Follow the *documented* process of setting up a new
> server with EAP-TLS / PEAP.  It *will* work.
>

I have no heavy modifications of the original configuration, just the
minimum required for eap-peap-mschapv2 to work. Which has been copied from
a working server.

> It's probably the cert.

I suspected that, but I'm making no progress with it, and I've ended with
the process pretty much automated. I will continue doing tests, but I felt
I was missing something else.

> If it's NOT the cert, then you need to investigate the AP/switch or the
> client; FreeRADIUS is not receiving the next packet, so either the client
> or the AP/switch has dropped / ignored it.

Maybe, but the only change made was the address where to point at. However,
I should check that too.

> One thing to check is MTU; you've trimmed the debug so it's hard to know,
> but usually the next EAP packet would be large(-ish).

Framed-MTU = 1100 << from debug

fragment_size = 1024 << eap.conf (default setting)

> Also check the client - look in the logs, or use tcpdump to check the
> client actually receives the EAP packet, and sends a reply. Likewise the
> AP/switch.
>
> Also check any firewalls in between.

Yes, it shows a conversation, so no dropped packets in between.


-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Phil Mayers

On 17/01/12 11:55, vijay t wrote:
> My LDAP server uses the SASL mechanism for authenticating uid/username
> against userPassword. How can I integrate this LDAP server with the
> FreeRADIUS server, and which configuration needs to be changed? On
> debug, my radius server shows the following error. Kindly suggest.


Read this:

http://deployingradius.com/documents/protocols/compatibility.html

And this:

http://deployingradius.com/documents/protocols/oracles.html

Short version: if you need to use "LDAP BIND", you can only support PAP 
authentication.



> [ldap] expand: %{User-Name} -> google
> [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)
> [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
> request done: ld 0x748c7d0 msgid 9
> [ldap] object not found
> [ldap] search failed


Your first problem is that the LDAP Search has failed. Fix your LDAP 
search filter, or ensure the user exists.

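As an added example (not code from the thread or from FreeRADIUS), the Python below models the two flows Phil contrasts in his later reply (search for the DN then BIND with the PAP password, versus reading userPassword and comparing it locally) and the PAP-only limit of LDAP BIND stated above; StubDirectory, its SASL backend and the two entries are constructed stand-ins for OpenLDAP that reproduce the "{SASL}name" behaviour described in the thread, not a real LDAP client.

```python
"""Model of the two FreeRADIUS/LDAP flows discussed in the thread (added example)."""


class BindNeedsCleartext(Exception):
    """Raised when a flow needs the clear-text password but the request has none."""


class StubDirectory:
    """Minimal stand-in for an OpenLDAP server (constructed, not a real client).

    Entries are keyed by DN. A userPassword of the form "{SASL}name" is not a
    secret: on BIND the server hands the supplied password to the SASL library
    for "name" (the behaviour Phil Mayers describes), so this stub does the same
    against a constructed SASL backend. Any other userPassword is clear text.
    """

    def __init__(self, entries, sasl_backend):
        self.entries = entries            # {dn: {"uid": ..., "userPassword": ...}}
        self.sasl_backend = sasl_backend  # {sasl_name: password}, constructed

    def search(self, base, uid):
        """Return the DN of the entry whose uid matches under base, or None."""
        for dn, attrs in self.entries.items():
            if dn.endswith(base) and attrs.get("uid") == uid:
                return dn
        return None

    def read_attribute(self, dn, name):
        """What FreeRADIUS sees when its search also pulls userPassword."""
        return self.entries[dn].get(name)

    def bind(self, dn, password):
        """Simple BIND: the server, not the client, decides how to verify."""
        stored = self.entries[dn].get("userPassword", "")
        if stored.startswith("{SASL}"):
            sasl_name = stored[len("{SASL}"):]
            return self.sasl_backend.get(sasl_name) == password
        return stored == password


def auth_via_bind(directory, base, user, cleartext_password):
    """Flow Phil recommends: search for the DN, then BIND with the PAP password.

    BIND needs the clear-text password, so CHAP/MS-CHAP requests (which carry
    only a challenge response) cannot use it: "LDAP BIND" means PAP only.
    """
    if cleartext_password is None:
        raise BindNeedsCleartext("LDAP BIND requires the clear-text password (PAP only)")
    dn = directory.search(base, user)
    if dn is None:
        return False  # equivalent to "[ldap] search failed" in the debug output
    return directory.bind(dn, cleartext_password)


def auth_via_local_compare(directory, base, user, cleartext_password):
    """Flow in the poster's config: read userPassword and let rlm_pap compare it.

    This is what "Added User-Password = {SASL}suresht in check items" shows:
    the literal string {SASL}suresht is treated as the "known good" password.
    Besides failing for real users, it means the placeholder string itself
    would be accepted as a password.
    """
    dn = directory.search(base, user)
    if dn is None:
        return False
    known_good = directory.read_attribute(dn, "userPassword")
    return known_good == cleartext_password


# Constructed directory mirroring the two debug outputs: one clear-text user
# and one SASL-delegated user under ou=Users,dc=cdac,dc=in.
BASE = "ou=Users,dc=cdac,dc=in"
DIRECTORY = StubDirectory(
    entries={
        "uid=101821," + BASE: {"uid": "101821", "userPassword": "q"},
        "uid=105900," + BASE: {"uid": "105900", "userPassword": "{SASL}suresht"},
    },
    sasl_backend={"suresht": "sbt"},  # constructed SASL credential store
)


def compare_flows(user, password):
    """Return (bind_result, local_compare_result) for one PAP request."""
    return (auth_via_bind(DIRECTORY, BASE, user, password),
            auth_via_local_compare(DIRECTORY, BASE, user, password))


if __name__ == "__main__":
    for user, password in (("101821", "q"), ("105900", "sbt"), ("google", "google@1234")):
        print(user, compare_flows(user, password))
```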


Re: Radius integration with LDAP (SASL)

2012-01-17 Thread Alan DeKok
vijay t wrote:
> My LDAP server uses the SASL mechanism for authenticating uid/username
> against userPassword. How can I integrate this LDAP server with the
> FreeRADIUS server, and which configuration needs to be changed? On
> debug, my radius server shows the following error. Kindly suggest.

  READ the debug output.  FreeRADIUS is querying LDAP, and the LDAP
server is returning "search failed".

  Fix it so that (a) you're using the correct search parameters, or (b)
there's a user in LDAP.

  Alan DeKok.


Radius integration with LDAP (SASL)

2012-01-17 Thread vijay t
My LDAP server uses the SASL mechanism for authenticating uid/username against
userPassword. How can I integrate this LDAP server with the FreeRADIUS server, and
which configuration needs to be changed? On debug, my radius server shows the
following error. Kindly suggest.

Traffic flow as follows:

Radius client--> Radius server--> Ldap server --> SASL Authentication--->
Backend server



rad_recv: Access-Request packet from host 10.168.109.120 port 42911, id=96,
length=58
    User-Name = "google"
    User-Password = "google@1234"
    NAS-IP-Address = 10.1.109.120
    NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "google", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for google
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> google
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)
[ldap]  expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
request done: ld 0x748c7d0 msgid 9
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the
user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> google
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 96 to 10.168.109.120 port 42911
Waking up in 4.9 seconds.

Regards

Vijay

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
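As an added example (not code from Vijay's message or from the FreeRADIUS project), the Python script below summarises a radiusd -X authorize transcript like the one above: it collects the per-module return codes by section, the LDAP base DN and filter, and the final reply, then explains the reject in those terms. The input is a constructed, abridged copy of the transcript; the regular expressions are assumptions about the 2.x debug line formats visible in this thread.

```python
"""Summarise a FreeRADIUS 2.x "radiusd -X" transcript and explain a reject.

Added example, not code from the mailing-list post or from FreeRADIUS.
The regular expressions are assumptions about the debug line formats
visible in the thread ("++[module] returns rcode", "Sending Access-...").
"""
import re

# Constructed, abridged copy of the transcript quoted in the post above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.168.109.120 port 42911, id=96, length=58
    User-Name = "google"
    User-Password = "google@1234"
    NAS-IP-Address = 10.1.109.120
    NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for google
  [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
  [ldap] object not found
++[ldap] returns notfound
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 96 to 10.168.109.120 port 42911
"""

SECTION_RE = re.compile(r"^\+- entering group (?P<name>\S+)")
MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rcode>\w+)$")
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.+)$")
SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>\(.+\))")
REPLY_RE = re.compile(r"^Sending (?P<code>Access-(?:Accept|Reject|Challenge)) of id \d+")


def parse_debug(text):
    """Collect request attributes, per-section module return codes and the reply."""
    summary = {"attrs": {}, "modules": [], "ldap_search": None,
               "reply": None, "no_auth_type": False}
    section = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif m := MODULE_RE.match(line):
            summary["modules"].append((section, m["module"], m["rcode"]))
        elif m := ATTR_RE.match(line):
            # Keep the cleartext password out of any summary that gets shared.
            if m["name"] != "User-Password":
                summary["attrs"][m["name"]] = m["value"].strip('"')
        elif m := SEARCH_RE.search(line):
            summary["ldap_search"] = (m["base"], m["filter"])
        elif m := REPLY_RE.match(line):
            summary["reply"] = m["code"]
        elif "No authenticate method (Auth-Type) found" in line:
            summary["no_auth_type"] = True
    return summary


def diagnose(summary):
    """Name the modules whose return codes explain a reject without Auth-Type."""
    if not summary["no_auth_type"]:
        return {"cause": "other", "notfound": [], "ldap_search": summary["ldap_search"]}
    authorize = [(mod, rc) for sec, mod, rc in summary["modules"] if sec == "authorize"]
    return {
        "cause": "no-auth-type",
        # Modules that looked the user up and did not find an entry.
        "notfound": [mod for mod, rc in authorize if rc == "notfound"],
        # Modules that could have set Auth-Type but declined to act.
        "noop": [mod for mod, rc in authorize if rc == "noop"],
        "ldap_search": summary["ldap_search"],
        "reply": summary["reply"],
    }


def report(text):
    """One-paragraph, human-readable explanation for the transcript."""
    s = parse_debug(text)
    d = diagnose(s)
    user = s["attrs"].get("User-Name", "?")
    if d["cause"] != "no-auth-type":
        return f"User {user}: Auth-Type was set; inspect the authenticate section."
    where = ""
    if d["ldap_search"]:
        base, flt = d["ldap_search"]
        where = f" (ldap searched {base} with filter {flt})"
    return (f"User {user}: no authorize module produced a known-good password or "
            f"Auth-Type; notfound from {', '.join(d['notfound'])}{where}; "
            f"reply was {d['reply']}.")


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))
```

Run on the transcript above it points at the two lookup modules that returned notfound and at the LDAP search that produced no entry for uid=google under ou=Users,dc=cdac,dc=in, which is why nothing set Auth-Type and pap had no known-good password to work with.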


Re: EAP-session did not finish! (Linux)

2012-01-17 Thread Phil Mayers

On 17/01/12 11:11, Alberto Martínez wrote:
> Hello Alan.
>
> "Almost" means the difference between passwords, directories and such. I
> suspected the certificate and worked on it, but the error is still there.

It's probably the cert.

If it's NOT the cert, then you need to investigate the AP/switch or the 
client; FreeRADIUS is not receiving the next packet, so either the 
client or the AP/switch has dropped / ignored it.

One thing to check is MTU; you've trimmed the debug so it's hard to 
know, but usually the next EAP packet would be large(-ish).

Also check the client - look in the logs, or use tcpdump to check the 
client actually receives the EAP packet, and sends a reply. Likewise the 
AP/switch.

Also check any firewalls in between.

> [eap] EAP packet type response id 1 length 23
> [eap] No EAP Start, assuming it's an on-going EAP conversation << It
> should be a start, since it's the first message to arrive

No. That's not really true. Ignore that debug message.


Re: EAP-session did not finish! (Linux)

2012-01-17 Thread Alan DeKok
Alberto Martínez wrote:
> "Almost" means the difference between passwords, directories and such. I
> suspected the certificate and worked on it, but the error is still there.

  The problem is ALWAYS the same.  The Wiki page describes the problems,
and the solutions.

  Try setting up the second server as a brand new server with brand new
certificates.  Follow the *documented* process of setting up a new
server with EAP-TLS / PEAP.  It *will* work.

  Alan DeKok.


Re: EAP-session did not finish! (Linux)

2012-01-17 Thread Alberto Martínez
Hello Alan.

"Almost" means the difference between passwords, directories and such. I
suspected the certificate and worked on it, but the error is still there.


[eap] EAP packet type response id 1 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation << It should
be a start, since it's the first message to arrive
++[eap] returns updated
.
.
.
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 80 to 192.168.250.250 port 38895
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x6f3ad5846f38cc2e96bfe99ed117c159
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.250.250 port 38895,
id=80, length=264
Sending duplicate reply to client eduroam port 38895 - ID: 80
Sending Access-Challenge of id 80 to 192.168.250.250 port 38895
Waking up in 1.0 seconds.
Cleaning up request 0 ID 80 with timestamp +11
WARNING:
!!
WARNING: !! EAP session for state 0x6f3ad5846f38cc2e did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!
Ready to process requests.

So it never establishes an EAP-TLS to begin with.

CA & certificates script: http://pastebin.com/tP1cH2Zx

2012/1/17 Alan DeKok 

> Alberto Martínez wrote:
> > Now I'm stuck with this known error:
> > WARNING:
> > !!
> > WARNING: !! EAP session for state 0xcb306879cb32715a did not finish!
> > WARNING: !! Please read
> http://wiki.freeradius.org/Certificate_Compatibility
> > WARNING:
> > !!
>
>   Well... that message is pretty clear.
>
> > while trying to authenticate from Windows *and Linux*. I can't find the
> > problem, since the configuration is almost identical to the working one.
>
>   *ALMOST* ???
>
>  Perhaps that difference is causing the problem.
>
>  It would seem to be a reasonable (and rational) assumption.
>
>  Alan DeKok.



-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01
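Phil's point about the next EAP packet being large, and the first Access-Challenge in Alberto's debug (EAP-Message = 0x010200061920, right after "[tls] Start returned 1"), both come down to reading the EAP header and the flags byte that TLS-based methods carry. The Python decoder below is an added example, not code from either message or from FreeRADIUS: it parses that value from the post, plus a constructed client Response with the L bit set, and estimates how many EAP round trips a TLS message of a given size needs. The fragment arithmetic is a simplified assumption (fragment_size treated as the TLS bytes carried per EAP packet); the code and type tables are the IANA-assigned values.

```python
"""Decode the EAP-Message attribute as FreeRADIUS prints it in debug output.

Added example, not code from the thread or from FreeRADIUS. The type and
code tables are the IANA-assigned values; the fragment arithmetic is a
simplified assumption (fragment_size taken as TLS bytes per EAP packet).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}          # methods that carry the L/M/S flags byte

# Constructed packets: the first is the Access-Challenge value from the post
# above; the second is a made-up client Response carrying a 6-byte TLS
# fragment of a 100-byte message with the L (length included) bit set.
SERVER_PEAP_START = "0x010200061920"
CLIENT_TLS_FRAGMENT = "0x02030010198000000064001122334455"


def decode_eap(hex_value):
    """Return a dict with the EAP header and, for TLS methods, the flags."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # A mismatch means the attribute was truncated or not reassembled.
        raise ValueError(f"EAP length {length} != attribute length {len(data)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):             # Success/Failure carry no Type byte
        return pkt
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = data[5:]
    if eap_type not in TLS_BASED:
        pkt["data"] = body
        return pkt
    if not body:
        raise ValueError("TLS-based method needs a flags byte")
    flags = body[0]
    pkt["flags"] = {
        "length_included": bool(flags & 0x80),   # L: 4-byte total TLS length follows
        "more_fragments": bool(flags & 0x40),    # M: more fragments to come
        "start": bool(flags & 0x20),             # S: server-side start packet
        "version": flags & 0x07,                 # PEAP/TTLS version bits
    }
    offset = 1
    if flags & 0x80:
        if len(body) < 5:
            raise ValueError("L bit set but no TLS message length present")
        pkt["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
        offset = 5
    pkt["tls_data_length"] = len(body) - offset
    return pkt


def fragments_needed(tls_message_length, fragment_size):
    """EAP round trips a TLS message needs at a given fragment_size (simplified)."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    return -(-tls_message_length // fragment_size)   # ceiling division


if __name__ == "__main__":
    print(decode_eap(SERVER_PEAP_START))
    print(decode_eap(CLIENT_TLS_FRAGMENT))
    # A server certificate chain of a few KB spans several fragments.
    print(fragments_needed(3000, 1024))
```

Decoding the value from the post gives a 6-byte PEAP Request (id 2) whose only body byte is the flags, with S set: the server's Start packet. The client's reply should be a Response of the same id carrying the ClientHello; once the server answers with its certificate chain, that message is the large one Phil mentions, and each fragment has to survive the AP/switch and any firewall on its own, so a length mismatch or a missing follow-up fragment is where to look when the session "did not finish".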


Re: EAP-session did not finish! (Linux)

2012-01-17 Thread Alan DeKok
Alberto Martínez wrote:
> Now I'm stuck with this known error:
> WARNING:
> !!
> WARNING: !! EAP session for state 0xcb306879cb32715a did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING:
> !!

  Well... that message is pretty clear.

> while trying to authenticate from Windows *and Linux*. I can't find the
> problem, since the configuration is almost identical to the working one.

  *ALMOST* ???

  Perhaps that difference is causing the problem.

  It would seem to be a reasonable (and rational) assumption.

  Alan DeKok.


EAP-session did not finish! (Linux)

2012-01-17 Thread Alberto Martínez
Hi.

I'm having a hard time migrating FR from one server to another. It worked
perfectly on the former and I was able to make an EAP-PEAP-MSCHAPV2 auth
from both Linux and Windows.

Now I'm stuck with this known error:
WARNING:
!!
WARNING: !! EAP session for state 0xcb306879cb32715a did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!

while trying to authenticate from Windows *and Linux*. I can't find the
problem, since the configuration is almost identical to the working one.
I would appreciate any indication about the issue.

Thank you in advance.

freeradius -XC > http://pastebin.com/p6FKumjm

-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01


Re: impossible to be authenticated

2012-01-17 Thread ousmane sanogo
These are some lines from debug mode:

##"""
freeradius -X


radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
wait = no
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file
/etc/freeradius/modules/files
  files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
  radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for mor