Re: Freeradius & vpn issue

Guillermo Bayon del Oso wrote:
> I'm a non native speaker, so please accept my apologies if I'm not
> totally clear with my language. It's an issue with a net equipment that
> implements VPN connections and the authentication server (implemented
> with Freeradius).

Your language is fine.

> We work with several software providers who connect with our Intranet
> through the VPN, in order to do their web application maintenance
> tasks. The clients are connected without problems for a long period of
> time during the night. But eventually the Freeradius (or vpn appliance,
> we don't know for certain) suddenly disconnects the clients from the VPN
> during the next day in the morning (when our partners are working).
> Actually several times (maybe 6 times).

If the user gets connected for a time, and THEN disconnected: blame the NAS (or VPN appliance).

The explanation is simple: the user is allowed on the network after talking to FreeRADIUS. Then, without talking to FreeRADIUS, the user is disconnected. It can't be a FreeRADIUS issue.

> The error we've seen in the log (we've used radmin and raddebug tools) is:
>
> "Acct-Terminate-Cause = 0"
>
> But in the Radius Accounting RFC
> (http://freeradius.org/rfc/rfc2866.html) this value is not permitted
> (possible values are 1-18).

Ah, yes. The VPN software is broken. This is fairly common. FreeRADIUS follows the RFCs. NAS / VPN software... not so much.

> , , and aren't real values
> (they're masked for privacy) although I think the error isn't related to
> them.
>
> Thank you very much in advance!!

Call up the vendor of the VPN appliance, and ask them why their product doesn't work. If they argue, point out that I'm the author / co-author of many RADIUS RFCs, including 5080, 6158, and others. They can believe their internal engineers who know nothing about RADIUS. Or, they can believe someone who wrote the specifications describing the protocol.

Alan DeKok.

- List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
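A small triage script for the accounting record in this thread, added here as an example; it is not code from the thread or from the FreeRADIUS project. It parses the "Attribute = Value" lines the poster pasted, checks Acct-Terminate-Cause against the RFC 2866 range the poster cites (1-18), and applies Alan's reasoning: a Stop record with a long Acct-Session-Time means the NAS admitted the user and later ended the session on its own, without consulting RADIUS. The sample record is constructed from the post, with the masked values left masked.

```python
import re
from typing import Dict, Tuple

# Constructed sample, taken from the record in the original post (masked
# values stay masked, as in the thread).
SAMPLE_RECORD = """\
Mon Jan 16 09:19:54 2012
\tAcct-Session-Id = ""
\tTunnel-Assignment-Id:0 = "PPTP"
\tFramed-Protocol = PPP
\tUser-Name = ""
\tAcct-Authentic = RADIUS
\tAcct-Terminate-Cause = 0
\tAcct-Session-Time = 125159
\tAcct-Input-Octets = 1312452
\tAcct-Output-Octets = 2391455
\tAcct-Status-Type = Stop
\tNAS-Port-Type = Virtual
\tNAS-Port = 323
\tHuntgroup-Name = "PPTP"
\tTimestamp = 1326701994
"""

# Acct-Terminate-Cause values defined in RFC 2866, section 5.10.
TERMINATE_CAUSES = {
    1: "User-Request", 2: "Lost-Carrier", 3: "Lost-Service",
    4: "Idle-Timeout", 5: "Session-Timeout", 6: "Admin-Reset",
    7: "Admin-Reboot", 8: "Port-Error", 9: "NAS-Error", 10: "NAS-Request",
    11: "NAS-Reboot", 12: "Port-Unneeded", 13: "Port-Preempted",
    14: "Port-Suspended", 15: "Service-Unavailable", 16: "Callback",
    17: "User-Error", 18: "Host-Request",
}
CAUSE_NAMES = {name: code for code, name in TERMINATE_CAUSES.items()}

# "Attribute = Value" or "Attribute:tag = Value"; the date header does not match.
ATTR_RE = re.compile(r"^\s*([\w\-]+(?::\d+)?)\s*=\s*(.*?)\s*$")


def parse_record(text: str) -> Dict[str, str]:
    """Parse one detail-style accounting record into an attribute dict.
    Surrounding double quotes are stripped from string values."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        match = ATTR_RE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def classify_terminate_cause(value: str) -> Tuple[str, str]:
    """Return ("ok", name) for an RFC 2866 value, ("invalid", reason) otherwise.
    FreeRADIUS prints a dictionary name for codes it knows and the raw
    number (as here, 0) for codes it does not."""
    if value.isdigit():
        code = int(value)
        if code in TERMINATE_CAUSES:
            return "ok", TERMINATE_CAUSES[code]
        return "invalid", f"value {code} is outside the RFC 2866 range 1-18"
    if value in CAUSE_NAMES:
        return "ok", value
    return "invalid", f"unknown Acct-Terminate-Cause name {value!r}"


def triage_stop_record(attrs: Dict[str, str], long_session_secs: int = 3600) -> Dict[str, object]:
    """Summarise what a Stop record says about where the disconnect happened."""
    is_stop = attrs.get("Acct-Status-Type") == "Stop"
    session_time = int(attrs.get("Acct-Session-Time", "0") or 0)
    status, detail = classify_terminate_cause(attrs.get("Acct-Terminate-Cause", ""))
    # A session that ran for a long time and then stopped was ended by the
    # NAS: RADIUS authorised it once and was not asked again.
    nas_side = is_stop and session_time >= long_session_secs
    return {
        "is_stop": is_stop,
        "session_time": session_time,
        "cause_status": status,
        "cause_detail": detail,
        "nas_side": nas_side,
    }


if __name__ == "__main__":
    result = triage_stop_record(parse_record(SAMPLE_RECORD))
    for key, value in result.items():
        print(f"{key}: {value}")
```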
Freeradius & vpn issue

Hello! Could someone please kindly help me with a Freeradius & VPN issue? Any help would be very appreciated!

I'm a non native speaker, so please accept my apologies if I'm not totally clear with my language. It's an issue with a net equipment that implements VPN connections and the authentication server (implemented with Freeradius).

We work with several software providers who connect with our Intranet through the VPN, in order to do their web application maintenance tasks. The clients are connected without problems for a long period of time during the night. But eventually the Freeradius (or vpn appliance, we don't know for certain) suddenly disconnects the clients from the VPN during the next day in the morning (when our partners are working). Actually several times (maybe 6 times). They should login again (via automated pppd script and a watchdog). This watchdog also tries to keep open the VPN and if it's not open, it tries to reconnect the VPN again (like a heartbeat).

The error we've seen in the log (we've used radmin and raddebug tools) is:

"Acct-Terminate-Cause = 0"

But in the Radius Accounting RFC (http://freeradius.org/rfc/rfc2866.html) this value is not permitted (possible values are 1-18).

This is a piece of log, where you can see when a client disconnects from the vpn:

Mon Jan 16 09:19:54 2012
	Acct-Session-Id = ""
	Tunnel-Server-Endpoint:0 = ""
	Tunnel-Client-Endpoint:0 = ""
	Tunnel-Assignment-Id:0 = "PPTP"
	Framed-Protocol = PPP
	Framed-IP-Address =
	User-Name = ""
	Acct-Authentic = RADIUS
	Acct-Terminate-Cause = 0
	Acct-Session-Time = 125159
	Acct-Input-Octets = 1312452
	Acct-Output-Octets = 2391455
	Acct-Input-Packets = 19372
	Acct-Output-Packets = 25170
	Acct-Status-Type = Stop
	NAS-Port-Type = Virtual
	NAS-Port = 323
	Service-Type = Framed-User
	NAS-IP-Address =
	Acct-Delay-Time = 0
	Huntgroup-Name = "PPTP"
	Acct-Unique-Session-Id = ""
	Stripped-User-Name = ""
	Realm = "NULL"
	Timestamp = 1326701994
	Request-Authenticator = Verified

, , and aren't real values (they're masked for privacy) although I think the error isn't related to them.

Thank you very much in advance!!

Guillermo.

---
Guillermo Bayon del Oso
Re: Radius integration with LDAP (SASL)

Alan DeKok wrote:
> Ignorance is understandable. You have *never* seen be get annoyed at

It's getting late here. I need to go home and rest.

What I meant to say was you've never seen me get annoyed at people for being ignorant. There are tons of things I don't know.

Alan DeKok.
Re: EAP-session did no finish! (Linux)

Alberto Martínez wrote:
> I've just purged FR, reinstalled, issued new certs, and I'm getting the
> same error while trying to authenticate from Linux.
>
> Now I'll post the whole debug:

Follow the EAP howto on my web page: http://deployingradius.com

I don't know what's wrong with your setup. There are a lot of moving parts in EAP authentication, and it's easy for something to go wrong. Following my Howto will either (a) work, or (b) tell you exactly what is going wrong.

Posting the debug output with the *same* message is not helping.

Also, the fact that the NAS retransmits the Access-Request is a problem. No, it's not a RADIUS problem. It's likely a problem with the NAS. Go look at *its* logs to see what's going on.

Alan DeKok.
Re: Radius integration with LDAP (SASL)

John Dennis wrote:
> I have an alternate explanation. People construct convoluted systems
> because they lack a clear mental model of what is going on. Without an
> overarching understanding they either flail about or they take what they
> presume is the shortest path to a solution (e.g. LDAP can authenticate,
> I'll just use that).

They lack a clear process. The *correct* process is documented in the radiusd "man" page, the wiki, and elsewhere. The EAP "howto" on my web page walks through this process in excruciating detail.

Ignorance is understandable. You have *never* seen be get annoyed at someone for being ignorant. You *have* seen me get annoyed at people who refuse to learn.

> What is really missing is a simple document which ties all the pieces
> together so a newbie can form a mental model and design an uncomplicated
> efficient system. (Yes, I know, an old topic)

Yup.

> I'm willing to bet most of the old hands on this list were also
> befuddled early on and the clarity was only arrived at by diligently
> peeling back the layers and learning each piece of the puzzle.

For me, "diligent" == "having a good method". Method is *more* important than memorizing information. Why would you do that? You can get information about anything via "google".

> That's
> not something a sys admin can do when he/she is given a week to deploy a
> RADIUS solution especially if they haven't had extensive formal training
> with networking, system services and authentication.

Yup. If I know nothing about car maintenance, I expect my mechanic to get annoyed when I try to do it myself, ask him questions, *and* make it clear I haven't read the manual.

Alan DeKok.
Re: Radius integration with LDAP (SASL)

David Mitton wrote:
> Aww, come on guys. Are such abusive speculations necessary?

I've formed my opinions after reading the posts on this list. They generally fall into two categories. The first gives useful information, follows instructions, and gets the problem solved. The second doesn't do any of that.

It's really that simple. I've been saying it for ~8 years, and haven't seen any reason to change.

Look at the posts from the OP. The debug log shows what the errors are. The "help" on this list is largely just pointing out the messages from the debug log.

The real abuse is from people who engage in name-calling, insults, curses, etc. Those people now get unsubscribed.

Being factual? That may be hard to take for sensitive people. It's not abusive.

Alan DeKok.
Re: EAP-session did no finish! (Linux)

On Tue, Jan 17, 2012 at 9:07 PM, Alberto Martínez wrote:
> Of course not.

So you're NOT using the same certificate?

> Give me some credit. BUT, in case I did, the debug would show
> an ugly TLS error instead of an error referencing a whole other issue.

Actually, it'd be much easier to use the same certificates. The non-working one might be missing xpextension. Just something else to check.

If you've used the same certificate, identical (or similar-enough) FR configs, one success and the other doesn't, then it's 100% not a certificate issue.

--
Fajar
Re: Radius integration with LDAP (SASL)

>> I guess he needs to set "Auth-Type"... I don't know why people construct
>> these Heath Robinson systems that make their lives difficult!
>
> Because they believe complicated systems are better. Because they can't
> follow instructions. Because they think they know better than people
> who've been doing it for 10+ years. Maybe all/some of the above.

Never ascribe to malice what can be attributed to ignorance.

I have an alternate explanation. People construct convoluted systems because they lack a clear mental model of what is going on. Without an overarching understanding they either flail about or they take what they presume is the shortest path to a solution (e.g. LDAP can authenticate, I'll just use that).

What is really missing is a simple document which ties all the pieces together so a newbie can form a mental model and design an uncomplicated efficient system. (Yes, I know, an old topic)

I'm willing to bet most of the old hands on this list were also befuddled early on and the clarity was only arrived at by diligently peeling back the layers and learning each piece of the puzzle. That's not something a sys admin can do when he/she is given a week to deploy a RADIUS solution especially if they haven't had extensive formal training with networking, system services and authentication.

--
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Radius integration with LDAP (SASL)

Quoting Alan DeKok:
> Phil Mayers wrote:
>> On 17/01/12 14:04, Alan DeKok wrote:
>> I guess he needs to set "Auth-Type"... I don't know why people construct
>> these Heath Robinson systems that make their lives difficult!
>
> Because they believe complicated systems are better. Because they can't
> follow instructions. Because they think they know better than people
> who've been doing it for 10+ years. Maybe all/some of the above.
>
> Alan DeKok.

Aww, come on guys. Are such abusive speculations necessary?

Never ascribe to malice that which is adequately explained by incompetence; see http://en.wikipedia.org/wiki/Hanlon's_razor

Though I'm more of a Heinlein fan myself.

Dave.
Re: Radius integration with LDAP (SASL)

Phil Mayers wrote:
> On 17/01/12 14:04, Alan DeKok wrote:
> IIRC that's a special value that OpenLDAP uses; "{SASL}username" tells
> OpenLDAP to use the SASL library, with the username after the } and the
> password given in the bind request.

Sure. But then LDAP should go do that lookup!

> So, he's using LDAP as an oracle to talk to an oracle. Maybe there's
> another oracle in there somewhere...

Probably. As he said, it's FreeRADIUS -> LDAP -> SASL

But... the debug log shows FreeRADIUS -> LDAP. So the LDAP-SASL link is broken. Is that a RADIUS problem? Nope.

> I guess he needs to set "Auth-Type"... I don't know why people construct
> these Heath Robinson systems that make their lives difficult!

Because they believe complicated systems are better. Because they can't follow instructions. Because they think they know better than people who've been doing it for 10+ years. Maybe all/some of the above.

Alan DeKok.
Re: Radius integration with LDAP (SASL)

On 17/01/12 13:39, vijay t wrote:
> [ldap] Added User-Password = {SASL}suresht in check items

This is all wrong. {SASL}user is only meaningful to the LDAP server. You'll just confuse FreeRADIUS with this; it won't work.

You need to understand what you're trying to accomplish:

1. PAP request comes into FreeRADIUS
2. FreeRADIUS performs LDAP search to find LDAP user DN
3. FreeRADIUS makes LDAP BIND with LDAP user DN & PAP password

Instead, you have FreeRADIUS doing this:

1. PAP request comes into FreeRADIUS
2. FreeRADIUS performs LDAP search to find LDAP user DN and "plaintext password"
3. FreeRADIUS tries to perform authentication locally using the "plaintext" password (actually {SASL}username)

I'm not sure how you can accomplish what you want. You probably need to "hide" userPassword from FreeRADIUS, so that it can't see it.

Basically, you're doing something weird. You're going to have to try and figure this out yourself, to a large extent.
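The two flows Phil lists, as an added illustration that is not FreeRADIUS code or anything from the thread: the directory, the SASL back end and the two "authorize" strategies are small stand-ins constructed here so the logic runs offline. The entries mirror the two users from the debug outputs (a plaintext userPassword, and a {SASL}suresht reference that only the LDAP server knows how to resolve); the SASL password "sbt" is assumed from the poster's second request.

```python
from typing import Callable, Dict, Optional, Tuple

BASE_DN = "ou=Users,dc=cdac,dc=in"

# Constructed directory contents, modelled on the two debug outputs.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=101821," + BASE_DN: {"uid": "101821", "userPassword": "q"},
    "uid=105900," + BASE_DN: {"uid": "105900", "userPassword": "{SASL}suresht"},
}

# Constructed stand-in for the SASL back end behind OpenLDAP (e.g. saslauthd).
# Only the LDAP server talks to it; FreeRADIUS never sees these values.
SASL_BACKEND: Dict[str, str] = {"suresht": "sbt"}


class FakeLdapServer:
    """Minimal model of an LDAP server that honours {SASL}user pass-through."""

    def __init__(self, entries: Dict[str, Dict[str, str]],
                 sasl_check: Callable[[str, str], bool]) -> None:
        self.entries = entries
        self.sasl_check = sasl_check

    def search(self, base: str, uid: str) -> Optional[Tuple[str, Dict[str, str]]]:
        """Return (dn, entry) for filter (uid=...) under base, or None."""
        for dn, entry in self.entries.items():
            if dn.endswith(base) and entry.get("uid") == uid:
                return dn, dict(entry)
        return None

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the server, not the client, checks the password.
        A {SASL}name value makes the server defer to SASL with the bind
        password; anything else is compared as a stored plaintext here."""
        entry = self.entries.get(dn)
        if entry is None:
            return False
        stored = entry.get("userPassword", "")
        if stored.startswith("{SASL}"):
            return self.sasl_check(stored[len("{SASL}"):], password)
        return stored == password


def authorize_with_check_items(server: FakeLdapServer, user: str,
                               pap_password: str) -> Tuple[str, str]:
    """The poster's current path: fetch userPassword as a check item and
    compare it locally, as rlm_pap does with a 'known good' password."""
    found = server.search(BASE_DN, user)
    if found is None:
        return "reject", "search failed"
    _, entry = found
    known_good = entry.get("userPassword")
    if known_good is None:
        return "reject", "no known good password"
    # The local compare is literal: "{SASL}suresht" is not "sbt", so a
    # SASL-backed user can never pass this way.
    if known_good == pap_password:
        return "accept", "local PAP compare matched"
    return "reject", f"local PAP compare of {pap_password!r} against {known_good!r} failed"


def authorize_with_bind(server: FakeLdapServer, user: str,
                        pap_password: str) -> Tuple[str, str]:
    """The path Phil describes: search for the DN, then bind as that DN with
    the PAP password so the LDAP server (and SASL behind it) does the check."""
    found = server.search(BASE_DN, user)
    if found is None:
        return "reject", "search failed"
    dn, _ = found
    if server.bind(dn, pap_password):
        return "accept", f"bind as {dn} succeeded"
    return "reject", f"bind as {dn} failed"


def make_server() -> FakeLdapServer:
    return FakeLdapServer(DIRECTORY, lambda u, p: SASL_BACKEND.get(u) == p)


if __name__ == "__main__":
    srv = make_server()
    for user, pw in (("101821", "q"), ("105900", "sbt"), ("google", "google@1234")):
        print(user, "check-items:", authorize_with_check_items(srv, user, pw))
        print(user, "bind:      ", authorize_with_bind(srv, user, pw))
```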
Re: EAP-session did no finish! (Linux)

Alberto Martínez wrote:
> Of course not. Give me some credit. BUT, in case I did, the debug would
> show an ugly TLS error instead of an error referencing a whole other issue.

No.

Alan DeKok.
Re: Radius integration with LDAP (SASL)

On 17/01/12 14:04, Alan DeKok wrote:
> vijay t wrote:
>> Please note am "using SASL on my LDAP"... If i create a user in ldap (eg
>> 101821 ) server itself i am able to authenticate the user( Please see
>> the debug output "1") . Am facing problem only for those users whom am
>> using SASL mechanism for userPassword (Please see the debug output "2" )
>
> And again, the debug output tells you what is going wrong. Read it.
> {SASL}... is NOT the users clear-text password.

IIRC that's a special value that OpenLDAP uses; "{SASL}username" tells OpenLDAP to use the SASL library, with the username after the } and the password given in the bind request.

So, he's using LDAP as an oracle to talk to an oracle. Maybe there's another oracle in there somewhere...

I guess he needs to set "Auth-Type"... I don't know why people construct these Heath Robinson systems that make their lives difficult!
Re: EAP-session did no finish! (Linux)

Of course not. Give me some credit. BUT, in case I did, the debug would show an ugly TLS error instead of an error referencing a whole other issue.

Thanks for your replies anyway.

2012/1/17 Fajar A. Nugraha
> On Tue, Jan 17, 2012 at 7:18 PM, Alberto Martínez wrote:
>>> The problem is ALWAYS the same. The Wiki page describes the problems,
>>> and the solutions.
>>
>> That particular error is known to pop out when a Windows client uses a
>> misconfigured certificate, or the MTU is too high. This case is neither one
>> nor the other.
>
> So just to confirm, you're using the SAME server certificate on BOTH
> server, which you generate manually, and NOT using the one
> automatically-created when you install the package (e.g. rpm, deb),
> right?
>
> --
> Fajar

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
Re: Radius integration with LDAP (SASL)

vijay t wrote:
> Please note am "using SASL on my LDAP"... If i create a user in ldap (eg
> 101821 ) server itself i am able to authenticate the user( Please see
> the debug output "1") . Am facing problem only for those users whom am
> using SASL mechanism for userPassword (Please see the debug output "2" )

And again, the debug output tells you what is going wrong. Read it. {SASL}... is NOT the users clear-text password.

Why is that in the LDAP database? What led you to believe that FreeRADIUS understands it?

You *do* understand how databases work, right?

Alan DeKok.
Re: Radius integration with LDAP (SASL)

Hello,

Thanks for the quick response.

Please note am "using SASL on my LDAP"... If i create a user in ldap (eg 101821 ) server itself i am able to authenticate the user( Please see the debug output "1") . Am facing problem only for those users whom am using SASL mechanism for userPassword (Please see the debug output "2" )

Debug output "1"

rad_recv: Access-Request packet from host 10.168.109.120 port 57709, id=24, length=58
	User-Name = "101821"
	User-Password = "q"
	NAS-IP-Address = 10.1.109.120
	NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "101821", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 101821
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> 101821
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=101821)
[ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=101821)
request done: ld 0x126be520 msgid 4
[ldap] Added User-Password = q in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 101821 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! !!! Please update your configuration so that the "known good" !!!
!!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "q"
[pap] Using clear text password "q"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 24 to 10.168.109.120 port 57709
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 24 with timestamp +854
Ready to process requests.

Debug output "2"

rad_recv: Access-Request packet from host 10.168.109.120 port 54218, id=100, length=58
	User-Name = "105900"
	User-Password = "sbt"
	NAS-IP-Address = 10.1.109.120
	NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "105900", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 105900
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> 105900
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=105900)
[ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=105900)
request done: ld 0x126be520 msgid 3
[ldap] Added User-Password = {SASL}suresht in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 105900 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! !!! Please update your configuration so that the "known good" !!!
!!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Re: impossible to be authenticated

On 01/17/2012 03:16 AM, ousmane sanogo wrote:
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.

I assume you did try to authenticate, if so then the answer is above because the server did not report any attempts to connect to it after reporting it was ready to process requests.

Bottom line is you're not communicating with the server, you need to fix that. First place to look is your firewall settings.

Please do not post anything else until the server is showing it has received and processed a request. We can help you with radius, but we can't fix your network.

--
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: EAP-session did no finish! (Linux)

On Tue, Jan 17, 2012 at 7:18 PM, Alberto Martínez wrote:
>> The problem is ALWAYS the same. The Wiki page describes the problems,
>> and the solutions.
>
> That particular error is known to pop out when a Windows client uses a
> misconfigured certificate, or the MTU is too high. This case is neither one
> nor the other.

So just to confirm, you're using the SAME server certificate on BOTH server, which you generate manually, and NOT using the one automatically-created when you install the package (e.g. rpm, deb), right?

--
Fajar
RE: EAP-session did no finish! (Linux)

Are we still having problems with this 'never ending' issue? Sending you Alberto another email.

Date: Tue, 17 Jan 2012 13:18:57 +0100
Subject: Re: EAP-session did no finish! (Linux)
From: alberto_marti...@deusto.es
To: freeradius-users@lists.freeradius.org

> The problem is ALWAYS the same. The Wiki page describes the problems,
> and the solutions.

That particular error is known to pop out when a Windows client uses a misconfigured certificate, or the MTU is too high. This case is neither one nor the other.

> Try setting up the second server as a brand new server with brand new
> certificates. Follow the *documented* process of setting up a new
> server with EAP-TLS / PEAP. It *will* work.

I have no heavy modifications of the original configuration, just the minimum required for eap-peap-mschapv2 to work. Which has been copied from a working server.

> It's probably the cert.

I suspected that, but I'm making no progress with it, and I've ended with the process pretty much automated. I will continue doing tests, but i felt i was missing something else.

> If it's NOT the cert, then you need to investigate the AP/switch or the
> client; FreeRADIUS is not receiving the next packet, so either the client
> or the AP/switch has dropped / ignored it.

Maybe, but the only change made was the address where to point at. However, i should check that too.

> One thing to check is MTU; you've trimmed the debug so it's hard to know,
> but usually the next EAP packet would be large(-ish).

Framed-MTU = 1100 << from debug
fragment_size = 1024 << eap.conf (default setting)

> Also check the client - look in the logs, or use tcpdump to check the
> client actually receives the EAP packet, and sends a reply. Likewise the
> AP/switch.
>
> Also check any firewalls inbetween.

Yes, it shows a conversation, so no dropped packets inbetween.

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
Re: EAP-session did no finish! (Linux)

> The problem is ALWAYS the same. The Wiki page describes the problems,
> and the solutions.

That particular error is known to pop out when a Windows client uses a misconfigured certificate, or the MTU is too high. This case is neither one nor the other.

> Try setting up the second server as a brand new server with brand new
> certificates. Follow the *documented* process of setting up a new
> server with EAP-TLS / PEAP. It *will* work.

I have no heavy modifications of the original configuration, just the minimum required for eap-peap-mschapv2 to work. Which has been copied from a working server.

> It's probably the cert.

I suspected that, but I'm making no progress with it, and I've ended with the process pretty much automated. I will continue doing tests, but i felt i was missing something else.

> If it's NOT the cert, then you need to investigate the AP/switch or the
> client; FreeRADIUS is not receiving the next packet, so either the client
> or the AP/switch has dropped / ignored it.

Maybe, but the only change made was the address where to point at. However, i should check that too.

> One thing to check is MTU; you've trimmed the debug so it's hard to know,
> but usually the next EAP packet would be large(-ish).

Framed-MTU = 1100 << from debug
fragment_size = 1024 << eap.conf (default setting)

> Also check the client - look in the logs, or use tcpdump to check the
> client actually receives the EAP packet, and sends a reply. Likewise the
> AP/switch.
>
> Also check any firewalls inbetween.

Yes, it shows a conversation, so no dropped packets inbetween.

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
Re: Radius integration with LDAP (SASL)

On 17/01/12 11:55, vijay t wrote:
> My LDAP server uses SASL mechanism for authenticating uid/username
> against userPassword. How can I integrate this LDAp server with
> FreeRadius server and what all configuration need to be changed ???. On
> debug, my radius server shows following error. Kindly suggest

Read this:

http://deployingradius.com/documents/protocols/compatibility.html

And this:

http://deployingradius.com/documents/protocols/oracles.html

Short version: if you need to use "LDAP BIND", you can only support PAP authentication.

> [ldap] expand: %{User-Name} -> google
> [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)
> [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
> request done: ld 0x748c7d0 msgid 9
> [ldap] object not found
> [ldap] search failed

Your first problem is that the LDAP Search has failed. Fix your LDAP search filter, or ensure the user exists.
Re: Radius integration with LDAP (SASL)

vijay t wrote:
> My LDAP server uses SASL mechanism for authenticating uid/username
> against userPassword. How can I integrate this LDAp server with
> FreeRadius server and what all configuration need to be changed ???. On
> debug, my radius server shows following error. Kindly suggest

READ the debug output. FreeRADIUS is querying LDAP, and the LDAP server is returning "search failed".

Fix it so that (a) you're using the correct search parameters, or (b) there's a user in LDAP.

Alan DeKok.
Radius integration with LDAP (SASL)

My LDAP server uses SASL mechanism for authenticating uid/username against userPassword. How can I integrate this LDAp server with FreeRadius server and what all configuration need to be changed ???. On debug, my radius server shows following error. Kindly suggest

Traffic flow as follows:

Radius client--> Radius server--> Ldap server --> SASL Authentication---> Backend server

rad_recv: Access-Request packet from host 10.168.109.120 port 42911, id=96, length=58
	User-Name = "google"
	User-Password = "google@1234"
	NAS-IP-Address = 10.1.109.120
	NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "google", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for google
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> google
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)
[ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
request done: ld 0x748c7d0 msgid 9
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> google
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 96 to 10.168.109.120 port 42911
Waking up in 4.9 seconds.

Regards
Vijay
Re: EAP-session did no finish! (Linux)

On 17/01/12 11:11, Alberto Martínez wrote:
> Hello Alan.
>
> "Almost" means the difference between passwords, directories and such. I
> suspected of the certificate and worked on it, but the error is still there.

It's probably the cert.

If it's NOT the cert, then you need to investigate the AP/switch or the client; FreeRADIUS is not receiving the next packet, so either the client or the AP/switch has dropped / ignored it.

One thing to check is MTU; you've trimmed the debug so it's hard to know, but usually the next EAP packet would be large(-ish).

Also check the client - look in the logs, or use tcpdump to check the client actually receives the EAP packet, and sends a reply. Likewise the AP/switch.

Also check any firewalls inbetween.

> [eap] EAP packet type response id 1 length 23
> [eap] No EAP Start, assuming it's an on-going EAP conversation << It should be a start, since it's the first message to arrive

No. That's not really true. Ignore that debug message.
Re: EAP-session did not finish! (Linux)
Alberto Martínez wrote:
> "Almost" means the difference between passwords, directories and such. I suspected the certificate and worked on it, but the error is still there.

The problem is ALWAYS the same. The Wiki page describes the problems, and the solutions.

Try setting up the second server as a brand new server with brand new certificates. Follow the *documented* process of setting up a new server with EAP-TLS / PEAP. It *will* work.

Alan DeKok.
Re: EAP-session did not finish! (Linux)
Hello Alan.

"Almost" means the difference between passwords, directories and such. I suspected the certificate and worked on it, but the error is still there.

[eap] EAP packet type response id 1 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation << It should be a start, since it's the first message to arrive
++[eap] returns updated
. . .
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 80 to 192.168.250.250 port 38895
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x6f3ad5846f38cc2e96bfe99ed117c159
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=80, length=264
Sending duplicate reply to client eduroam port 38895 - ID: 80
Sending Access-Challenge of id 80 to 192.168.250.250 port 38895
Waking up in 1.0 seconds.
Cleaning up request 0 ID 80 with timestamp +11
WARNING: !!
WARNING: !! EAP session for state 0x6f3ad5846f38cc2e did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Ready to process requests.

So it never establishes an EAP-TLS session to begin with.

CA & certificates script: http://pastebin.com/tP1cH2Zx

2012/1/17 Alan DeKok
> Alberto Martínez wrote:
> > Now I'm stuck with this known error:
> > WARNING: !!
> > WARNING: !! EAP session for state 0xcb306879cb32715a did not finish!
> > WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> > WARNING: !!
>
> Well... that message is pretty clear.
>
> > while trying to authenticate from Windows *and Linux*. I can't find the
> > problem, since the configuration is almost identical to the working one.
>
> *ALMOST* ???
>
> Perhaps that difference is causing the problem.
>
> It would seem to be a reasonable (and rational) assumption.
>
> Alan DeKok.

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
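The two debug transcripts in this thread fail in different places: Alberto's server sends an Access-Challenge and then only sees the same Access-Request retransmitted ("Sending duplicate reply"), which is the "next packet never arrived" case described in the reply above, while Vijay's request is rejected server-side because no module set an Auth-Type. The following is an added Python example, not code from the thread or from FreeRADIUS, that groups a radiusd -X transcript per (client, packet id) and names the failure class; the line shapes it matches are assumed from the FreeRADIUS 2.x output quoted on this page, and the sample transcript is constructed from those quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the radiusd -X output quoted in this thread; not a real capture.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=80, length=128
++[eap] returns handled
Sending Access-Challenge of id 80 to 192.168.250.250 port 38895
rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=80, length=264
Sending duplicate reply to client eduroam port 38895 - ID: 80
rad_recv: Access-Request packet from host 10.168.109.120 port 42911, id=96, length=58
++[ldap] returns notfound
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 96 to 10.168.109.120 port 42911
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
MODULE = re.compile(r"\+\+\[(\S+)\] returns (\w+)")
REPLY = re.compile(r"Sending (Access-\w+) of id \d+")
DUP = re.compile(r"Sending duplicate reply")

def parse_debug(text):
    """Group a debug transcript into one record per (client host, packet id)."""
    new = lambda: {"modules": [], "replies": [], "dups": 0, "error": None}
    reqs, cur = defaultdict(new), None
    for line in text.splitlines():
        if m := RECV.search(line):
            cur = (m.group(1), int(m.group(2)))  # a retransmission reuses the id, so it merges here
        elif cur is None:
            continue
        elif m := MODULE.search(line):
            reqs[cur]["modules"].append((m.group(1), m.group(2)))
        elif m := REPLY.search(line):
            reqs[cur]["replies"].append(m.group(1))
        elif DUP.search(line):
            reqs[cur]["dups"] += 1
        elif line.startswith("ERROR: "):
            reqs[cur]["error"] = line[len("ERROR: "):]
    return dict(reqs)

def diagnose(req):
    """Name the failure class: a conversation the client never continued, or a server-side reject."""
    if "Access-Challenge" in req["replies"] and req["dups"]:
        # Server answered; the next client packet never arrived (client, AP/switch path, MTU, firewall).
        return "stalled EAP"
    if req["error"]:
        missing = [name for name, rc in req["modules"] if rc == "notfound"]
        return "rejected: " + req["error"] + "; user not found by: " + (", ".join(missing) or "none")
    return "ok"
```

Run over a real transcript, a "stalled EAP" verdict points away from FreeRADIUS and at the supplicant or the path to it, exactly the split the reply above draws.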
Re: EAP-session did not finish! (Linux)
Alberto Martínez wrote:
> Now I'm stuck with this known error:
> WARNING: !!
> WARNING: !! EAP session for state 0xcb306879cb32715a did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!

Well... that message is pretty clear.

> while trying to authenticate from Windows *and Linux*. I can't find the
> problem, since the configuration is almost identical to the working one.

*ALMOST* ???

Perhaps that difference is causing the problem.

It would seem to be a reasonable (and rational) assumption.

Alan DeKok.
EAP-session did not finish! (Linux)
Hi.

I'm having a hard time migrating FR from one server to another. It worked perfectly on the former and I was able to make an EAP-PEAP-MSCHAPV2 auth from both Linux and Windows. Now I'm stuck with this known error:

WARNING: !!
WARNING: !! EAP session for state 0xcb306879cb32715a did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

while trying to authenticate from Windows *and Linux*. I can't find the problem, since the configuration is almost identical to the working one.

I would appreciate any indication about the issue. Thank you in advance.

freeradius -XC > http://pastebin.com/p6FKumjm

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
Re: impossible to be authenticated
These are some lines from debug mode:

##""" freeradius -X
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
        reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan "
        minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
        radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/etc/freeradius/certs"
        pem_file_type = yes
        private_key_file = "/etc/freeradius/certs/server.key"
        certificate_file = "/etc/freeradius/certs/server.pem"
        CA_file = "/etc/freeradius/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/freeradius/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/freeradius/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        preproxy_usersfile = "/etc/freeradius/preproxy_users"
        compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for mor