Re: help - PEAP authentication

2005-04-29 Thread Israel Fabio Alves
I will put the test server up, then I will send the configuration files.
Thanks for helping me.

Michael Griego wrote:
It will break inside the EAP code, since the EAP code does a sanity 
check to make sure the EAP Identity matches the User-Name sent by the NAS.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Luis Daniel Lucio Quiroz wrote:
Why don't you try this:
modules {
    ...
    #  '[EMAIL PROTECTED]'
    #
    realm suffix {
        format = suffix
        delimiter = "@"
    }
}
and then
authorize {
    preprocess
    ...
    suffix
    ...
}
It should work in the way that the DN is rewritten.
Let me know if it works for you.
On Thursday 28 April 2005 21:25, Israel Fabio Alves wrote:
Hi Michael,
I will see this with Extreme Networks (Brazil).
Thanks for your help.
Michael Griego wrote:
Talk to your NAS vendor.  That's completely insane for a NAS to rewrite
the User-Name, not to mention a violation of RFC 3579.
--Mike
Israel Fabio Alves wrote:
Hi,
I need help to solve a problem.
My configuration works 100% with a Cisco 2950 switch.
Now I need to use a switch from Extreme Networks (Summit 1i), but this
switch sends the request to FreeRADIUS with this "[EMAIL PROTECTED]".
I am thinking of using attr_rewrite to change the request from this
"[EMAIL PROTECTED]" to "windowsdomain\username", but I do not
find the way to organize the information with attr_rewrite and I do
not know if this will work for authentication.
Does someone have an idea of how I solve this?
Many thanks.
Israel Alves
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
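
As an added illustration of the sanity check Michael describes above (example code written for this archive page, not FreeRADIUS code): it decodes the EAP-Message hex shown in the debug output of this thread, splits both login-name formats the way the realm handling does ("user@REALM" and "DOMAIN\user"), and then distinguishes a name that was merely rewritten by the NAS or a proxy from a genuinely different principal. The outer User-Name "israel@TESTE" is reconstructed from the tcpdump hex bytes in the thread (6973 7261 656c 4054 4553 5445); the split_realm and diagnose helpers are simplified illustrations, not the exact FreeRADIUS logic.

```python
"""Decode EAP-Response/Identity and reproduce the User-Name vs. EAP-Identity
check that rlm_eap performs.  Illustrative code, not FreeRADIUS source."""
from __future__ import annotations

import struct
from typing import Optional, Tuple

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Constructed sample values taken from the debug output in this thread:
# the EAP-Message the Extreme switch forwarded, the outer User-Name decoded
# from the tcpdump hex dump, and the name the proxy sends after realm stripping.
SAMPLE_EAP_MESSAGE = "0x020700110154455354455c69737261656c"
SAMPLE_USER_NAME = "israel@TESTE"        # as sent by the NAS
SAMPLE_STRIPPED_USER_NAME = "israel"     # as forwarded by the proxy to the home server


def parse_eap_message(hex_string: str) -> dict:
    """Parse one EAP packet (RFC 3748: code, id, length, then type) from the
    hex form printed after 'EAP-Message =' in radiusd -X output."""
    body = hex_string[2:] if hex_string.lower().startswith("0x") else hex_string
    raw = bytes.fromhex(body)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    packet = {"code": code, "id": ident, "length": length, "type": None, "identity": None}
    if code == EAP_CODE_RESPONSE and length >= 5:
        packet["type"] = raw[4]
        if packet["type"] == EAP_TYPE_IDENTITY:
            # Identity payload is the text the supplicant typed, e.g. "TESTE\israel"
            packet["identity"] = raw[5:].decode("utf-8", errors="replace")
    return packet


def split_realm(name: str) -> Tuple[str, Optional[str]]:
    """Split a login name into (user, realm) for the two common formats:
    'user@REALM' (suffix, delimiter '@') and 'REALM\\user' (NT-domain prefix).
    Realm is None when neither delimiter is present."""
    if "\\" in name:
        realm, user = name.split("\\", 1)
        return user, realm
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return user, realm
    return name, None


def identity_matches_user_name(user_name: str, eap_message_hex: str) -> bool:
    """The strict comparison: the outer User-Name must equal the identity carried
    inside EAP-Response/Identity.  A NAS that rewrites User-Name, or a proxy that
    strips the realm before forwarding, makes this fail."""
    pkt = parse_eap_message(eap_message_hex)
    return pkt["identity"] is not None and pkt["identity"] == user_name


def same_principal(user_name: str, eap_message_hex: str) -> bool:
    """Diagnostic helper: do both names denote the same user and realm once the
    two spellings are normalised?"""
    pkt = parse_eap_message(eap_message_hex)
    if pkt["identity"] is None:
        return False
    return split_realm(user_name) == split_realm(pkt["identity"])


def diagnose(user_name: str, eap_message_hex: str) -> str:
    """Classify a request the way an operator reading the debug log would:
    'ok'           - names identical, rlm_eap is satisfied
    'rewritten'    - same user and realm, different spelling (NAS/proxy rewrite)
    'mismatch'     - different user, or the realm was lost in transit
    'not-identity' - the EAP-Message is not an Identity response at all"""
    pkt = parse_eap_message(eap_message_hex)
    if pkt["identity"] is None:
        return "not-identity"
    if pkt["identity"] == user_name:
        return "ok"
    if same_principal(user_name, eap_message_hex):
        return "rewritten"
    return "mismatch"


if __name__ == "__main__":
    print(parse_eap_message(SAMPLE_EAP_MESSAGE))
    for name in (SAMPLE_USER_NAME, SAMPLE_STRIPPED_USER_NAME, "TESTE\\israel"):
        print(f"User-Name {name!r}: {diagnose(name, SAMPLE_EAP_MESSAGE)}")
```

Run against the values from this thread, the outer name from the switch comes out as "rewritten" (same user and realm, just "israel@TESTE" instead of "TESTE\israel"), while the realm-stripped name the proxy forwards comes out as "mismatch", which is the case the home server logs as "Identity does not match User-Name".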


Re: help - PEAP authentication

2005-04-28 Thread Israel Fabio Alves
Hi Michael,
I will see this with Extreme Networks (Brazil).
Thanks for your help.

Michael Griego wrote:
Talk to your NAS vendor.  That's completely insane for a NAS to rewrite 
the User-Name, not to mention a violation of RFC 3579.

--Mike
Israel Fabio Alves wrote:
Hi,
I need help to solve a problem.
My configuration works 100% with a Cisco 2950 switch.
Now I need to use a switch from Extreme Networks (Summit 1i), but this
switch sends the request to FreeRADIUS with this "[EMAIL PROTECTED]".

I am thinking of using attr_rewrite to change the request from this
"[EMAIL PROTECTED]" to "windowsdomain\username", but I do not
find the way to organize the information with attr_rewrite and I do
not know if this will work for authentication.

Does someone have an idea of how I solve this?
Many thanks.
Israel Alves


help - PEAP authentication

2005-04-28 Thread Israel Fabio Alves
Hi,
I need help to solve a problem.
My configuration works 100% with a Cisco 2950 switch.
Now I need to use a switch from Extreme Networks (Summit 1i), but this switch
sends the request to FreeRADIUS with this "[EMAIL PROTECTED]".

I am thinking of using attr_rewrite to change the request from this
"[EMAIL PROTECTED]" to "windowsdomain\username", but I do not find
the way to organize the information with attr_rewrite and I do not know
if this will work for authentication.

Does someone have an idea of how I solve this?
Many thanks.
Israel Alves


PEAP authentication + Windows DOMAIN

2005-04-06 Thread Israel Fabio Alves
Hi,
I am trying to authenticate a Windows XP user with PEAP + MSCHAPv2. The
authentication uses user + password + domain.

The same error always occurs: rlm_eap: Identity does not match User-Name,
setting from EAP Identity.

Thanks for the help.
tp-opengate:/usr/local/radius/etc/raddb# /usr/local/radius/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name} --domain=NTRSSRV 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/openssl/ssl/misc/radius/newreq.pem"
 tls: certificate_file = "/usr/local/openssl/ssl/misc/radius/newcert.pem"
 tls: CA_file = "/usr/local/openssl/ssl/misc/radius/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/openssl/ssl/misc/radius/dh"
 tls: random_file = "/usr/local/openssl/ssl/misc/radius/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = yes
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = 
"/usr/local/radius/var/log/ra

Re: Help with PEAP

2005-03-15 Thread Israel Fabio Alves
Hi,
Does someone have an idea about this problem?
Thanks for helping me,
Israel.
Israel Fabio Alves wrote:
Hi,
If I do tests without a domain, the authentication runs OK.
If I do tests with user + password + domain, the information below occurs:
 tcpdump -n -i eth0 -vv -s 0 -X udp and \( port 1812 or port 1813 \)
19:41:06.403013 172.22.2.32.2064 > 172.22.2.150.1812:  [udp sum ok] 
rad-access-req 98 [id 99] Attr[  [EMAIL PROTECTED] EAP_msg{..} 
NAS_ipaddr{172.22.2.32} Service_type{Login} Calling_station{0.0.0.0} 
NAS_port_type{Ethernet} Message_auth{Y[ZLFIb..'.<} ] (ttl 30, id 
38919, len 126)
0x   4500 007e 9807  1e11 a785 ac16 0220E..~
0x0010   ac16 0296 0810 0714 006a 1477 0163 0062.j.w.c.b
0x0020    0ce1  0e32  7afc  2694...2..z...&.
0x0030   010e 6973 7261 656c 4054 4553 5445 4f13[EMAIL PROTECTED]
0x0040   0206 0011 0154 4553 5445 5c69 7372 6165.TESTE\israe
0x0050   6c04 06ac 1602 2006 0600  011f 0930l..0
0x0060   2e30 2e30 2e30 3d06  000f 5012 595b.0.0.0=.P.Y[
0x0070   dea3 eef7 5a4c 4649 62ef 8327 083c ZLFIb..'.<
19:41:06.410197 172.22.2.150.1812 > 172.22.2.32.2064:  [udp sum ok] 
rad-access-reject 20 [id 99] (DF) (ttl 64, id 0, len 48)
0x   4500 0030  4000 4011 ddda ac16 0296[EMAIL PROTECTED]@...
0x0010   ac16 0220 0714 0810 001c 446d 0363 0014..Dm.c..
0x0020   8e98 4517 d1fc ace0 55b2 f401 e0da ceae..E.U...


/usr/local/radius/sbin/radiusd -X -A
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:2065, id=86, 
length=98
User-Name = "[EMAIL PROTECTED]"
EAP-Message = 0x020700110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
  modcall[authorize]: module "TESTE" returns updated for request 0
  rlm_eap: Request is supposed to be proxied to Realm TESTE.  Not doing 
EAP.
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry israel at line 216
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314
  modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 0 to 127.0.0.1:1812
User-Name = "israel"
EAP-Message = 0x020700110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x
Proxy-State = 0x3836
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1814, id=0, length=96
User-Name = "israel"
EAP-Message = 0x020700110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0xb8f016bb4a4bdd82c395a5f43d058bb1
Proxy-State = 0x3836
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
rlm_realm: No

Re: Help with PEAP

2005-03-14 Thread Israel Fabio Alves
 rlm_eap: EAP packet type response id 7 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry israel at line 216
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [israel/] (from client 
localhost port 0 cli 0.0.0.0)
Sending Access-Reject of id 0 to 127.0.0.1:1814
Proxy-State = 0x3836
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=0, length=24
Proxy-State = 0x3836
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314
  modcall[post-proxy]: module "post_proxy_log" returns ok for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns ok for request 0
Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
Sending Access-Reject of id 86 to 172.22.2.32:2065
Finished request 0
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 0 with timestamp 4236135b
Cleaning up request 0 ID 86 with timestamp 4236135b
Nothing to do.  Sleeping until we see a request.


cat /usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314
Packet-Type = Access-Reject
Mon Mar 14 19:42:35 2005
Proxy-State = 0x3836

cat /usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314
Packet-Type = Access-Request
Mon Mar 14 19:42:35 2005
User-Name = "israel"
EAP-Message = 0x020700110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
Client-IP-Address = 172.22.2.32
Stripped-User-Name = "israel"
Realm = "TESTE"
EAP-Type = Identity
Realm = "TESTE"
Proxy-State = 0x3836

Israel Fabio Alves wrote:
Hi,
I need help to configure FreeRADIUS to authenticate Windows XP users
with PEAP + MSCHAPv2.
I need to authenticate users using the "username + password + domain".
Is there someone who runs this that can help me?
Many thanks,
Israel.


Re: Help with PEAP

2005-03-14 Thread Israel Fabio Alves
Hi,
I need help to configure FreeRADIUS to authenticate Windows XP users
with PEAP + MSCHAPv2.
I need to authenticate users using the "username + password + domain".
Is there someone who runs this that can help me?
Many thanks,
Israel.


Re: Proxy PEAP+MSCHAPV2

2005-01-31 Thread Israel Fabio Alves
Hi,
It is the FreeRADIUS server.

Ron Wahler wrote:
Is the FreeRadius Server a client of IAS ?
Ron.
http://www.positive-logic.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel
Alves
Sent: Sunday, January 30, 2005 11:44 AM
To: freeradius-users@lists.freeradius.org
Subject: Proxy PEAP+MSCHAPV2
Hi,
I want to proxy the authentication of users [EMAIL PROTECTED]; this is generated
by the domain login of Windows XP.

I configured the FreeRADIUS server that receives the request to proxy it to
a second server.

When I try a connection with Windows XP, I receive the error below on the
first server; further below, I put the result of the second FreeRADIUS
server:

rlm_eap: Request is supposed to be proxied to Realm TESTE.  Not doing 
EAP.


rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, 
length=98
	User-Name = "[EMAIL PROTECTED]"
	EAP-Message = 0x020100110154455354455c69737261656c
	NAS-IP-Address = 172.22.2.32
	Service-Type = Login-User
	Calling-Station-Id = "0.0.0.0"
	NAS-Port-Type = Ethernet
	Message-Authenticator = 0x4b7d7eb7f7c7d152f7781ccef4d74eb2
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
   modcall[authorize]: module "auth_log" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
 rlm_realm: Looking up realm "TESTE" for User-Name = "israel  TESTE"
 rlm_realm: Found realm "TESTE"
 rlm_realm: Adding Stripped-User-Name = "israel"
 rlm_realm: Proxying request from user israel to realm TESTE
 rlm_realm: Adding Realm = "TESTE"
 rlm_realm: Preparing to proxy authentication request to realm "TESTE"
   modcall[authorize]: module "suffix" returns updated for request 0
  rlm_eap: Request is supposed to be proxied to Realm TESTE.  Not doing 
EAP.
   modcall[authorize]: module "eap" returns noop for request 0
   modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 172.22.3.69:1812
	User-Name = "israel"
	EAP-Message = 0x020100110154455354455c69737261656c
	NAS-IP-Address = 172.22.2.32
	Service-Type = Login-User
	Calling-Station-Id = "0.0.0.0"
	NAS-Port-Type = Ethernet
	Message-Authenticator = 0x
	Proxy-State = 0x323534
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
	Extreme-Netlogin-Url = "http://172.22.2.180";
	Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
	Extreme-Netlogin-Only = Enabled
	Extreme-Netlogin-Vlan = "servers"
	Proxy-State = 0x323534
Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, 
length=98
Sending Access-Reject of id 254 to 172.22.2.32:1746
	Extreme-Netlogin-Url = "http://172.22.2.180";
	Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
	Extreme-Netlogin-Only = Enabled
	Extreme-Netlogin-Vlan = "servers"
--- Walking the entire request list ---
Waking up in 5 seconds...





rad_recv: Access-Request packet from host 172.22.0.47:1814, id=0, length=97
	User-Name = "israel"
	EAP-Message = 0x020100110154455354455c69737261656c
	NAS-IP-Address = 172.22.2.32
	Service-Type = Login-User
	Calling-Station-Id = "0.0.0.0"
	NAS-Port-Type = Ethernet
	Message-Authenticator = 0x0195a000df15f453a0effe23b403fb50
	Proxy-State = 0x323534
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128
   modcall[authorize]: module "auth_log" returns ok for request 0
 rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
 rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 17
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 0
 users: Matched israel at 18
   modcall[authorize]: module "files" returns o

Re: proxy problem

2005-01-28 Thread Israel Fabio Alves
e-Authenticator = 0x1f5c6cb62a3a7fba84c5275ab4fd1f86
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: 
'/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
  modcall[authorize]: module "auth_log" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
users: Matched israel at 18
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
Sending Access-Request of id 1 to 172.22.3.69:1812
User-Name = "israel"
EAP-Message = 0x0202001c04105aaa04a104713a480168c2e8a600717669737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0xecf53721b73e9b5edbb4c1c5be1dc48f
Message-Authenticator = 0x
Proxy-State = 0x3237
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 172.22.3.69:1812, id=1, length=145
Service-Type = Login-User
Extreme-Netlogin-Url = "http://172.22.2.180";
Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
Extreme-Netlogin-Only = Enabled
Extreme-Netlogin-Vlan = "servers"
EAP-Message = 0x03020004
Message-Authenticator = 0x5cdf497509b31d38c99f9f3f06f4f9bf
User-Name = "israel"
Proxy-State = 0x3237
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: 
'/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
  modcall[authorize]: module "auth_log" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 1
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched israel at 18
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [israel/] (from client extreme 
port 0 cli 0.0.0.0)
Sending Access-Accept of id 27 to 172.22.2.32:1753
Service-Type = Login-User
Extreme-Netlogin-Url = "http://172.22.2.180";
Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
Extreme-Netlogin-Only = Enabled
Extreme-Netlogin-Vlan = "servers"
EAP-Message = 0x03020004
Message-Authenticator = 0x
User-Name = "israel"
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 23 with timestamp 41fa9c9a
Cleaning up request 1 ID 27 with timestamp 41fa9c9a
Nothing to do.  Sleeping until we see a request.



Thanks for helping me.

Dustin Doris wrote:
Post your debug output (radiusd -X), with both a successful and
unsuccessful login.

On Fri, 28 Jan 2005, Israel Fabio Alves wrote:

If I do a test, logging in without a domain, only with username and password,
the authentication occurs.
We can see this information in the files "proxy1.txt" and "realmTESTE1.txt".
If someone can help me.
Many thanks.
Israel Fabio Alves wrote:

The file "proxy.txt" is the FreeRADIUS that receives the request from the switch.
The file "realmTESTE.txt" is the FreeRADIUS that will authenticate users
for domain TESTE. At this moment, the authentication is in files.

Dustin Doris wrote:

Do you have nostrip setup in proxy.conf to not strip the username? Please post debug

Re: proxy problem

2005-01-28 Thread Israel Fabio Alves
If I do a test, logging in without a domain, only with username and password,
the authentication occurs.

We can see this information in the files "proxy1.txt" and "realmTESTE1.txt".
If someone can help me.
Many thanks.
Israel Fabio Alves wrote:
The file "proxy.txt" is the FreeRADIUS that receives the request from the switch.
The file "realmTESTE.txt" is the FreeRADIUS that will authenticate users
for domain TESTE. At this moment, the authentication is in files.


Dustin Doris wrote:
Do you have nostrip setup in proxy.conf to not strip the username?  Please
post debug info (radiusd -X).

On Fri, 28 Jan 2005, Israel Fabio Alves wrote:

I do not know for sure if it is a problem of FreeRADIUS; it is possible that
it is my configuration.
When I do a test using just the user and password, I log in OK, but when
using username, password and domain, the login fails.
If somebody has information that helps me, I will be very happy.

Alan DeKok wrote:

Israel Fabio Alves <[EMAIL PROTECTED]> wrote:

I am trying to do 802.1X with proxy authentication: when the user logs in from
Windows XP, he enters username, password and domain. The switch will
send an authentication request to a FreeRADIUS server, which will proxy the
request according to the user's domain. When I try this, I get the errors below.

 What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812

...

rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, 
length=108

 The other server rejected the user.  Why would you think this is a
problem in FreeRADIUS?
 Alan DeKok.





Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = n

Re: proxy problem

2005-01-28 Thread Israel Fabio Alves
The file "proxy.txt" is the FreeRADIUS that receives the request from the switch.
The file "realmTESTE.txt" is the FreeRADIUS that will authenticate users
for domain TESTE. At this moment, the authentication is in files.


Dustin Doris wrote:
Do you have nostrip setup in proxy.conf to not strip the username?  Please
post debug info (radiusd -X).
On Fri, 28 Jan 2005, Israel Fabio Alves wrote:

I do not know for sure if it is a problem of FreeRADIUS; it is possible that
it is my configuration.
When I do a test using just the user and password, I log in OK, but when
using username, password and domain, the login fails.
If somebody has information that helps me, I will be very happy.

Alan DeKok wrote:

Israel Fabio Alves <[EMAIL PROTECTED]> wrote:

I am trying to do 802.1X with proxy authentication: when the user logs in from
Windows XP, he enters username, password and domain. The switch will send an
authentication request to a FreeRADIUS server, which will proxy the
request according to the user's domain. When I try this, I get the errors below.

 What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812
...

rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

 The other server rejected the user.  Why would you think this is a
problem in FreeRADIUS?
 Alan DeKok.
--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343

--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
 detail: detailfile = 
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirper

Re: proxy problem

2005-01-28 Thread Israel Fabio Alves
I do not know for sure if it is a problem of freeradius; it is possible that it is my configuration.

When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails.

If somebody has information that helps me, I will be very happy.

Alan DeKok wrote:
Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
I try to do 802.1x with proxy authentication; when the user logs in from Windows XP, he puts username, password and domain. The Switch will send an authentication request to a freeradius server, that will proxy the request according to the user domain. When I try this, I get the errors below.

  What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812
...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

  The other server rejected the user.  Why would you think this is a
problem in FreeRADIUS?
  Alan DeKok.
--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343


proxy problem

2005-01-28 Thread Israel Fabio Alves
Hi,
I try to do 802.1x with proxy authentication; when the user logs in from Windows XP, he puts username, password and domain. The Switch will send an authentication request to a freeradius server, that will proxy the request according to the user domain. When I try this, I get the errors below.
If I use the example below, I authenticate 100%.

"israel"   User-Password == "xteste", Proxy-To-Realm := TESTE
   Service-Type = Login,

Debug of the server that the Switch sends the authentication request to:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = 
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/radius/etc/raddb/users"
 files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = 
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = y

Problem - proxy peap + mschapv2

2005-01-22 Thread Israel Fabio Alves
Hi, I need help.
I configured freeradius to authenticate users in Openldap using the samba password; it's working 100%.

Now I configured another freeradius server to route the information of users according to the Windows Domain Name, so I configured proxy.conf for this.

When I do a test, the error below occurs:
"  rlm_eap: Request is supposed to be proxied to Realm TESTE.  Not doing EAP."



rad_recv: Access-Request packet from host 172.22.2.32:1520, id=218, 
length=98
User-Name = "[EMAIL PROTECTED]"
EAP-Message = 0x020100110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x3bd8b99f86bf11e0fd40509088fac01a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
  modcall[authorize]: module "suffix" returns updated for request 4
  rlm_eap: Request is supposed to be proxied to Realm TESTE.  Not doing 
EAP.
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
Sending Access-Request of id 4 to 172.22.3.69:1812
User-Name = "israel"
EAP-Message = 0x020100110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x
Proxy-State = 0x323138
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=4, length=25
Proxy-State = 0x323138
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 4
  modcall[post-proxy]: module "eap" returns noop for request 4
modcall: group post-proxy returns noop for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1520, id=218, 
length=98
Sending Access-Reject of id 218 to 172.22.2.32:1520
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 218 with timestamp 41f12c0d
Nothing to do.  Sleeping until we see a request.







rad_recv: Access-Request packet from host 172.22.0.47:1814, id=4, length=97
User-Name = "israel"
EAP-Message = 0x020100110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0xf46be4650830b6c5e442cc2756cf7411
Proxy-State = 0x323138
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
  rlm_eap: EAP packet type response id 1 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat:  '(uid=israel)'
radius_xlat:  'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter 
(uid=israel)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 
E16089130E8B7BEE87E6FF312E5B8312 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 
E42C92D3C5AE8D6AE68AA26A841A86FA & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & 
op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" return
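
The two debug traces above (and the "proxy problem" threads before them) show the same thing from both sides: the proxying server strips the realm and forwards `User-Name = "israel"`, while the EAP-Message attribute is forwarded untouched and still carries the identity the supplicant typed. The home server's rlm_eap then reports "Identity does not match User-Name". The following is an added example, not FreeRADIUS code: it decodes the EAP-Message attribute exactly as `radiusd -X` printed it (RFC 3748 header: code, identifier, length, type, data) and applies the same identity-versus-User-Name comparison. The constant names and the helper functions are my own; the hex string and the user name are copied from the log.

```python
"""Decode a RADIUS EAP-Message attribute and compare its EAP Identity with
User-Name, the check whose failure rlm_eap logs above.  Added example; not
FreeRADIUS code."""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1  # RFC 3748 type 1

# Taken from the debug output in the thread: the attribute as radiusd -X
# printed it, and the User-Name after rlm_realm stripped the "@TESTE" suffix.
EAP_MESSAGE_FROM_LOG = "0x020100110154455354455c69737261656c"
USER_NAME_AS_PROXIED = "israel"


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # only Request/Response carry a type byte
    data: bytes


def parse_eap_message(attr: str) -> EapPacket:
    """Parse the EAP header (RFC 3748 section 4): code, id, length, type, data."""
    raw = bytes.fromhex(attr[2:] if attr.lower().startswith("0x") else attr)
    if len(raw) < 4:
        raise ValueError("EAP-Message shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length > len(raw):
        raise ValueError(f"EAP length {length} exceeds attribute size {len(raw)}")
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        return EapPacket(code, ident, length, raw[4], raw[5:length])
    return EapPacket(code, ident, length, None, b"")


def eap_identity(pkt: EapPacket) -> Optional[str]:
    """Return the identity string of an EAP-Response/Identity, else None."""
    if pkt.code == 2 and pkt.eap_type == EAP_TYPE_IDENTITY:
        return pkt.data.decode("utf-8", errors="replace")
    return None


def identity_matches_user_name(attr: str, user_name: str) -> bool:
    """True only when the EAP Identity equals the RADIUS User-Name exactly."""
    ident = eap_identity(parse_eap_message(attr))
    return ident is not None and ident == user_name


if __name__ == "__main__":
    pkt = parse_eap_message(EAP_MESSAGE_FROM_LOG)
    print(EAP_CODES[pkt.code], "id", pkt.identifier, "len", pkt.length,
          "type", pkt.eap_type, "identity", repr(eap_identity(pkt)))
    print("matches proxied User-Name:",
          identity_matches_user_name(EAP_MESSAGE_FROM_LOG, USER_NAME_AS_PROXIED))
```

Run stand-alone it decodes the attribute to an EAP-Response/Identity carrying `TESTE\israel`, which is not equal to the forwarded `israel`; that is the mismatch the home server sees. Stripping only the RADIUS User-Name while leaving the EAP payload alone is what produces it, which is the reason the inner EAP identity has to be carried through unchanged (or the stripping not done) when EAP is proxied.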

PEAP + OpenLDAP

2005-01-14 Thread Israel Fabio Alves
Hi,
I tried to configure Windows XP to authenticate with 802.1x using PEAP + MSCHAPV2.

The freeradius 1.0.1 was configured to search user information in OpenLdap. On the same computer where freeradius is installed, I have the OpenLdap + Samba server "version 2.2.12" that stores users' passwords in OpenLDAP.

If I configure the authentication to occur as "file" the authentication is 100%, but when configured to OpenLdap, I always get the error below:

  PEAP: Got tunneled reply RADIUS code 3
 Service-Type = Login-User
 MS-CHAP-Error = "8E=691 R=1"
 EAP-Message = 0x04380004
 Message-Authenticator = 0x
   PEAP: Processing from tunneled session code 0x817f5c8 3
 Service-Type = Login-User
 MS-CHAP-Error = "8E=691 R=1"
 EAP-Message = 0x04380004
 Message-Authenticator = 0x
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE

Debug file:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=admin,dc=testdomain,dc=com"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "xtopazio"
 ldap: basedn = "dc=testdomain,dc=com"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "radiusProfileDn"
 ldap: password_header = "{CRYPT}"
 ldap: password_attribute = "userPassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "radiusGroupName"
 ldap: dictionary_mapping = "/usr/local/radius/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file 
/usr/local/radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap:

Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Israel Fabio Alves
# Livingston-style 'users' file
files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    compat = no
}
acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
    rcode = fail
}
always reject {
    rcode = reject
}
always ok {
    rcode = ok
    simulcount = 0
    mpp = no
}
}
authorize {
    preprocess
#   chap
#   mschap
#   suffix
#   ntdomain
    eap
#   files
#   sql
#   etc_smbpasswd
    ldap
#   daily
#   checkval
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    #
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }
#   digest
#   pam
#   unix

Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Israel Fabio Alves
Hi,
I have a question about the problem below.
If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.
Ron Wahler wrote:
You could still encrypt the passwords in the ldap database; it just has to be a two-way hash so you can get the password in the clear.
Ron.
Ron Wahler
http://www.positive-logic.net
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue
I am having the same problem. When you use an EAP type (like PEAP), a hash of the password is sent to the radius server. The radius server is able to deal with this if it has the password (such as in a mysql DB or local file). The password can be hashed and compared with the hash that was received from the client (WinXP PC in your case). If you use LDAP, you must supply a cleartext password (usually over SSL) in order to perform PAP authentication. Since you are sending the hash of the password to the LDAP server it cannot bind. The only solution that I have found is to store cleartext passwords in the LDAP DB, but this would defeat the purpose of authentication because then anyone could view passwords stored on the LDAP server. I hope this explanation helps (at least it wasn't filled with WTF's and RTFM's like some responses).
:)

[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
AJ Grinnell <[EMAIL PROTECTED]> wrote:
Ok, I have peap working with the users file and with mysql, and I have radius working with ldap also. But I can not get a user to authenticate against ldap using peap.
 The server does not authenticate against LDAP for any EAP type. See my previous message to you on this topic.

I have seen that you can't use eap and ldap,
 You already asked this question, and I already answered it.  If you don't remember, read the list archives.

but peap and ldap should work from what I have read.
 PEAP is a type of EAP.

the debug that I am seeing is very long, so I have included the part where I am seeing an obvious error.
 The part where it says it doesn't have a password?

rlm_mschap: No User-Password configured.  Cannot create LM-Password.
rlm_mschap: No User-Password configured.  Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 You haven't told the server what the user's password is.  How the heck do you expect it to authenticate anyone?
 Alan DeKok.

I'm sorry, I have not seen any replies that you may have given me. The server has been told what the user's password is when they log in over the wireless: Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work?  Again, I'm sorry if this is a basic question.


--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343