Re: help - PEAP authentication
I will put the test server up, then I will send the configuration files. Thanks for helping me.

Michael Griego wrote:
> It will break inside the EAP code, since the EAP code does a sanity check to make sure the EAP Identity matches the User-Name sent by the NAS.
>
> --Mike
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
>
> Luis Daniel Lucio Quiroz wrote:
>> Why don't you try this:
>>
>>     modules {
>>         ...
>>         # '[EMAIL PROTECTED]'
>>         #
>>         realm suffix {
>>             format = suffix
>>             delimiter = "@"
>>         }
>>     }
>>
>> and then
>>
>>     authorize {
>>         preprocess
>>         ...
>>         suffix
>>         ...
>>     }
>>
>> It should work in the way that the DN is rewritten. Let me know if it works for you.
>>
>> On Thursday 28 April 2005 21:25, Israel Fabio Alves wrote:
>>> Hi Michael,
>>>
>>> I will see this with Extreme Networks (Brazil). Thanks for your help.
>>>
>>> Michael Griego wrote:
>>>> Talk to your NAS vendor. That's completely insane for a NAS to rewrite the User-Name, not to mention a violation of RFC 3579.
>>>>
>>>> --Mike
>>>>
>>>> Israel Fabio Alves wrote:
>>>>> Hi,
>>>>>
>>>>> I need help to solve a problem. My configuration works 100% with a Cisco 2950 switch. Now I need to use a switch from Extreme Networks (Summit 1i), but this switch sends the request to FreeRADIUS with this: "[EMAIL PROTECTED]". I thought of using attr_rewrite to change the request from "[EMAIL PROTECTED]" to "windowsdomain\username", but I cannot find the way to organize the information with attr_rewrite, and I do not know if this will work for authentication. Does someone have an idea how I can solve this?
>>>>>
>>>>> Many thanks.
>>>>>
>>>>> Israel Alves

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help - PEAP authentication
Hi Michael,

I will see this with Extreme Networks (Brazil). Thanks for your help.

Michael Griego wrote:
> Talk to your NAS vendor. That's completely insane for a NAS to rewrite the User-Name, not to mention a violation of RFC 3579.
>
> --Mike
>
> Israel Fabio Alves wrote:
>> Hi,
>>
>> I need help to solve a problem. My configuration works 100% with a Cisco 2950 switch. Now I need to use a switch from Extreme Networks (Summit 1i), but this switch sends the request to FreeRADIUS with this: "[EMAIL PROTECTED]". I thought of using attr_rewrite to change the request from "[EMAIL PROTECTED]" to "windowsdomain\username", but I cannot find the way to organize the information with attr_rewrite, and I do not know if this will work for authentication. Does someone have an idea how I can solve this?
>>
>> Many thanks.
>>
>> Israel Alves

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
help - PEAP authentication
Hi,

I need help to solve a problem. My configuration works 100% with a Cisco 2950 switch. Now I need to use a switch from Extreme Networks (Summit 1i), but this switch sends the request to FreeRADIUS with this: "[EMAIL PROTECTED]". I thought of using attr_rewrite to change the request from "[EMAIL PROTECTED]" to "windowsdomain\username", but I cannot find the way to organize the information with attr_rewrite, and I do not know if this will work for authentication. Does someone have an idea how I can solve this?

Many thanks.

Israel Alves
PEAP authentication + Windows DOMAIN
Hi,

I am trying to authenticate a Windows XP user with PEAP + MSCHAPV2. The authentication uses user + password + domain. The same error always occurs:

    rlm_eap: Identity does not match User-Name, setting from EAP Identity.

Thanks for your help.

tp-opengate:/usr/local/radius/etc/raddb# /usr/local/radius/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=NTRSSRV --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/openssl/ssl/misc/radius/newreq.pem"
 tls: certificate_file = "/usr/local/openssl/ssl/misc/radius/newcert.pem"
 tls: CA_file = "/usr/local/openssl/ssl/misc/radius/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/openssl/ssl/misc/radius/dh"
 tls: random_file = "/usr/local/openssl/ssl/misc/radius/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = yes
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/usr/local/radius/var/log/ra
Re: Help with PEAP
Hi,

Does someone have an idea about this problem?? Thanks for helping me,

Israel.

Israel Fabio Alves wrote:
> Hi,
>
> If I do tests without the domain, the authentication runs OK. If I do tests with user + password + domain, the information below occurs:
>
> tcpdump -n -i eth0 -vv -s 0 -X udp and \( port 1812 or port 1813 \)
> 19:41:06.403013 172.22.2.32.2064 > 172.22.2.150.1812: [udp sum ok] rad-access-req 98 [id 99] Attr[ [EMAIL PROTECTED] EAP_msg{..} NAS_ipaddr{172.22.2.32} Service_type{Login} Calling_station{0.0.0.0} NAS_port_type{Ethernet} Message_auth{Y[ZLFIb..'.<} ] (ttl 30, id 38919, len 126)
> 0x0000   4500 007e 9807 1e11 a785 ac16 0220        E..~
> 0x0010   ac16 0296 0810 0714 006a 1477 0163 0062   .j.w.c.b
> 0x0020   0ce1 0e32 7afc 2694                       ...2..z...&.
> 0x0030   010e 6973 7261 656c 4054 4553 5445 4f13   [EMAIL PROTECTED]
> 0x0040   0206 0011 0154 4553 5445 5c69 7372 6165   .TESTE\israe
> 0x0050   6c04 06ac 1602 2006 0600 011f 0930        l..0
> 0x0060   2e30 2e30 2e30 3d06 000f 5012 595b        .0.0.0=.P.Y[
> 0x0070   dea3 eef7 5a4c 4649 62ef 8327 083c        ZLFIb..'.<
> 19:41:06.410197 172.22.2.150.1812 > 172.22.2.32.2064: [udp sum ok] rad-access-reject 20 [id 99] (DF) (ttl 64, id 0, len 48)
> 0x0000   4500 0030 4000 4011 ddda ac16 0296        [EMAIL PROTECTED]@...
> 0x0010   ac16 0220 0714 0810 001c 446d 0363 0014   ..Dm.c..
> 0x0020   8e98 4517 d1fc ace0 55b2 f401 e0da ceae   ..E.U...
>
> /usr/local/radius/sbin/radiusd -X -A
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.22.2.32:2065, id=86, length=98
>         User-Name = "[EMAIL PROTECTED]"
>         EAP-Message = 0x020700110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
>     rlm_realm: Found realm "TESTE"
>     rlm_realm: Adding Stripped-User-Name = "israel"
>     rlm_realm: Proxying request from user israel to realm TESTE
>     rlm_realm: Adding Realm = "TESTE"
>     rlm_realm: Preparing to proxy authentication request to realm "TESTE"
>   modcall[authorize]: module "TESTE" returns updated for request 0
>   rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry israel at line 216
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
>   Processing the pre-proxy section of radiusd.conf
> modcall: entering group pre-proxy for request 0
> radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314'
> rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314
>   modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 0
> modcall: group pre-proxy returns ok for request 0
> Sending Access-Request of id 0 to 127.0.0.1:1812
>         User-Name = "israel"
>         EAP-Message = 0x020700110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x
>         Proxy-State = 0x3836
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1814, id=0, length=96
>         User-Name = "israel"
>         EAP-Message = 0x020700110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0xb8f016bb4a4bdd82c395a5f43d058bb1
>         Proxy-State = 0x3836
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
>     rlm_realm: No
Re: Help with PEAP
  rlm_eap: EAP packet type response id 7 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry israel at line 216
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [israel/] (from client localhost port 0 cli 0.0.0.0)
Sending Access-Reject of id 0 to 127.0.0.1:1814
        Proxy-State = 0x3836
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=0, length=24
        Proxy-State = 0x3836
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314
  modcall[post-proxy]: module "post_proxy_log" returns ok for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns ok for request 0
Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
Sending Access-Reject of id 86 to 172.22.2.32:2065
Finished request 0
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 0 with timestamp 4236135b
Cleaning up request 0 ID 86 with timestamp 4236135b
Nothing to do. Sleeping until we see a request.

cat /usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314
Packet-Type = Access-Reject
Mon Mar 14 19:42:35 2005
        Proxy-State = 0x3836

cat /usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314
Packet-Type = Access-Request
Mon Mar 14 19:42:35 2005
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
        Client-IP-Address = 172.22.2.32
        Stripped-User-Name = "israel"
        Realm = "TESTE"
        EAP-Type = Identity
        Realm = "TESTE"
        Proxy-State = 0x3836

Israel Fabio Alves wrote:
> Hi,
>
> I need help to configure FreeRADIUS to authenticate Windows XP users with PEAP + MSCHAPV2. I need to authenticate users using "username + password + domain". Is there someone who runs this who can help me??
>
> Many thanks,
>
> Israel.

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
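The sanity check Michael Griego describes in the "help - PEAP authentication" thread, and the failure it produces in the debug output above ("Identity does not match User-Name" followed by "Failed in handler"), worked through as an added example that is not code from the thread or from FreeRADIUS. It rebuilds the Access-Request from the attribute bytes in the tcpdump hex shown earlier in this message (the 20-byte header and the Request Authenticator are constructed here, because the pasted dump lost words), decodes the User-Name and the EAP-Response/Identity, models the realm stripping the proxy did, and applies the comparison rlm_eap makes. The function names (parse_attributes, eap_identity, strip_realm, analyse, rfc3579_request) are chosen for this example; only the Python standard library is used.

```python
"""
Added example (not from the thread or from FreeRADIUS): decode the captured
Access-Request and apply the User-Name / EAP-Identity comparison that rlm_eap
logs as "Identity does not match User-Name".  RFC 3579 section 2.1 requires the
NAS to copy the identity from EAP-Response/Identity into User-Name unchanged.
"""
import struct

USER_NAME, EAP_MESSAGE = 1, 79          # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # EAP code and type (RFC 3748)

# Attribute bytes copied from the thread's tcpdump hex (offsets 0x30 to 0x7d).
# The pasted dump dropped several all-zero words and most of the Request
# Authenticator, so the 20-byte header is CONSTRUCTED: code 1 (Access-Request),
# id 99 and length 98 as tcpdump reported, authenticator zeroed.
ATTRS_HEX = (
    "010e 6973 7261 656c 4054 4553 5445"               # User-Name "israel@TESTE"
    "4f13 0206 0011 0154 4553 5445 5c69 7372 6165 6c"  # EAP-Message: Identity "TESTE\israel"
    "0406 ac16 0220"                                   # NAS-IP-Address 172.22.2.32
    "0606 0000 0001"                                   # Service-Type = Login-User
    "1f09 302e 302e 302e 30"                           # Calling-Station-Id "0.0.0.0"
    "3d06 0000 000f"                                   # NAS-Port-Type = Ethernet
    "5012 595b dea3 eef7 5a4c 4649 62ef 8327 083c"     # Message-Authenticator
)
ATTRS = bytes.fromhex(ATTRS_HEX.replace(" ", ""))
CAPTURED_REQUEST = struct.pack("!BBH", 1, 99, 20 + len(ATTRS)) + bytes(16) + ATTRS


def parse_attributes(packet):
    """Return [(type, value)] for one RADIUS packet, rejecting bad length fields."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length %d does not match %d bytes" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_identity(attrs):
    """Reassemble EAP-Message attributes; return the identity string if this is an EAP-Response/Identity, else None."""
    eap = b"".join(value for atype, value in attrs if atype == EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or length != len(eap) or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:].decode("latin-1")


def user_name(attrs):
    """Return the User-Name string, or None if the attribute is absent."""
    names = [value for atype, value in attrs if atype == USER_NAME]
    return names[0].decode("latin-1") if names else None


def strip_realm(name, fmt, delimiter):
    """Model rlm_realm: 'suffix' splits at the last delimiter, 'prefix' at the first. Returns (user, realm)."""
    if fmt == "suffix":
        user, sep, realm = name.rpartition(delimiter)
    else:
        realm, sep, user = name.partition(delimiter)
    return (user, realm) if sep else (name, None)


def identity_check(name, attrs):
    """The rlm_eap sanity check: the User-Name must equal the EAP Identity."""
    ident = eap_identity(attrs)
    return ident is None or ident == name


def analyse(packet, realm_format=None, delimiter="@", nostrip=False):
    """Optionally strip the realm as the proxy did, then return (User-Name seen, EAP Identity, check passes)."""
    attrs = parse_attributes(packet)
    name = user_name(attrs)
    if realm_format is not None and not nostrip:
        name, _realm = strip_realm(name, realm_format, delimiter)
    return name, eap_identity(attrs), identity_check(name, attrs)


def rfc3579_request(packet):
    """Rebuild the request as a compliant NAS would send it: User-Name set to the EAP Identity.
    The Message-Authenticator is left as captured and is therefore not valid for the
    rebuilt packet; a real NAS recomputes that HMAC-MD5 over the packet it sends."""
    attrs = parse_attributes(packet)
    ident = eap_identity(attrs)
    if ident is None:
        raise ValueError("packet carries no EAP-Response/Identity")
    body = b""
    for atype, value in attrs:
        if atype == USER_NAME:
            value = ident.encode("latin-1")
        body += bytes([atype, 2 + len(value)]) + value
    code, pid, _length = struct.unpack("!BBH", packet[:4])
    return struct.pack("!BBH", code, pid, 20 + len(body)) + packet[4:20] + body


if __name__ == "__main__":
    print(analyse(CAPTURED_REQUEST))                         # as the switch sent it
    print(analyse(CAPTURED_REQUEST, "suffix"))               # after the proxy's "realm suffix" strip
    print(analyse(CAPTURED_REQUEST, "suffix", nostrip=True))  # nostrip keeps the realm, rewrite remains
    fixed = rfc3579_request(CAPTURED_REQUEST)
    print(analyse(fixed, "prefix", "\\"))                    # compliant NAS, but proxy strips the domain
    print(analyse(fixed, "prefix", "\\", nostrip=True))      # compliant NAS plus nostrip: check passes
```

Run stand-alone, the first three results all fail the comparison: the hex in the capture shows the switch sent User-Name israel@TESTE while the supplicant's EAP identity is TESTE\israel, so the mismatch already exists before FreeRADIUS touches the packet; suffix-stripping to israel does not change that, and nostrip in proxy.conf (Dustin Doris's question in the "proxy problem" thread) keeps the realm but cannot undo a rewrite the NAS already made. Only the last case passes: a NAS that copies the EAP identity into User-Name unchanged, combined with nostrip so the proxy forwards it intact. That is the point behind the advice in the thread to take the rewrite up with the NAS vendor, and it is also why the check is worth having: it stops a NAS or intermediate proxy from asserting a User-Name that differs from the identity actually bound into the EAP conversation.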
Re: Help with PEAP
Hi,

I need help to configure FreeRADIUS to authenticate Windows XP users with PEAP + MSCHAPV2. I need to authenticate users using "username + password + domain". Is there someone who runs this who can help me??

Many thanks,

Israel.
Re: Proxy PEAP+MSCHAPV2
Hi,

It is the FreeRADIUS server.

Ron Wahler wrote:
> Is the FreeRadius Server a client of IAS ?
>
> Ron.
> http://www.positive-logic.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Alves
> Sent: Sunday, January 30, 2005 11:44 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Proxy PEAP+MSCHAPV2
>
> Hi,
>
> I want to proxy the authentication of users "[EMAIL PROTECTED]"; this is generated by the Windows XP domain login. I configured the FreeRADIUS server that receives the request to proxy it to a second server. When I try a connection from Windows XP, I receive the error below on the first server; further below I put the result from the second FreeRADIUS server:
>
> rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
>
> rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
>         User-Name = "[EMAIL PROTECTED]"
>         EAP-Message = 0x020100110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x4b7d7eb7f7c7d152f7781ccef4d74eb2
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
> rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
>   modcall[authorize]: module "auth_log" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: Looking up realm "TESTE" for User-Name = "israel TESTE"
>     rlm_realm: Found realm "TESTE"
>     rlm_realm: Adding Stripped-User-Name = "israel"
>     rlm_realm: Proxying request from user israel to realm TESTE
>     rlm_realm: Adding Realm = "TESTE"
>     rlm_realm: Preparing to proxy authentication request to realm "TESTE"
>   modcall[authorize]: module "suffix" returns updated for request 0
>   rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
>   modcall[authorize]: module "eap" returns noop for request 0
>   modcall[authorize]: module "files" returns notfound for request 0
> modcall: group authorize returns updated for request 0
> Sending Access-Request of id 0 to 172.22.3.69:1812
>         User-Name = "israel"
>         EAP-Message = 0x020100110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x
>         Proxy-State = 0x323534
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
>         Extreme-Netlogin-Url = "http://172.22.2.180"
>         Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
>         Extreme-Netlogin-Only = Enabled
>         Extreme-Netlogin-Vlan = "servers"
>         Proxy-State = 0x323534
> Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
> Sending Access-Reject of id 254 to 172.22.2.32:1746
>         Extreme-Netlogin-Url = "http://172.22.2.180"
>         Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
>         Extreme-Netlogin-Only = Enabled
>         Extreme-Netlogin-Vlan = "servers"
> --- Walking the entire request list ---
> Waking up in 5 seconds...
>
> rad_recv: Access-Request packet from host 172.22.0.47:1814, id=0, length=97
>         User-Name = "israel"
>         EAP-Message = 0x020100110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x0195a000df15f453a0effe23b403fb50
>         Proxy-State = 0x323534
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128'
> rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128
>   modcall[authorize]: module "auth_log" returns ok for request 0
>     rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 1 length 17
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched israel at 18
>   modcall[authorize]: module "files" returns o
Re: proxy problem
e-Authenticator = 0x1f5c6cb62a3a7fba84c5275ab4fd1f86
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
  modcall[authorize]: module "auth_log" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched israel at 18
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
Sending Access-Request of id 1 to 172.22.3.69:1812
        User-Name = "israel"
        EAP-Message = 0x0202001c04105aaa04a104713a480168c2e8a600717669737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        State = 0xecf53721b73e9b5edbb4c1c5be1dc48f
        Message-Authenticator = 0x
        Proxy-State = 0x3237
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 172.22.3.69:1812, id=1, length=145
        Service-Type = Login-User
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
        EAP-Message = 0x03020004
        Message-Authenticator = 0x5cdf497509b31d38c99f9f3f06f4f9bf
        User-Name = "israel"
        Proxy-State = 0x3237
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
  modcall[authorize]: module "auth_log" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Proxy reply, or no User-Name. Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 1
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched israel at 18
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [israel/] (from client extreme port 0 cli 0.0.0.0)
Sending Access-Accept of id 27 to 172.22.2.32:1753
        Service-Type = Login-User
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
        EAP-Message = 0x03020004
        Message-Authenticator = 0x
        User-Name = "israel"
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 23 with timestamp 41fa9c9a
Cleaning up request 1 ID 27 with timestamp 41fa9c9a
Nothing to do. Sleeping until we see a request.

Thanks for helping me.

Dustin Doris wrote:
> Post your debug output (radiusd -X), with both a successful and unsuccessful login.
>
> On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
>> If I do a test, login without domain, only with username and password, the authentication occurs. We can see this information in the files "proxy1.txt" and "realmTESTE1.txt". If someone can help me. Many thanks.
>>
>> Israel Fabio Alves wrote:
>>> The file "proxy.txt" is the FreeRADIUS that receives the request from the switch. The file "realmTESTE.txt" is the FreeRADIUS that will authenticate users for domain TESTE. At this moment, the authentication is in files.
>>>
>>> Dustin Doris wrote:
>>>> Do you have nostrip setup in proxy.conf to not strip the username? Please post debug
Re: proxy problem
If I do a test, login without domain, only with username and password, the authentication occurs. We can see this information in the files "proxy1.txt" and "realmTESTE1.txt". If someone can help me. Many thanks.

Israel Fabio Alves wrote:
> The file "proxy.txt" is the FreeRADIUS that receives the request from the switch. The file "realmTESTE.txt" is the FreeRADIUS that will authenticate users for domain TESTE. At this moment, the authentication is in files.
>
> Dustin Doris wrote:
>> Do you have nostrip setup in proxy.conf to not strip the username? Please post debug info (radiusd -X).
>>
>> On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
>>> I do not know for sure whether it is a problem of FreeRADIUS; it is possible that it is my configuration. When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails. If somebody has information that helps me, I will be very happy.
>>>
>>> Alan DeKok wrote:
>>>> Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
>>>>> I try to do 802.1x with proxy authentication: when the user logs in from Windows XP, he enters username, password and domain. The switch will send an authentication request to a FreeRADIUS server, which will proxy the request according to the user's domain. When I try this, I get the errors below.
>>>>
>>>> What part of the errors are unclear?
>>>>
>>>>> Sending Access-Request of id 0 to 172.22.3.69:1812
>>>>> ...
>>>>> rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
>>>>
>>>> The other server rejected the user. Why would you think this is a problem in FreeRADIUS?
>>>>
>>>> Alan DeKok.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = n
Re: proxy problem
The file "proxy.txt" is the FreeRADIUS that receives the request from the switch. The file "realmTESTE.txt" is the FreeRADIUS that will authenticate users for domain TESTE. At this moment, the authentication is in files.

Dustin Doris wrote:
> Do you have nostrip setup in proxy.conf to not strip the username? Please post debug info (radiusd -X).
>
> On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
>> I do not know for sure whether it is a problem of FreeRADIUS; it is possible that it is my configuration. When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails. If somebody has information that helps me, I will be very happy.
>>
>> Alan DeKok wrote:
>>> Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
>>>> I try to do 802.1x with proxy authentication: when the user logs in from Windows XP, he enters username, password and domain. The switch will send an authentication request to a FreeRADIUS server, which will proxy the request according to the user's domain. When I try this, I get the errors below.
>>>
>>> What part of the errors are unclear?
>>>
>>>> Sending Access-Request of id 0 to 172.22.3.69:1812
>>>> ...
>>>> rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
>>>
>>> The other server rejected the user. Why would you think this is a problem in FreeRADIUS?
>>>
>>> Alan DeKok.

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirper
Re: proxy problem
I do not know for sure if it is a problem of freeradius; it is possible that it is my configuration. When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails. If somebody has information that helps me, I will be very happy.

Alan DeKok wrote:
Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
I am trying to do 802.1x with proxy authentication; when the user logs in from Windows XP, he enters username, password and domain. The Switch will send an authentication request to a freeradius server, which will proxy the request according to the user's domain. When I try this, I get the errors below.

What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812
...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

The other server rejected the user. Why would you think this is a problem in FreeRADIUS?

Alan DeKok.

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
proxy problem
Hi, I am trying to do 802.1x with proxy authentication; when the user logs in from Windows XP, he enters username, password and domain. The Switch will send an authentication request to a freeradius server, which will proxy the request according to the user's domain. When I try this, I get the errors below. If I use the example below, I authenticate 100%.

"israel"   User-Password == "xteste", Proxy-To-Realm := TESTE
           Service-Type = Login,

Debug of the server that the Switch sends the authentication request to:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = y
Problem - proxy peap + mschapv2
Hi, I need help. I configured freeradius to authenticate users in OpenLDAP using the samba password; it's working 100%. Now I configured another freeradius server to route the users' information according to the Windows Domain Name, so I configured proxy.conf for this. When I do a test, the error below occurs:

"rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP."

rad_recv: Access-Request packet from host 172.22.2.32:1520, id=218, length=98
User-Name = "[EMAIL PROTECTED]"
EAP-Message = 0x020100110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x3bd8b99f86bf11e0fd40509088fac01a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
modcall[authorize]: module "suffix" returns updated for request 4
rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 4
modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
Sending Access-Request of id 4 to 172.22.3.69:1812
User-Name = "israel"
EAP-Message = 0x020100110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x
Proxy-State = 0x323138
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=4, length=25
Proxy-State = 0x323138
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 4
modcall[post-proxy]: module "eap" returns noop for request 4
modcall: group post-proxy returns noop for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1520, id=218, length=98
Sending Access-Reject of id 218 to 172.22.2.32:1520
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 218 with timestamp 41f12c0d
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 172.22.0.47:1814, id=4, length=97
User-Name = "israel"
EAP-Message = 0x020100110154455354455c69737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0xf46be4650830b6c5e442cc2756cf7411
Proxy-State = 0x323138
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_eap: EAP packet type response id 1 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value E16089130E8B7BEE87E6FF312E5B8312 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value E42C92D3C5AE8D6AE68AA26A841A86FA & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" return
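The rejected exchange above becomes clearer once the attributes are decoded. What follows is an added example written for this page, not FreeRADIUS code: it parses the EAP-Message shown in the debug, reproduces the suffix-realm stripping that rlm_realm reports (the behaviour the nostrip question in the "proxy problem" thread above is about), and models the consistency check behind the home server's "Identity does not match User-Name" line as a plain string comparison, which is an assumption about rlm_eap's internals. The unstripped User-Name israel@TESTE is inferred from rlm_realm finding realm "TESTE" with delimiter "@" and Stripped-User-Name "israel"; the archive redacted the literal value.

```python
"""Decode the proxied PEAP request from the debug output above and model
the EAP-Identity / User-Name consistency check that fails on the home
server.  Added example for this page; it is not FreeRADIUS code, and the
check itself is modelled as a plain string comparison (an assumption)."""

from typing import Optional, Tuple

EAP_CODE_RESPONSE = 2   # RFC 3748 Code field
EAP_TYPE_IDENTITY = 1   # RFC 3748 Type field

# Attribute values copied from the debug output above.
EAP_MESSAGE = bytes.fromhex("020100110154455354455c69737261656c")
PROXY_STATE = bytes.fromhex("323138")


def decode_eap_identity(eap_message: bytes) -> str:
    """Return the identity carried in an EAP-Response/Identity.

    EAP header: Code(1) Identifier(1) Length(2, big-endian) Type(1) Type-Data.
    Raises ValueError unless the packet is a complete, well-formed
    EAP-Response/Identity; a Length that disagrees with the buffer is an
    error, never silently truncated or padded.
    """
    if len(eap_message) < 5:
        raise ValueError("shorter than EAP header plus Type")
    code = eap_message[0]
    length = int.from_bytes(eap_message[2:4], "big")
    if length != len(eap_message):
        raise ValueError(f"Length field {length} but {len(eap_message)} bytes present")
    if code != EAP_CODE_RESPONSE or eap_message[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return eap_message[5:].decode("utf-8")


def decode_eap_identity_or_none(eap_message: bytes) -> Optional[str]:
    """Lenient wrapper for callers that only want to know whether it parsed."""
    try:
        return decode_eap_identity(eap_message)
    except (ValueError, UnicodeDecodeError):
        return None


def split_suffix_realm(user_name: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """rlm_realm with format = "suffix": "israel@TESTE" -> ("israel", "TESTE").
    A name without the delimiter has no realm and is left alone."""
    if delimiter not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition(delimiter)
    return user, realm


def proxied_user_name(user_name: str, nostrip: bool, delimiter: str = "@") -> str:
    """User-Name the proxy forwards.  With the realm's default (strip) the
    Stripped-User-Name replaces it, which is what 'User-Name = "israel"' in
    the forwarded Access-Request shows; nostrip forwards it unchanged."""
    if nostrip:
        return user_name
    return split_suffix_realm(user_name, delimiter)[0]


def identity_matches_user_name(eap_message: bytes, user_name: str) -> bool:
    """The consistency check behind 'Identity does not match User-Name':
    the EAP Identity the supplicant sent must equal the RADIUS User-Name.
    Modelled as an exact comparison (assumption about rlm_eap)."""
    return decode_eap_identity(eap_message) == user_name


if __name__ == "__main__":
    identity = decode_eap_identity(EAP_MESSAGE)
    print("EAP Identity:", identity)                    # TESTE\israel
    print("Proxy-State :", PROXY_STATE.decode())        # 218, the NAS's request id
    # Unstripped User-Name inferred from rlm_realm's lookup (redacted in the archive).
    original = "israel@TESTE"
    for nostrip in (False, True):
        fwd = proxied_user_name(original, nostrip)
        print(f"nostrip={nostrip!s:5} forwards User-Name={fwd!r}; "
              f"matches identity: {identity_matches_user_name(EAP_MESSAGE, fwd)}")
```

Run stand-alone it prints the decoded identity TESTE\israel and the Proxy-State 218, which is the NAS's own request id echoed back so the proxy can match the reply to request 218. With the page's values the identity is TESTE\israel while the proxy forwards User-Name israel (or israel@TESTE with nostrip), so the comparison fails either way; it only passes once the two strings agree, as calling identity_matches_user_name with "TESTE\israel" shows. The Length check in decode_eap_identity is the part a practitioner should keep: an EAP packet whose Length disagrees with the RADIUS attribute it arrived in must be rejected, not trimmed.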
PEAP + OpenLDAP
Hi, I tried to configure Windows XP to authenticate with 802.1x using PEAP + MSCHAPV2. freeradius 1.0.1 was configured to search user information in OpenLDAP. On the same computer where freeradius is installed, I have the OpenLDAP + Samba server "version 2.2.12" that stores users' passwords in OpenLDAP. If I configure the authentication to occur as "file", the authentication is 100%, but when configured to OpenLDAP, I always get the error below:

PEAP: Got tunneled reply RADIUS code 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x817f5c8 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

Debug file:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded PAP
pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=admin,dc=testdomain,dc=com"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "xtopazio"
ldap: basedn = "dc=testdomain,dc=com"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "radiusProfileDn"
ldap: password_header = "{CRYPT}"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "radiusGroupName"
ldap: dictionary_mapping = "/usr/local/radius/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap:
Re: LDAP, PEAP, Active Directory issue
	# Livingston-style 'users' file
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	# The "always" module is here for debugging purposes. Each
	# instance simply returns the same result, always, without
	# doing anything.
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
}

authorize {
	preprocess
	#chap
	#mschap
	#suffix
	# ntdomain
	eap
	#files
	# sql
	# etc_smbpasswd
	ldap
	# daily
	# checkval
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	#
	# MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}
	# digest
	# pam
	#unix
Re: LDAP, PEAP, Active Directory issue
Hi, I have a question about the problem below. If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?? Thanks.

Ron Wahler wrote:
You could still encrypt the passwords in the ldap database; it just has to be a two-way hash so you can get the password in the clear.

Ron.
Ron Wahler
http://www.positive-logic.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

I am having the same problem. When you use an EAP type (like PEAP), a hash of the password is sent to the radius server. The radius server is able to deal with this if it has the password (such as in a mysql DB or local file). The password can be hashed and compared with the hash that was received from the client (WinXP PC in your case). If you use LDAP, you must supply a cleartext password (usually over SSL) in order to perform PAP authentication. Since you are sending the hash of the password to the LDAP server it cannot bind. The only solution that I have found is to store cleartext passwords in the LDAP DB, but this would defeat the purpose of authentication because then anyone could view passwords stored on the LDAP server. I hope this explanation helps (at least it wasn't filled with WTF's and RTFM's like some responses). :)

[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
AJ Grinnell <[EMAIL PROTECTED]> wrote:
Ok, I have peap working with the users file and with mysql, and I have radius working with ldap also. But I can not get a user to authenticate against ldap using peap.

The server does not authenticate against LDAP for any EAP type. See my previous message to you on this topic.

I have seen that you can't use eap and ldap,

You already asked this question, and I already answered it. If you don't remember, read the list archives.

but peap and ldap should work from what I have read.

PEAP is a type of EAP.

the debug that I am seeing is very long, so I have included the part where I am seeing an obvious error.

The part where it says it doesn't have a password?

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

You haven't told the server what the user's password is. How the heck do you expect it to authenticate anyone?

Alan DeKok.

I'm sorry, I have not seen any replies that you may have given me. The server has been told what the user's password is when they log in over the wireless: Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work? Again, I'm sorry if this is a basic question.

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
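Both this thread and the "PEAP + OpenLDAP" post above turn on the same point: MS-CHAPv2 inside PEAP never gives the server the password, only a response computed from the NT hash, so the server must already hold either that hash (NT-Password, which the ldap.attrmap mapping of ntPassword in the earlier proxy debug supplies) or a cleartext password it can hash itself. A {CRYPT} userPassword is a one-way hash and yields neither, which is what rlm_mschap's "No User-Password configured. Cannot create NT-Password." reports. The following added example, written for this page and not FreeRADIUS or Samba code, computes the NT hash as Samba stores it and decides, for a constructed LDAP entry, whether rlm_mschap has anything to work with. The entries, the attribute names checked (ntPassword from the Samba 2.2 schema seen in the debug above, sambaNTPassword from Samba 3) and the MD4 implementation are the example's own.

```python
"""NT hash and MS-CHAPv2 credential check for an LDAP-backed RADIUS server.
Added example for this page (not FreeRADIUS or Samba code); the LDAP
entries at the bottom are constructed."""

import struct
from typing import Dict, Optional

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python.  hashlib's 'md4' lives in OpenSSL's
    legacy provider and is often unavailable, and MD4 over the UTF-16LE
    password is exactly what the NT hash is."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + k(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it (ntPassword / sambaNTPassword): uppercase
    hex of MD4 over the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Attributes an NT hash may arrive from; Samba 2.2 schema first, Samba 3 second.
NT_HASH_ATTRS = ("ntPassword", "sambaNTPassword")
CLEARTEXT_SCHEMES = ("", "{CLEAR}", "{CLEARTEXT}")


def mschapv2_password_source(entry: Dict[str, str]) -> Optional[str]:
    """Which RADIUS check item an LDAP entry can supply for MS-CHAPv2.

    Returns "NT-Password" if the entry carries an NT hash, "User-Password"
    if userPassword is cleartext (rlm_mschap derives NT-Password from it),
    and None when only a one-way hash such as {CRYPT} or {SSHA} is stored:
    the server then has no NT/LM-Password and the tunneled MS-CHAPv2 fails.
    """
    for attr in NT_HASH_ATTRS:
        if entry.get(attr):
            return "NT-Password"
    pw = entry.get("userPassword")
    if pw is None:
        return None
    scheme = pw[:pw.index("}") + 1].upper() if pw.startswith("{") and "}" in pw else ""
    return "User-Password" if scheme in CLEARTEXT_SCHEMES else None


# Constructed entries.  The first mirrors the rlm_ldap settings above
# (password_attribute userPassword, password_header {CRYPT}); the crypt
# string is a placeholder, not a real hash.
CRYPT_ONLY = {"uid": "israel", "userPassword": "{CRYPT}$1$constructed$notarealhash"}
WITH_NT_HASH = dict(CRYPT_ONLY, ntPassword=nt_hash("password"))
CLEARTEXT = {"uid": "israel", "userPassword": "password"}

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    for name, entry in (("crypt only", CRYPT_ONLY), ("with ntPassword", WITH_NT_HASH), ("cleartext", CLEARTEXT)):
        src = mschapv2_password_source(entry)
        print(f"{name:16}: {src or 'nothing usable, tunneled reply would be MS-CHAP-Error E=691'}")
```

E=691 in the MS-CHAP-Error above is ERROR_AUTHENTICATION_FAILURE from RFC 2759, the generic code, so the supplicant cannot tell a wrong password from a server that had no hash to check against; only the server-side debug does. The NT hash is also the key material for computing the MS-CHAPv2 NT-Response, so anyone who can read ntPassword from the directory can impersonate the user: the attribute needs the same access controls as a cleartext password, and the LDAP bind password visible in the debug above guards it.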