RE: Failed to authenticate the user
Hi George,

Have you ever heard of Google? It's amazing the stuff you can find on there, and people won't get annoyed with you for asking the list to do your job for you - which comes across as a bit lazy...

HUP is straightforward, read http://www.freebsddiary.org/hup.php

Everyone has to start somewhere but I'd suggest this list might not be the best place to ask basic Linux questions. There are some other really good places which I found very useful when I started out with this stuff; http://www.linuxquestions.org/ is a good one.

Mark

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org On Behalf Of George Innocent
Sent: 07 August 2012 14:24
To: FreeRadius users mailing list
Subject: Re: Failed to authenticate the user

And how do I send this signal of change

On Tue, Aug 7, 2012 at 4:03 PM, Alan DeKok al...@deployingradius.com wrote:
> George Innocent wrote:
>> How long do the RADIUS changes take to synchronize with the NAS; what commands should I use to make the changes made on the files take effect?
>
> You need to take a Unix 101 course. You clearly have no idea what you're doing. If you're editing the users file, then you will need to send the server a HUP signal.
>
>> So far the NAS authenticates successfully with 5-10 attempts before changes made get to synchronize with the NAS.
>
> No.
>
> Alan DeKok.

--
Regards: George Innocent.

Nuffield College is a Registered Charity No. 1137506. Registered Office: Nuffield College, New Road, Oxford, OX1 1NF

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring Freeradius with LDAP
I think http://wiki.freeradius.org/Rlm_ldap has what you are after.

Mark

On 18 Apr 2012, at 18:53, Wassim Zaarour wassim.zaar...@navlink.com wrote:

> Hi List,
>
> I have installed freeradius 2.1.12, and it's working well. Now I need to configure it to authenticate with LDAP (Sun Directory Server) but I can't seem to find which file to configure in raddb; I can't find it in radiusd.conf.
>
> I appreciate any help on this.
>
> Wassim C. Zaarour
> Systems Network Engineer
Re: Distributing Certificates
> Your problem is going to be distributing the server cert to the clients NOT distributing client certs

Maybe I've missed something here, but why will he need to distribute a cert to clients? If the certificate you use on your RADIUS server is signed by a known CA, the client should already have the relevant root certificate and so will trust the certificate presented by the server. This is assuming he is using certificates for confirming the identity of the server, not for EAP-TLS etc.

Cheers,

Mark

On 6 Jan 2012, at 21:43, Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote:

> It may be a misunderstanding on my part but I believe any encrypted protocol would need a cert of some sort. PEAP is an encrypted tunnel thus you will need a cert. FR will generate its own certs for testing but for production you should generate your own.
>
> We are making the move to 802.1x in the next few months and will be using a self-signed cert on the FR server and deploying it to the users' machines via a third party tool from a company called cloud path.
>
> Suffice it to say that Windows Vista and beyond MUST have the server cert installed or be configured to ignore server certs before you can use any encrypted protocol (such as PEAP). It WILL NOT work out-of-the-box! XP would show you a dialogue box with a warning but that functionality is gone in Vista and 7. MAC OS and Linux will still allow you to download the cert and install it on first use, Windows will not.
>
> Your problem is going to be distributing the server cert to the clients NOT distributing client certs (unless you are using EAP/TLS or the like), as mentioned before AD makes this easy via GPO / login scripts. However if your clients are not part of your domain then you have very few choices.
>
> 1) Roll your own program to install the cert for them
> 2) Buy a solution to install the cert (like cloud path)
> 3) Issue instructions to the clients and have them install the certs manually
> 4) Go around and install all the certs yourself
>
> There are pros and cons for each.
>
> BTW for security reasons you should use a self-signed cert, that being the case you can make the cert valid for 99 years, then revoke it when you have time to redistribute them ; )
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> -Original Message-
> From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org On Behalf Of McSparin, Joe
> Sent: Friday, January 06, 2012 3:07 PM
> To: FreeRadius users mailing list
> Subject: RE: Distributing Certificates
>
> I don't have any particular desire to use certificates; thus far in testing mode I have been using PEAP and just ignoring the warning that tells me there is a certificate on the server that doesn't match. I assumed in deployment I would have to install certificates so the users wouldn't be confused when they saw that message.
>
> I thought that FreeRadius had to have certificates set up even if they were just example ones. radiusd -X runs bootstrap which creates example certificates automatically. This led me to believe that certificates were somehow integral to 802.1x. Is that not the case? If so how can you take certificates completely out of the equation?
>
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcspa...@hillcountrymemorial.org
>
> -Original Message-
> From: freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org On Behalf Of David Mitton
> Sent: Friday, January 06, 2012 12:44 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Distributing Certificates
>
> You can do such things as suggested... but you haven't articulated what your goal is and what you will be using the certificates for? 802.1X doesn't require certificates... but you may want to use them depending on what you are trying to do.
>
> Dave.
>
> Quoting Danner, Mearl jmdan...@samford.edu:
>
> > If you are using AD and have a CA set up you can create autoenrollment GPOs for domain attached machines. You can issue either user or computer certs. Can also configure the Windows wireless supplicant via GPO.
> >
> > Mearl
> >
> > From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org On Behalf Of McSparin, Joe
> > Sent: Friday, January 06, 2012 10:18 AM
> > To: FreeRadius users mailing list
> > Subject: Distributing Certificates
> >
> > Now that I have my Radius server configured I need to begin implementation. I have 600 computers that will be using it. The question I am wondering is do I have to go around and install a certificate on every
RE: Dial up error and freeradius is down
Hi,

> - Bandwidth is insufficient from pppoe server to radius server;
> - Server running radius is of insufficient capability.

You don't say what bandwidth etc you are on or what spec the server is, but unless it's pretty low end I'd be surprised if that was the issue if you only have 500 users.

Cheers,

Mark

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org On Behalf Of Robin
Sent: 01 April 2011 15:52
To: freeradius-users@lists.freeradius.org
Subject: Dial up error and freeradius is down

Hi Friends,

I met a problem with FreeRADIUS 2.1.9 (MySQL + CentOS, about 500 pppoe users) as below:

In general, I found some users couldn't dial to radius, and the log information is as below:

  Fri Apr 1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
  Fri Apr 1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.

I have two guesses:

- Bandwidth is insufficient from pppoe server to radius server;
- Server running radius is of insufficient capability.

Could you help me? Thank you very much.

Robin
Logging to Microsoft SQL
I'm looking at having freeradius log accounting information to an MS-SQL database on our centralised logging box.

Googling returns a lot of pages on this. I had a look at them but many relate to freeradius 1.

Before I go making a lot of work for myself needlessly - could anyone outline what I need to be doing, or point me in the direction of up to date instructions?

Many thanks,

Mark
Re: PEAP MSCHAPv2 error..
Thanks, Alan - got it fixed now.

On 8 Feb 2011, at 21:15, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> Entered bob as username, testing123 as password
>> I get No such realm 'NULL'
>> So added -
>>
>>   realm test {
>>     authhost = LOCAL
>>     accthost = LOCAL
>>   }
>
>   realm LOCAL {
>   }
>   realm NULL {
>   }
>
>> Now I get rejected - the following from the debug output looks relevant
>
> what is your 'users' entry file like for bob?
>
>>   [mschapv2] +- entering group MS-CHAP {...}
>>   [mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
>>   [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> have you edited the modules/mschap file?
>
>   mschap {
>     use_mppe = yes
>     require_encryption = yes
>     require_strong = yes
>     with_ntdomain_hack = yes
>     #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>   }
>
> do you fire off
>
>   preprocess
>   suffix
>   ntdomain
>
> in that order, in the authorize section of inner-tunnel?
>
>> I'm doing something silly, no doubt - but what? Should this config just work out of the box?
>
> it should do... I'm sure I've recently (Sept last year) got a fresh 2.1.x server and slapped SoH patches on and it just worked with a Win7 client
>
> alan
PEAP MSCHAPv2 error..
Tested with PAP and radtest, as per http://deployingradius.com/documents/configuration/pap.html

All works OK

Now I want to test from a Windows 7 wireless client using PEAP (MSCHAPv2). The page seems to indicate this should pretty much work with default config. So:-

I added wireless AP to clients.conf

  client 163.1.40.141 {
    secret = testing
  }

Disabled 'Validate server certificate' on the client

Entered bob as username, testing123 as password

I get No such realm 'NULL'

So added -

  realm test {
    authhost = LOCAL
    accthost = LOCAL
  }

To proxy.conf - not sure this is the correct way of resolving a null realm, though.

And this time entered bob@test as the username, testing123 as password

Now I get rejected - the following from the debug output looks relevant

  [mschapv2] +- entering group MS-CHAP {...}
  [mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
  [mschap] FAILED: MS-CHAP2-Response is incorrect
  ++[mschap] returns reject
  [eap] Freeing handler
  ++[eap] returns reject
  Failed to authenticate the user.
  } # server inner-tunnel
  [peap] Got tunneled reply code 3
          MS-CHAP-Error = \010E=691 R=1
          EAP-Message = 0x04080004
          Message-Authenticator = 0x
  [peap] Got tunneled reply RADIUS code 3
          MS-CHAP-Error = \010E=691 R=1
          EAP-Message = 0x04080004
          Message-Authenticator = 0x
  [peap] Tunneled authentication was rejected.
  [peap] FAILURE

I posted the full debug output at http://www.nuffield.ox.ac.uk/scratch2/test-peap.log - as I wasn't sure posting all 900+ lines to this list would be appreciated - or is that OK in future? The MSCHAP errors are line 901 onwards.

I'm doing something silly, no doubt - but what? Should this config just work out of the box?

Appreciate any help.

Cheers

Mark
FW: PEAP MSCHAPv2 error..
Ah - do I need to be authenticating against something like AD that does MS-CHAP? I have AD here and that is the eventual goal, but trying to change as little as possible and keep it simple to begin with...

Mark

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org On Behalf Of Mark Holmes
Sent: 08 February 2011 12:45
To: FreeRadius users mailing list
Subject: PEAP MSCHAPv2 error..
RE: FAQ and Wiki down?
Works for me also

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org On Behalf Of Marinko Tarlac
Sent: 29 October 2010 15:40
To: dcjea...@gmail.com; FreeRadius users mailing list
Subject: Re: FAQ and Wiki down?

Works fine for me...

On 10/29/2010 4:33 PM, David Jea wrote:
> Hi,
>
> For the past two days, I can't reach these 2 tabs: FAQ and Wiki. All the others are good.
>
> http://wiki.freeradius.org/index.php/FAQ
> http://wiki.freeradius.org/
>
> I thought it was my issue, but my internet is good, no proxy, tried with IE and Firefox; it does seem to me that the wiki site is down. Thought I should report it.
>
> Thanks,
> David
RE: Removing domain name in freeradius
Thanks Phil.

Final question: At the moment, I can authenticate with username, but not with usern...@mydomain.ox.ac.uk

How do I tell freeradius to accept usern...@mydomain.ox.ac.uk (I don't mind if authenticating with just username without the domain fails)

Thanks,

Mark
RE: Problem with MSCHAP
OK,

Just to recap, I'm working on setting Freeradius up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using samba and ntlm_auth.

Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

Needless to say it's failing.

I set the mydomain.ox.ac.uk realm in proxy.conf as someone on here suggested on Friday, and that has cleared up the warning about unknown realms.

When connecting, I still get several errors before auth fails. I've pasted my debug output into the web tool and it picks out the following in red

  security {
    max_attributes = 200
    reject_delay = 1        (This line in red)
    status_server = yes
  }                         (all in red)

  Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = /etc/raddb/attrs.access_reject

  [pap] WARNING! No known good password found for the user. Authentication may fail because of this.    (In yellow)

I also see (not highlighted) that I'm still getting

  [mschap] No Cleartext-Password configured. Cannot create LM-Password.
  [mschap] No Cleartext-Password configured. Cannot create NT-Password.
  [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
  [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
  [mschap] FAILED: MS-CHAP2-Response is incorrect

I have configured modules/mschap to use ntlm_auth as follows

  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Am I missing something in the MSCHAP config?

Cheers,

Mark
RE: Problem with MSCHAP
Alan,

Thanks for your reply.

> how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you aren't helping yourself by failing to post that here

I'm testing with a real client and access point. OK - I wasn't sure posting the whole debug would be appreciated, but I have posted it at http://www.nuffield.ox.ac.uk/scratch/debug-log-2.txt

> you should see the incantation of the ntlm_auth line - if not, then it's not being called

I can only see two references to ntlm_auth, this:-

  Module: Instantiating ntlm_auth
   exec ntlm_auth {
    wait = yes
    program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
    input_pairs = request
    shell_escape = yes
   }

And another line indicating the ntlm_auth config file is being included:-

  including configuration file /etc/raddb/modules/ntlm_auth

Should I also see ntlm_auth being called during the authentication - presumably I should...

Thanks,

Mark

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org On Behalf Of Alan Buxey
Sent: 12 October 2010 10:41
To: FreeRadius users mailing list
Subject: Re: Problem with MSCHAP

Hi,

> I've pasted my debug output into the web tool and it picks out the following in red
>
>   security {
>     max_attributes = 200
>     reject_delay = 1        (This line in red)
>     status_server = yes
>   }                         (all in red)
>
>   Module: Instantiating attr_filter.access_reject
>   attr_filter attr_filter.access_reject {
>     attrsfile = /etc/raddb/attrs.access_reject

ignore those - the word 'reject' is being flagged without context.

>   [pap] WARNING! No known good password found for the user. Authentication may fail because of this.    (In yellow)

okay.

> I also see (not highlighted) that I'm still getting
>
>   [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>   [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>   [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
>   [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>   [mschap] FAILED: MS-CHAP2-Response is incorrect

and that will mean that MSCHAPv2 won't be working

> I have configured modules/mschap to use ntlm_auth as follows
>
>   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>
> Am I missing something in the MSCHAP config?

how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you aren't helping yourself by failing to post that here - you should see the incantation of the ntlm_auth line - if not, then it's not being called... and it would be with the default configuration files.

alan
RE: Problem with MSCHAP
Ah - I think I see the issue - the ntlm_auth line in modules/mschap is after the } so presumably not being read...

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org On Behalf Of Mark Holmes
Sent: 12 October 2010 11:25
To: FreeRadius users mailing list
Subject: RE: Problem with MSCHAP
MS-CHAP failing?
OK, getting somewhere, but still won't let me connect. I can't see in the debug output why it fails.

I'm trying to authenticate against AD, using PEAP-MSCHAPv2

I have checked ntlm_auth is working by

  ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser --password=password

and I get (NT_STATUS_OK)

my /modules/ntlm_auth looks like this:-

  exec ntlm_auth {
    wait = yes
    program = /path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
  }

and modules/mschap looks like this

  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response$
  }

In the debug output I can see this - should authentication realm = LOCAL as below?

  [suffix] Looking up realm mydomain.ox.ac.uk for User-Name = testu...@mydomain.ox.ac.uk
  [suffix] Found realm mydomain.ox.ac.uk
  [suffix] Adding Stripped-User-Name = testuser
  [suffix] Adding Realm = mydomain.ox.ac.uk
  [suffix] Authentication realm is LOCAL.

When I paste the debug into the checker it highlights this:-

  [pap] WARNING! No known good password found for the user. Authentication may fail because of this.

But not sure I need to worry about that as I'm not doing PAP

Can't see anything else in there indicating a problem, but when I try to connect a device (my iPhone) it just returns a 'cannot connect to' message

What am I missing? No doubt something obvious

Debug output

  FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
  Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
  Starting - reading configuration files ...
RE: MS-CHAP failing?
Stephen,

Thanks for this. Actually I messed up - my ntlm_auth looks like this (which I think is correct)

  exec ntlm_auth {
    wait = yes
    program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
  }

The /path/to/ntlm_auth line is commented out in my config.

Cheers

Mark

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org On Behalf Of Sallee, Stephen (Jake)
Sent: 12 October 2010 15:03
To: FreeRadius users mailing list
Subject: RE: MS-CHAP failing?

Just checking but you did see the problem in the following line of config right?

  exec ntlm_auth {
    wait = yes
    program = ***/PATH/TO/NTLM_AUTH *** --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
  }

I understand if you left it out on purpose but this code WILL NOT work in production ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?
RE: MS-CHAP failing?
Alan,

Well spotted! - yes there was a bit missing from the end of that line in mschap:

--nt-response=%{mschap:NT-Response:-00}

'Twas indeed a cut-and-paste error. Thanks very much - it now works!

Cheers,
Mark

-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 12 October 2010 15:04
To: FreeRadius users mailing list
Subject: Re: MS-CHAP failing?

Hi,

my /modules/ntlm_auth looks like this:-

exec ntlm_auth {
    wait = yes
    program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

I'd hope it doesn't look like that - fix the /path/to bit to give it the proper details.

and modules/mschap looks like this

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response$ }"

and that entry looks a little broken too - ending in $ - a cut and paste issue?

Sending Access-Challenge of id 5 to 192.168.30.1 port 1162
        EAP-Message = 0x0106004119001403010001011603010030f615a58846d51361b77eab5683e34a0a744f3af094b2c5478a0a1042f89c4f48d3f71abaae4bd259922300d95ae0bfb4
        Message-Authenticator = 0x
        State = 0xbc7efc4cb978e53c4bf33c60bc849290
Finished request 11.

and waiting and challenging - what client are you using? This looks like a Windows client that doesn't have the RADIUS CA installed on it.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
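The two faults in this thread (a placeholder /path/to/ntlm_auth that was never replaced, and an mschap ntlm_auth line mangled by cut-and-paste so that the %{mschap:NT-Response:-00} expansion was broken) are both things a config check can catch before a client ever gets an Access-Reject. The following linter is an added example written for this page; it is not code from FreeRADIUS or from anyone on the list. It assumes the FreeRADIUS 2.x expansion syntax %{...} with %{name:-default} defaults, and the rlm_mschap expansion names User-Name, NT-Domain, Challenge, NT-Response and LM-Response; anything else is reported as unknown. The sample lines in the __main__ block are constructed from the ones posted above.

```python
"""Lint the ntlm_auth command line used by FreeRADIUS 2.x modules/mschap.

Added example for this thread, not code from FreeRADIUS or from the posters.
It catches the faults the thread turned up: a placeholder program path that
was never replaced, and a line damaged by cut-and-paste so that an expansion
such as %{mschap:NT-Response:-00} is malformed, unbalanced or cut off.
"""
import os
import re

# Options the MS-CHAP line must carry. --password= belongs to the PAP-style
# exec module (modules/ntlm_auth); the MS-CHAP line hands Samba the challenge
# and the client's response instead, so a password there is a mistake.
REQUIRED_FLAGS = ("--request-nt-key", "--username=", "--domain=",
                  "--challenge=", "--nt-response=")
# Expansion names rlm_mschap 2.x provides (assumption: list taken from its docs).
KNOWN_MSCHAP_XLATS = {"User-Name", "NT-Domain", "Challenge", "NT-Response", "LM-Response"}
MSCHAP_XLAT = re.compile(r"%\{mschap:(?P<name>[A-Za-z-]+)(?::-(?P<default>[^{}\s]*))?\}")


def brace_problems(text):
    """Walk every %{...} expansion, honouring nesting such as %{%{mschap:NT-Domain}:-X}."""
    problems, depth = [], 0
    for i, ch in enumerate(text):
        if text.startswith("%{", i):
            depth += 1
        elif text.startswith("%(", i):
            problems.append(f"'%(' at offset {i}: expansions open with '%{{'")
        elif ch == "}":
            if depth == 0:
                problems.append(f"stray '}}' at offset {i}")
            else:
                depth -= 1
    if depth:
        problems.append(f"{depth} unclosed expansion(s): line is probably truncated")
    return problems


def mschap_xlat_problems(text):
    """Every %{mschap:...} must parse as NAME or NAME:-DEFAULT with a known NAME."""
    problems = []
    for hit in re.finditer(r"%\{mschap:", text):
        m = MSCHAP_XLAT.match(text, hit.start())
        if m is None:
            problems.append(f"malformed expansion at {text[hit.start():hit.start() + 28]!r}")
        elif m.group("name") not in KNOWN_MSCHAP_XLATS:
            problems.append(f"unknown mschap expansion {m.group('name')!r}")
    return problems


def check_ntlm_auth_line(line, check_program_exists=False):
    """Return a list of problems with an `ntlm_auth = "..."` setting or a bare command line.

    An empty list means the line looks sane. With check_program_exists=True the
    program must also be an executable file on this host.
    """
    value = line.strip()
    if re.match(r"ntlm_auth\s*=", value):
        value = value.partition("=")[2].strip().strip('"')
    if not value:
        return ["empty ntlm_auth setting"]
    problems = brace_problems(value) + mschap_xlat_problems(value)
    argv = value.split()
    program, args = argv[0], argv[1:]
    if "/path/to/" in program.lower():
        problems.append(f"placeholder program path {program!r} was never replaced")
    elif not os.path.isabs(program):
        problems.append(f"program {program!r} must be an absolute path")
    elif check_program_exists and not os.access(program, os.X_OK):
        problems.append(f"{program!r} is not executable on this host")
    for flag in REQUIRED_FLAGS:
        if not any(a.startswith(flag) for a in args):
            problems.append(f"missing {flag}")
    if any(a.startswith("--password=") for a in args):
        problems.append("--password= belongs in modules/ntlm_auth, not in the MS-CHAP line")
    # Whitespace inside an expansion splits it into a dangling '}' or '$' token:
    # the classic symptom of a line that lost its tail in a paste.
    if args and args[-1] in ("$", "}"):
        problems.append(f"line ends in a lone {args[-1]!r}: looks cut off")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the broken line from the thread and its corrected form.
    broken = ('ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} '
              '--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} --challenge=%{mschap:Challenge:-00} '
              '--nt-response=%{mschap:NT-Response$ }"')
    fixed = broken.replace("%{mschap:NT-Response$ }", "%{mschap:NT-Response:-00}")
    for label, text in (("broken", broken), ("fixed", fixed)):
        print(label, check_ntlm_auth_line(text) or "OK")
```

Run it against the line you are about to put in modules/mschap; pass check_program_exists=True on the RADIUS host itself so a wrong path is reported too. The brace walk and the per-expansion parse are separate on purpose: the posted line was brace-balanced yet still broken, and the later typo (%( for %{) is unbalanced without containing any mschap expansion at all.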
Removing domain name in freeradius
Hi all,

Currently when users connect to our WLAN they enter their username thus:-

firstname.lastn...@mydomain.ox.ac.uk

Is there a way I can strip everything after the @ out (i.e. the domain) - so they are forced to authenticate against the domain I specify? At the moment in my test environment, as long as I DON'T specify the domain it works - so I'm looking to strip out the domain name if they DO specify it.

Cheers,
Mark

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with MSCHAP
This is my first post to this list, so first of all, hi!

I'm new to freeradius, I'm working on setting it up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using samba and ntlm_auth.

Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

I have the ntlm_auth part working in as far as I can put

DEFAULT Auth-Type = ntlm_auth

in users and then do

radtest user password localhost 0 testing123

and I see the server returns Access-Accept.

I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and editing modules/mschap as follows:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

and set up a wireless access point, add it to clients and have it point at the radius server.

Now when I try to connect I get Access-Reject - I've tried a couple of devices - an iPhone and a Win XP machine. Output from radiusd -X at the bottom of this message.

The bit that looks relevant to me is

++[mschap] returns noop

which I guess indicates a problem with mschap somewhere.

Also

[suffix] Looking up realm mydomain.ox.ac.uk for User-Name = firstname.lastn...@mydomain.ox.ac.uk
[suffix] No such realm mydomain.ox.ac.uk

However I'm not sure I need to worry about that bit - at the moment this is just a single, stand alone RADIUS server so I'm not sure I need to worry about realms, or do I?

Not sure where to go from here - are there some basic things I should check? I haven't included my conf files in this post but happy to do so if required.

Any advice/hints much appreciated as to how I should look to troubleshoot this.

Thanks,
Mark

Output from -X

Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=39, length=267
        Message-Authenticator = 0x2e5d3be1821aead988b3d37cba9afd08
        Service-Type = Framed-User
        User-Name = firstname.lastn...@mydomain.ox.ac.uk
        Framed-MTU = 1488
        State = 0x0f85e60107a2ffd7a9724559c0c7d131
        Called-Station-Id = 00-24-73-54-22-C2:Test-WLAN
        Calling-Station-Id = 78-E4-00-B2-E2-D5
        NAS-Identifier = Wireless AP - I6
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x0227002b1900170301002067b2b3a9663cb4262b845b709b8619eb1d6ae803961cb66e52227722f3d8e496
        NAS-IP-Address = 192.168.1.10
        NAS-Port = 4
        NAS-Port-Id = STA port # 4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm mydomain.ox.ac.uk for User-Name = firstname.lastn...@mydomain.ox.ac.uk
[suffix] No such realm mydomain.ox.ac.uk
++[suffix] returns noop
[eap] EAP packet type response id 39 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> firstname.lastn...@mydomain.ox.ac.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 99 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 99
Sending Access-Reject of id 39 to 192.168.1.10 port 1286
        EAP-Message = 0x04270004
        Message-Authenticator = 0x
Waking up in 3.7 seconds.
Cleaning up request 90 ID 30 with timestamp +1733
Cleaning up request 91 ID 31 with timestamp +1733
Cleaning up request 92 ID 32 with timestamp +1733
Cleaning up request 93 ID 33 with timestamp +1733
Cleaning up request 94 ID 34 with timestamp +1733
Cleaning up request 95 ID 35 with timestamp +1733
Cleaning up request 96 ID 36 with timestamp +1733
Cleaning up request 97 ID 37 with timestamp +1733
Cleaning up request 98 ID 38 with timestamp +1733
Waking up in 0.9 seconds.
Cleaning up request 99 ID 39 with timestamp +1733
Ready to process requests.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Problem with MSCHAP
All,

Many thanks for the replies.

Firstly, don't set Auth-Type. It's almost always the wrong thing to do.

Sure - I set that just to test the AD auth was working, and removed it again prior to configuring mschap.

EAP is a multi-pass protocol; there will be 4-8 requests, and the actual MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS tunnel is established, but before the failure is sent.

Ah - doh! I wasn't sure about posting the whole lot to this list as it runs to quite a few lines so posted it here http://www.nuffield.ox.ac.uk/scratch/logfile.txt

Thanks,
Mark

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
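The advice quoted above (the Access-Reject is the last of 4-8 EAP round trips; the module that actually rejected the user did so in an earlier packet) is the thing to automate when a radiusd -X capture runs to hundreds of lines. The script below is an added example written for this page, not code from the thread or from FreeRADIUS. It splits debug output at each rad_recv line, records every "++[module] returns reject/fail/invalid" per packet, and reports the earliest one together with the lines that module logged. The sample capture is constructed to resemble the 2.x debug output shown in the thread; the wording of the [mschap] FAILED line in the middle packet is an assumption, and the parser keys only on the "++[module] returns rc" lines, which the thread does show.

```python
"""Locate the packet in which an EAP-PEAP/MS-CHAPv2 session really failed.

Added example, not code from the thread or from FreeRADIUS. `radiusd -X`
prints one rad_recv block per packet; with EAP the Access-Reject is the last
block, but the module that rejected the user ran in an earlier one. This
finds the first packet in which any module returned reject/fail/invalid.
"""
import re
from dataclasses import dataclass, field

PACKET_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
MODULE_RC_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rc>\w+)")
FAILING_RCS = {"reject", "fail", "invalid"}


@dataclass
class Request:
    packet_id: int
    lines: list = field(default_factory=list)
    failing: list = field(default_factory=list)   # (module, rc) in the order seen


def split_requests(debug_text):
    """Group debug lines by the rad_recv line that begins each packet."""
    requests = []
    for line in debug_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            requests.append(Request(packet_id=int(m.group(3))))
        if not requests:
            continue            # startup banner before the first packet
        requests[-1].lines.append(line)
        rc = MODULE_RC_RE.match(line)
        if rc and rc.group("rc") in FAILING_RCS:
            requests[-1].failing.append((rc.group("module"), rc.group("rc")))
    return requests


def first_failure(debug_text):
    """Return (packet_id, module, context_lines) for the earliest failing module, or None."""
    for req in split_requests(debug_text):
        if req.failing:
            module, _rc = req.failing[0]
            # Everything that module logged in the same packet, e.g. "[mschap] FAILED: ..."
            context = [ln for ln in req.lines if ln.startswith(f"[{module}]")]
            return req.packet_id, module, context
    return None


# Constructed sample: three packets of a PEAP session. The reject surfaces in
# id=39, but the user was refused by mschap inside the tunnel in id=38.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=37, length=180
+- entering group authorize {...}
++[mschap] returns noop
++[eap] returns updated
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Done initial handshake
++[eap] returns handled
Sending Access-Challenge of id 37 to 192.168.1.10 port 1286
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=38, length=267
+- entering group authorize {...}
++[mschap] returns noop
++[eap] returns updated
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Got tunneled request
[mschap] Told to do MS-CHAPv2 for firstname.lastname with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[peap] Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 38 to 192.168.1.10 port 1286
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=39, length=267
+- entering group authorize {...}
++[mschap] returns noop
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Had sent TLV failure. User was rejected earlier in this session.
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 39 to 192.168.1.10 port 1286
"""

if __name__ == "__main__":
    hit = first_failure(SAMPLE_DEBUG)
    if hit is None:
        print("no failing module found")
    else:
        pid, module, context = hit
        print(f"first failure in packet id={pid}, module [{module}]")
        for ln in context:
            print("   ", ln)
```

Feed it the whole capture (python3 triage.py < debug.txt after swapping SAMPLE_DEBUG for sys.stdin.read()) and read the reported packet rather than the final reject: on the sample it points at id=38 and the [mschap] lines, which is where the ntlm_auth command line and its output are worth inspecting. Note that the module-return regex also matches names with dots such as attr_filter.access_reject, which the thread's own output contains.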
Re: Problem with MSCHAP
do you REALLY want to accept what the user puts in as the gospel truth? ie, I wouldn't be comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it really was a local user!)

Good point. Our existing setup uses IAS, and is configured to expect the domain to be appended. I want to switch to FreeRADIUS without too many changes being required client side - possibly even none if I moved the cert from the IAS box to the FreeRADIUS machine.

Cheers,
Mark

On 8 Oct 2010, at 14:59, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

do you REALLY want to accept what the user puts in as the gospel truth? ie, I wouldn't be comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it really was a local user!)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
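Two threads on this page meet at the same policy question: the "Removing domain name in freeradius" post wants everything after the @ stripped so users authenticate against one fixed domain, and Alan Buxey's reply above warns against feeding whatever domain the user typed into ntlm_auth's --domain=. The function below is an added example written for this page, not code from FreeRADIUS or from anyone on the list; in a real deployment this policy lives in the realm/suffix configuration and in a fixed --domain= on the modules/mschap line. It models both forms a Windows or Apple supplicant can present (user@realm and DOMAIN\user), accepts only realms and NT domains on an allow-list, always hands back the server's own domain, and rejects everything else instead of guessing. LOCAL_NT_DOMAIN, ACCEPTED_REALMS and the character allow-list are constructed deployment values.

```python
"""Normalise the User-Name a wireless client presents before it reaches ntlm_auth.

Added example, not part of the thread or of FreeRADIUS. It implements the
policy argued for on this page: strip a user-supplied realm or NT domain,
but only if it is one we own; never pass a domain the user chose on to
Samba; reject anything else rather than proxy or guess.
"""
import re
from dataclasses import dataclass

# Constructed deployment values (assumptions): the NT domain Samba should be
# asked to authenticate against, and the realms users are allowed to append.
LOCAL_NT_DOMAIN = "MYDOMAIN"
ACCEPTED_REALMS = {"mydomain.ox.ac.uk", "mydomain"}      # compared case-insensitively
# The name ends up on ntlm_auth's command line via exec, so keep to a
# conservative character set instead of relying on quoting downstream.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class RejectUser(ValueError):
    """Raised when the presented name should produce an Access-Reject."""


@dataclass(frozen=True)
class Identity:
    username: str      # value for --username=
    nt_domain: str     # value for --domain= (always LOCAL_NT_DOMAIN)
    stripped: bool     # True if the client supplied a realm/domain that was removed


def normalise_user_name(user_name):
    """Map a presented User-Name to the identity ntlm_auth should be asked about."""
    name = user_name.strip()
    if "\\" in name and "@" in name:
        raise RejectUser(f"{user_name!r}: mixes DOMAIN\\user and user@realm forms")
    if "\\" in name:
        # NT form: DOMAIN\user. Only our own domain is acceptable.
        domain, _, user = name.partition("\\")
        if domain.upper() != LOCAL_NT_DOMAIN:
            raise RejectUser(f"{user_name!r}: NT domain {domain!r} is not ours")
        stripped = True
    elif "@" in name:
        # NAI form: user@realm. Split at the LAST @ so "a@b@realm" leaves an
        # invalid user part behind and is rejected by the character check.
        user, _, realm = name.rpartition("@")
        if realm.lower() not in ACCEPTED_REALMS:
            raise RejectUser(f"{user_name!r}: realm {realm!r} is not ours; refusing to guess")
        stripped = True
    else:
        user, stripped = name, False
    if not USERNAME_RE.match(user):
        raise RejectUser(f"{user_name!r}: username part {user!r} has disallowed characters")
    return Identity(username=user, nt_domain=LOCAL_NT_DOMAIN, stripped=stripped)


def ntlm_auth_argv(user_name, challenge_hex, nt_response_hex):
    """Build the argv the mschap module would run, with the domain pinned to ours."""
    ident = normalise_user_name(user_name)
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={ident.username}", f"--domain={ident.nt_domain}",
            f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]


if __name__ == "__main__":
    # Constructed inputs covering the forms discussed on the page.
    for presented in ("testuser", "firstname.lastname@MyDomain.ox.ac.uk",
                      "MYDOMAIN\\testuser", "testuser@evil.example", "OTHER\\testuser"):
        try:
            print(f"{presented!r:45} -> {normalise_user_name(presented)}")
        except RejectUser as why:
            print(f"{presented!r:45} -> REJECT ({why})")
```

The shape to notice is that the domain the user typed never reaches --domain=: it is only ever compared against the allow-list and then discarded, which is what Alan's objection asks for, while the poster's clients that append @mydomain.ox.ac.uk keep working unchanged. The argv builder is hypothetical, there to show where the pinned domain goes; the real invocation is the ntlm_auth line in modules/mschap.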