Re: WPA2 802.1X PEAPv0/EAP-MSCHAPv2
Ryan A. Krenzischek wrote:
> Greetings! I am at a road block here. I know setting up WPA2 Enterprise
> PEAPv0/EAP-MSCHAPv2 / 802.1X should be simple. It just isn't working!
> Perhaps I am suffering from green screen syndrome :)
>
> I have followed directions from: http://tldp.org/HOWTO/html_single/8021X-HOWTO/

Ugh. That document is almost 6 years old.

> Aside from mschap being in the etcdir/raddb/modules directory and needing
> to enable mppe, the instructions are fairly straightforward.

How about http://freeradius.org/doc/ ? Or the comments in the man page, and in raddb/eap.conf?

After 10 years of doing this, I still don't understand why people ignore the documentation that ships with the server, and instead read random sites on the net.

> The certificates are generated from our certificate store. I'm trying a
> less complicated set up before moving on to OpenLDAP/Kerberos.
>
> During the build process, I made sure that OpenSSL was available. LDD
> shows that it is linked:

ldd output is not useful. The FAQ and docs don't ask for it.

> The client computers are laptops running OpenSUSE 11.2 x86_64.
> Knetworkmanager is being used to configure the wireless security. The
> settings are:

The FAQ and docs don't ask for that, either.

> The users file contains:
>
> billgates User-Password := 98502

This is a config for 1.x. See the FAQ for how to correctly set a password for a user. Look for bob.

> What I get on the test laptop in wpa_supplicant:
>
> Associated with 00:00:00:c0:ff:ee
> CTRL-EVENT-EAP-STARTED EAP Authentication started
> OpenSSL: tls_connection_ca_cert - Failed to parse ca_cert_blob error:0D0680A8:ASN1 encoding routines: ASN1_CHECK_TLEN:wrong tag
> openSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> TLS: Failed to set TLS connection parameters
> EAP-PEAP: Failed to initialize SSL.

Well... the certificate seems to be malformed.

> Debug Output:

*That* is exactly what we need.

> rad_recv: Access-Request packet from host 1.2.3.4 port 1812, id=157, length=101
> ...
>         EAP-Message = 0x027800060300

The supplicant is doing EAP.

> [eap] EAP NAK
> [eap] NAK asked for bad type 0
> [eap] Failed in EAP select
> ++[eap] returns invalid

That seems clear enough. The supplicant doesn't like the EAP type proposed by the server, and is asking for another method. But it's asking incorrectly.

See my page for how to configure EAP. It includes step by step directions, and it *works*: http://deployingradius.com

I suspect that the problem is with the certificates. DON'T start with certs that may or may not work with RADIUS. DO start with the test certs generated when the server first starts.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>>
>> What should be there? Because I don't know. I am using the Daloradius web
>> interface for adding data to the database, so I just loaded the default
>> daloradius SQL which was intended (according to the readme of daloradius)
>> for 2.X FreeRADIUS... and added accounts in the web interface...
>
> Here's an example from my radcheck table in the SQL database:
>
>   id | UserName    | Attribute     | op | Value       |
>   ---+-------------+---------------+----+-------------+
>    1 | exampleuser | User-Password | == | password123 |
>
> This is how yours should be set up, otherwise you will get the validating
> issue in Windows.

I was wrong, it should be:

Here's an example from my radcheck table in the SQL database:

  id | UserName    | Attribute          | op | Value       |
  ---+-------------+--------------------+----+-------------+
   1 | exampleuser | Cleartext-Password | := | password123 |

My configuration was wrong, it'd seem. I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback; didn't test it when I upgraded to 2.x.

Regards,
Matt Harlum

>>>> To me it seems that name/password was accepted so I have no clue where
>>>> the problem is..
>>>
>>> The password was NOT accepted. It was *ignored*.
>>
>> And what is that Access-Accept on the end of the log?... also radtest gives
>> me Access-Accept only on correct login and password so I think that it's
>> not the SQL...
>
> As Alan said, it was simply ignored because of the misconfiguration.
>
> Regards,
> Matt Harlum
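The two radcheck versions above differ in more than syntax: rlm_mschap verifies MS-CHAPv2 against the user's NT hash, which FreeRADIUS derives from Cleartext-Password (MD4 over the UTF-16LE password), while User-Password == is a 1.x-style check item that is only compared against a PAP request. The following is an added example, not FreeRADIUS code: a pure-Python MD4, the NT-Password derivation, and a small function that mimics which radcheck rows give the mschap module a usable password. The row sets WRONG and RIGHT are constructed from the tables quoted above.

```python
import struct
from typing import Dict, List, Optional, Tuple

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Done in pure Python because hashlib on OpenSSL 3 builds
    often has MD4 disabled (legacy provider)."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        x = list(struct.unpack("<16I", data[off:off + 64]))
        a, b, c, d = h
        for i in range(16):  # round 1: words in order, shifts 3 7 11 19
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: columns 0 4 8 12 1 5 ..., shifts 3 5 9 13
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: bit-reversed order, shifts 3 9 11 15
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + hh(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT-Password (hex) as rlm_mschap would derive it from Cleartext-Password.
    The NT hash is password-equivalent for MS-CHAPv2: a radcheck table that
    stores it needs the same protection as one storing the cleartext."""
    return md4(password.encode("utf-16-le")).hex()


def known_good_password(rows: List[Tuple[str, str, str]]) -> Tuple[Optional[str], str]:
    """Mimic rlm_mschap's view of a user's radcheck rows (attribute, op, value).

    Returns (NT hash hex or None, explanation). Only control items set with ':='
    count; 'User-Password == x' is compared against a PAP request's password and
    never gives mschap anything to hash, which is what 'ignored' means above.
    """
    control: Dict[str, str] = {attr: val for attr, op, val in rows
                               if op == ":=" and attr in ("Cleartext-Password", "NT-Password")}
    if "NT-Password" in control:
        raw = control["NT-Password"].lower()
        return (raw[2:] if raw.startswith("0x") else raw), "NT-Password supplied directly"
    if "Cleartext-Password" in control:
        return nt_hash(control["Cleartext-Password"]), "NT-Password derived from Cleartext-Password"
    for attr, op, _ in rows:
        if attr == "User-Password":
            return None, "User-Password %s is a check item, not a known-good password" % op
    return None, "no known-good password for this user"


# Constructed rows, modelled on the two radcheck tables quoted in this thread.
WRONG = [("User-Password", "==", "password123")]
RIGHT = [("Cleartext-Password", ":=", "password123")]

if __name__ == "__main__":
    for label, rows in (("wrong", WRONG), ("right", RIGHT)):
        print(label, known_good_password(rows))
```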
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Matt Harlum m...@cactuar.net:
> I was wrong, it should be:
>
>   id | UserName    | Attribute          | op | Value       |
>   ---+-------------+--------------------+----+-------------+
>    1 | exampleuser | Cleartext-Password | := | password123 |
>
> As Alan said, it was simply ignored because of the misconfiguration.
>
> Regards,
> Matt Harlum

Thank you for the answer.. You are right with that SQL, it is some mess in daloradius, but I tried to disable SQL and use the /etc/freeradius/users file instead, but I am stuck on "Attempting to authenticate" now.. The log says this:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137
Cleaning up request 39 ID 0 with timestamp +589
        User-Name = pokus
        NAS-IP-Address = 192.168.3.1
        Called-Station-Id = 00259c523046
        Calling-Station-Id = 001e650eb532
        NAS-Identifier = 00259c523046
        NAS-Port = 9
        Framed-MTU = 1400
        State = 0x53b1704550ba694fbe3359243d2a2638
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b00061900
        Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
        EAP-Message = 0x010c00061900
        Message-Authenticator = 0x
        State = 0x53b1704557bd694fbe3359243d2a2638
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 40 ID 0 with timestamp +589
Ready to process requests.

That Access-Challenge should authenticate my client if I am not wrong, but it still shows me "validating identity" and then "attempting to authenticate"...
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:
> Thank you for the answer.. You are right with that SQL, it is some mess in
> daloradius, but I tried to disable SQL and use the /etc/freeradius/users
> file instead, but I am stuck on "Attempting to authenticate" now.. The log
> says this:

Are you trying to use EAP-TTLS?

> rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137
>         User-Name = pokus
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020b00061900
> +- entering group authorize
>   rlm_eap: EAP packet type response id 11 length 6
>   rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> +- entering group authenticate
>   rlm_eap: EAP/peap
>   rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_peap: EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>         EAP-Message = 0x010c00061900
>         Message-Authenticator = 0x
>         State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Ready to process requests.

Hard for me to tell what's going wrong here. radiusd -X should give more diagnostic information that would help. Also, what was the exact section of your users file like? With obfuscated login credentials of course.

> That Access-Challenge should authenticate my client if I am not wrong, but
> it still shows me "validating identity" and then "attempting to
> authenticate"...
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>         EAP-Message = 0x010c00061900
>         Message-Authenticator = 0x
>         State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

This is documented in the FAQ, in the comments in raddb/eap.conf, and on my web site (http://deployingradius.com/). Please read the existing documentation.

> That Access-Challenge should authenticate my client if I am not wrong,

No.

Alan DeKok.
[no subject]
Hi, I am having a problem that I couldn't resolve alone. If anyone on the list could help me it would be appreciated.

I have an EnGenius 2610 access point and I run freeradius under RHEL5. RHEL5 has two ethernet cards: eth0, 192.168.1.4, to the Internet; eth1 to the Wifi client, with IP 192.168.0.1 (the client is Windows XP). The client authenticates with MS-CHAPv2. I had installed ca_cert.der in XP. When I run radiusd -X everything seems fine:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3 port 1024, id=4, length=194
        User-Name = GRACELIA-4E4DD9\\gracelia
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 0
        Called-Station-Id = 00-02-6C-5B-0A-A3:mars_net
        Calling-Station-Id = 00-80-A8-C1-C0-A3
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x020d001d0147524143454c49412d344534395c67726163656c6961
        Message-Authenticator = 0x5ad14aa7bbf1f169e0d16b594a0888ea
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = GRACELIA-4E4DD9\gracelia, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 13 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry GRACELIA-4E4DD9\gracelia at line 94
[files]         expand: Hello, %{User-Name} -> Hello, GRACELIA-4E4DD9\gracelia
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.0.3 port 1024
        Reply-Message = Hello, GRACELIA-4E4DD9\\gracelia
        EAP-Message = 0x010e00061920
        Message-Authenticator = 0x
        State = 0x1b2c209a1b2239d39cc5bd6f4ac49d46
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 4 with timestamp +307
Ready to process requests.

But it keeps looping Access-Challenge and Access-Request without an Access-Reject or getting authenticated. I believe the certificate already has the OID. When I check the Access Point log, here is the output:

Jan 1 00:17:35 (none) daemon.debug setup.cgi[465]: main: process ./html/CM_SystemStatus.htm takes 2300 ms
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: aborting authentication
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: unauthorizing port
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: received EAP packet (code=2 id=54 len=29) from STA: EAP Response-Identity (1)
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: STA identity 'GRACELIA-4E4DD9\gracelia'
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Sending RADIUS message to authentication server
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 3 seconds
Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:c3 RADIUS: Resending RADIUS message (id=28)
Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 1 00:17:45 (none) daemon.debug setup.cgi[491]: cgi_setup::main()--HTTP_REFERER=http://192.168.0.3/setup.cgi?reqfile=./html/left.htm

If I try to bind to eth1 or the IP address, the server does not receive any request. Here is the clients.conf setting:

# -*- text -*-
#
# clients.conf -- client configuration directives
#
# $Id$

#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#

#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
# Each client has a short name that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word client was the IP
# address of the client. In 2.0, the IP address is configured via
# the ipaddr or ipv6addr fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
        # Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname (radius.example.com)
        ipaddr = 192.168.1.4

        # OR, you can use an IPv6 address, but not both
        # at the same time.
#       ipv6addr = ::   # any.  ::1 == localhost

        #
        # A note on DNS: We STRONGLY recommend using IP addresses
        # rather than host names. Using host names
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Alan DeKok al...@deployingradius.com:
> Bruno Kremel wrote:
>> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>>         EAP-Message = 0x010c00061900
>>         Message-Authenticator = 0x
>>         State = 0x53b1704557bd694fbe3359243d2a2638
>> Finished request 40.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 40 ID 0 with timestamp +589
>> Ready to process requests.
>
> This is documented in the FAQ, in the comments in raddb/eap.conf, and on
> my web site (http://deployingradius.com/). Please read the existing
> documentation.
>
>> That Access-Challenge should authenticate my client if I am not wrong,
>
> No.
>
> Alan DeKok.

Thank you for those links... I have read that FAQ and so I copied over the default eap.conf and tried it with the users file.. it is working OK, I can connect to the AP with username/password, but when I tried to use SQL (I have the correct format in SQL now) again it ends up with this Access-Reject:

  rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [pokus2/via Auth-Type = EAP] (from client ciscorouter port 44 cli 001e650ece6c)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> pokus2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 23 ID 0 with timestamp +735
Ready to process requests.

But radtest gives me:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54224, id=218, length=57
        User-Name = test2
        User-Password = pokus2
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = test2, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> test2
rlm_sql (sql): sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password pokus2
rlm_pap: Using clear text password pokus2
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test2/pokus2] (from client localhost port 1812)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 218 to 127.0.0.1 port 54224
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 218 with timestamp +263
Ready to process requests.

So is it an SQL problem or something with EAP?
Using Vendor Attributes
Hi everybody,

I'm a beginner with FreeRadius and I'd like to know where I can use a vendor specific attribute for my Redback router (in which configuration file). The dictionary is in /usr/share/freeradius/dictionary.redback and is loaded when FreeRadius starts. When I try to use Context-Name = local (a specific Redback attribute) in my user configuration file, I obtain a syntax error message.

You'll find an example of an Access-Request from the router:

Packet number 1 has just been sniffed
From: 10.192.5.80:1812 To: 10.192.5.89:1812
Type: Access-Request
        User-Name = 00:0c:29:0e:79:dd
        User-Password = \002\251\374-f\211\204\232\232C\350\t%\362S\233
        Service-Type = Dialout-Framed-User
        NAS-Identifier = SE800
        NAS-Port = 235077632
        NAS-Real-Port = 3808428132
        NAS-Port-Type = Virtual
        NAS-Port-Id =
        Medium-Type = DSL
        Mac-Addr = 00-0c-29-0e-79-dd
        Platform-Type = SmartEdge-800
        OS-Version = 6.2.1.2
        Agent-Circuit-Id = 01
        Vendor-Specific = 0x0de901144f4e542d31332d312d313a313530303a3031
        Redback-Attr-202 = 0x3d3d0701000c290e79dd
        Redback-Attr-202 = 0x0c0c0466747468
        Redback-Attr-125 = 0x4d53465420352e30

In one word, we'd like to know where to include VSAs and how to use them.

Many thanks for your help.

Regards
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> I am posting the full log; the first is radtest accepted and the others are
> failed logins from the wifi client with 2 different accounts...
>
> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29 2010 at 15:58:09

You should probably upgrade to 2.1.8. It has a lot of fixes and features over 2.0.4.

> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
>     rlm_realm: No '@' in User-Name = 123, looking up realm NULL
>     rlm_realm: No such realm NULL
> ++[suffix] returns noop
> ++[control] returns noop
>   rlm_eap: EAP packet type response id 8 length 62
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop

And no sql. Edit raddb/sites-available/inner-tunnel, and add sql to the authorize section. It's already there, so you likely just have to uncomment it.

>   rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Yup. No known good password means no authentication.

You could also try: http://networkradius.com/freeradius.html

This lets you cut & paste the debug output into a form. The response is a colorized HTML page indicating common errors, and things you should look into. It won't catch this problem, but it will highlight the fact that there was no known good password for the user.

Alan DeKok.
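The form mentioned above flags common errors in radiusd -X output. As an added example (not the networkradius.com tool and not FreeRADIUS code), here is a small Python triage that does the same over a debug log, with rules and advice taken only from the failures and replies in the threads on this page; SAMPLE is a constructed log modelled on the excerpts quoted in this thread.

```python
import re
from typing import List, Tuple

# Each rule: (identifier, regex, advice). The advice repeats what the replies
# on this page say about that debug line; the list is deliberately short.
RULES = [
    ("eap-nak-bad-type",
     re.compile(r"NAK asked for bad type"),
     "The supplicant rejected the EAP type the server proposed and asked for "
     "another method incorrectly; check the EAP setup in raddb/eap.conf and the "
     "certificates (start with the test certs generated at first start)."),
    ("no-known-good-password",
     re.compile(r"No Cleartext-Password configured\. Cannot create (NT|LM)-Password"),
     "rlm_mschap has no known-good password for this user: store Cleartext-Password := "
     "(not User-Password ==) in the users file or radcheck, and list the module that "
     "supplies it (e.g. sql) in the inner-tunnel authorize section."),
    ("peap-tlv-failure",
     re.compile(r"Had sent TLV failure"),
     "The inner (tunneled) authentication already failed earlier in this PEAP "
     "session; look above for the rlm_mschap failure that caused it."),
    ("forced-auth-type",
     re.compile(r"Found Auth-Type = (?P<type>\S+)"),
     "Auth-Type {type} decides the outcome; a password found by another module "
     "(e.g. sql) does not get the user accepted on its own."),
    ("access-challenge",
     re.compile(r"^Sending Access-Challenge"),
     "Access-Challenge means the EAP conversation is still in progress; it is not "
     "an Access-Accept."),
    ("access-reject",
     re.compile(r"^Sending Access-Reject"),
     "The request was rejected; the reason is in the lines before this one."),
]


def triage(debug_output: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule id, advice) for every debug line a rule matches."""
    findings = []
    for lineno, line in enumerate(debug_output.splitlines(), start=1):
        text = line.strip()
        for rule_id, pattern, advice in RULES:
            m = pattern.search(text)
            if m:
                findings.append((lineno, rule_id, advice.format(**m.groupdict())))
    return findings


def rule_ids(debug_output: str) -> List[str]:
    """Distinct rule ids in order of first appearance."""
    seen: List[str] = []
    for _, rule_id, _ in triage(debug_output):
        if rule_id not in seen:
            seen.append(rule_id)
    return seen


# Constructed sample, modelled on the radiusd -X excerpts quoted in this thread.
SAMPLE = """\
Found Auth-Type = EAP
  rlm_eap: EAP packet type response id 8 length 62
  rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
  rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
  rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
"""

if __name__ == "__main__":
    for lineno, rule_id, advice in triage(SAMPLE):
        print(f"line {lineno}: [{rule_id}] {advice}")
```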
NAS-IP vs srcIP
Hi everyone -

Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same?

If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an IP address other than the src-ip of the NAS that is used in regular FreeRadius accounting/authorization packets. The source IP address of the NAS is normally the native interface address from which the access-req was sent (but it can be configurable). The NAS-IP would be used to address the NAS in CoA requests sent from FreeRadius. We need this behavior to address certain deployment requirements.

For example:

IP prot:
  srcIP: 1.1.1.1
  dstIP: 2.2.2.2
Radius prot:
  code: access-request (1)
  AVPs:
    NAS-IP-Address: 3.3.3.3

srcIP != NAS-IP-Address

Thanks,
Marlon
RE: NAS-IP vs srcIP
> Hi everyone - Can anyone think of a reason why the NAS-IP and the src-IP of
> the access-req packet should not be the same?

One of our NASes is on the other side of a load balancer; the source IP is not the same as the NAS-IP.

John
Re: NAS-IP vs srcIP
On 04/01/2010 05:39 PM, Marlon Duksa wrote:
> Hi everyone -
>
> Can anyone think of a reason why the NAS-IP and the src-IP of the
> access-req packet should not be the same?
>
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an
> IP address other than the src-ip of the NAS that is used in regular
> FreeRadius accounting/authorization packets. The source IP address of the
> NAS is normally the native interface address from which the access-req was
> sent (but it can be configurable). The NAS-IP would be used to address the
> NAS in CoA requests sent from FreeRadius. We need this behavior to address
> certain deployment requirements.
>
> For example:
>
> IP prot:
>   srcIP: 1.1.1.1
>   dstIP: 2.2.2.2
> Radius prot:
>   code: access-request (1)
>   AVPs:
>     NAS-IP-Address: 3.3.3.3
>
> srcIP != NAS-IP-Address

Some NASes have >1 IP and you can select which source IP goes into the NAS-IP-Address; think for example of a router with 2 connections to the network and a loopback interface used for management. The UDP source *may* be the loopback, or the IP of the outbound interface, depending on the NAS implementation. If the latter, the source IP can obviously change as routing changes.

I guess there are other reasons, like NAT.

> Thanks,
> Marlon
Re: NAS-IP vs srcIP
Marlon Duksa wrote:
> Can anyone think of a reason why the NAS-IP and the src-IP of the
> access-req packet should not be the same?

Many. There is *no* requirement in RADIUS that they be identical. When a packet is proxied, the NAS-IP-Address stays the same, but the source IP changes.

Alan DeKok.
Re: NAS-IP vs srcIP
--On 01 April 2010 09:39 -0700 Marlon Duksa mdu...@gmail.com wrote:
> Hi everyone -
>
> Can anyone think of a reason why the NAS-IP and the src-IP of the
> access-req packet should not be the same?
>
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an
> IP address other than the src-ip of the NAS that is used in regular
> FreeRadius accounting/authorization packets. The source IP address of the
> NAS is normally the native interface address from which the access-req was
> sent (but it can be configurable). The NAS-IP would be used to address the
> NAS in CoA requests sent from FreeRadius. We need this behavior to address
> certain deployment requirements.

Radius proxying! An incoming radius packet may come via a proxy. Therefore that packet's src.ip = the proxy's IP. The NAS-IP-Address attribute is set to whatever the NAS wants to send.

Whether you can address a COA to the NAS-IP-Address depends on whether:

* The NAS chose/was configured to send the IP its COA listener is bound to in the NAS-IP-Address attribute.
* You can access that IP/port directly - if your NAS is configured only to talk via a RADIUS proxy, and everything else is firewalled out, direct replies (COA or otherwise) won't work.

-James

--
James J J Hooper
Network Specialist, Information Services, University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
Kerberos (krb5) Module Overrides Other Authentication Types . . .
I've had the rlm_krb5 module running for a while now, with this line in the users file:

DEFAULT Auth-Type = Kerberos

I found that was the only way to get the rlm_krb5 module to actually fire, otherwise the krb5 module would never try to authenticate anyone.

I'm now trying to add authentication from an SQL database. So, I have an appropriate tested setup for SQL, and the following in the radreply table:

mysql> select * from radreply;
+----+----------+--------------+----+------------+
| id | username | attribute    | op | value      |
+----+----------+--------------+----+------------+
|  1 | mowglidb | Service-Type | := | Login-User |
|  2 | mowglidb | Fall-Through | =  | No         |
|  3 | mowglidb | Auth-Type    | := | Accept     |
|  4 | mowglidb | Hint         | := | SQL        |
+----+----------+--------------+----+------------+
4 rows in set (0.00 sec)

I've verified that both authentication types work properly, but what happens is that the Kerberos result is the only one ever used, despite the fact that the SQL result appears valid. So when you look up an ID in the SQL table which is valid, the Kerberos lookup executes, doesn't find the ID, and sends a REJECT. Here's partial radiusd -X output showing the results of a query:

Ready to process requests.
rad_recv: Access-Request packet from host 128.146.XXX.XXX port 1166, id=12, length=48
        User-Name = mowglidb
        User-Password = 1234abcd
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/128.146.XXX.XXX/auth-detail-20100401
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/128.146.XXX.XXX/auth-detail-20100401
[auth_log]      expand: %t -> Thu Apr 1 00:38:53 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = mowglidb, looking up realm NULL
[IPASS] No such realm NULL
++[IPASS] returns noop
[suffix] No '@' in User-Name = mowglidb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 210
++[files] returns ok
[sql]   expand: %{User-Name} -> mowglidb
[sql] sql_set_user escaped user --> 'mowglidb'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mowglidb' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mowglidb' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mowglidb' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mowglidb' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'mowglidb' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'mowglidb' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Kerberos
+- entering group Kerberos {...}
rlm_krb5: [mowglidb] krb5_g_i_t_w_p failed: Client not found in Kerberos database
++[krb5] returns reject
Failed to authenticate the user.
Login incorrect: [mowglidb] (from client test port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mowglidb
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 12 to 128.146.XXX.XXX port 1166
Finished request 1.
Going to the next request

I've tried varying what is in the users file, but so far my only results are that either the SQL result is squashed by the Kerberos result, or the Kerberos section never attempts a lookup. In reading the attributes description, it implies that if I put the Auth-Type = Kerberos in the check section for the DEFAULT entry, it should only add this if there is no Auth-Type, but I'm not clear on when the items from the radreply table are added to the reply. Explicitly setting the Auth-Type
Re: NAS-IP vs srcIP
Plenty of reasons - but one you won't have control over even in CoA is that it could be proxied. The NAS-IP-Address is used in the CoA request packet to tell the NAS which client should receive the packet.

Marlon Duksa wrote:
> Hi everyone -
>
> Can anyone think of a reason why the NAS-IP and the src-IP of the
> access-req packet should not be the same?
>
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an
> IP address other than the src-ip of the NAS that is used in regular
> FreeRadius accounting/authorization packets. The source IP address of the
> NAS is normally the native interface address from which the access-req was
> sent (but it can be configurable). The NAS-IP would be used to address the
> NAS in CoA requests sent from FreeRadius. We need this behavior to address
> certain deployment requirements.
>
> For example:
>
> IP prot:
>   srcIP: 1.1.1.1
>   dstIP: 2.2.2.2
> Radius prot:
>   code: access-request (1)
>   AVPs:
>     NAS-IP-Address: 3.3.3.3
>
> srcIP != NAS-IP-Address
>
> Thanks,
> Marlon