User attributed missing from access accept message

2010-06-18 Thread Carroll, Diana C
I have a bit of a puzzle:

I have a FreeRADIUS server that takes a TTLS request, handles the TLS outer 
authentication locally, and then proxies the MSCHAPv2 inner authentication to 
another server based on the realm specified in the user request.

When it receives the MSCHAPv2 access-accept message from one server (another 
FreeRADIUS server), it includes the user attributes in the access-accept 
message to the client as expected.  However, when it receives the MSCHAPv2 
access-accept message from the second server (an NPS server) it does not 
include the user attributes in the access-accept message to the client, 
resulting in a connection failure.

In the below logs, the same client is attempting to connect in both instances, 
with the same username.  The outer TLS authentication (request, log, and 
result) is identical.  The only differences for the inner MSCHAPv2 method are 
the username and the realm, and of course the server that the request is 
proxied to.  Because of this, my best guess is that the differences in the 
server messages are triggering the different behavior.  Since I don't have 
control over the NPS server to examine its configuration, I'm hoping there may 
be something I can do on the proxy server to correct the problem.

Logs are below, with usernames etc. scrubbed, of course.  Input or suggestions 
would be much appreciated.

Thanks,
Diana


FAILED LOG:  SERVER DOES NOT INCLUDE USER ATTRIBUTES IN ACCESS-ACCEPT.


rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20100619'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20100619
  modcall[authorize]: module "auth_log" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 7
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 7
  modcall[authorize]: module "digest" returns noop for request 7
rlm_realm: Looking up realm "inner-realm.com" for User-Name = 
"rlm\inner-user-ident...@inner-realm.com"
rlm_realm: Found realm "inner-realm.com"
rlm_realm: Adding Stripped-User-Name = "rlm\inner-user-identity"
rlm_realm: Proxying request from user rlm\inner-user-identity to realm 
inner-realm.com
rlm_realm: Adding Realm = "inner-realm.com"
rlm_realm: Preparing to proxy authentication request to realm 
"inner-realm.com"
  modcall[authorize]: module "realmsuffix" returns updated for request 7
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmslash" returns noop for request 7
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmbackslash" returns noop for request 7
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmpercent" returns noop for request 7
rlm_fastusers:  checking defaults
  fastusers: Matched DEFAULT at 56
  modcall[authorize]: module "fastusers" returns updated for request 7
modcall: leaving group authorize (returns updated) for request 7
  TTLS: Tunneled authentication will be proxied to inner-realm.com
  Tunneled session will be proxied.  Not doing EAP.
  modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Request of id 0 to 143.185.231.134 port 1812
User-Name = "rlm\\inner-user-identity"
MS-CHAP-Challenge = 0xde2f71c04581580092f1e6a607518c80
MS-CHAP2-Response = 0xb00051ef59af51b36ded5808d861b07c722b0000ff24005614e7135900d88db3c736c7c5abbccc1d6537d45c
NAS-IP-Address = 127.0.0.1
Proxy-State = 0x323437
Waking up in 3 seconds...
rad_recv: Access-Accept packet from host 143.185.231.134:1812, id=0, length=71
Proxy-State = 0x323437
Class = 0x844e06750137000102008fb9e78601cb086c7fcf9744001b
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
  TTLS: Passing reply from proxy back into the tunnel.
  Processing the post-auth section of radiusd.conf
modcall: e
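The proxied leg of the failed log above can be checked mechanically rather than by eye. This is an added example for the thread (not Diana's code and not FreeRADIUS code): it parses the `Sending`/`rad_recv:` packet dumps that radiusd -X prints and reports what the home server's reply does and does not carry; the MS-CHAP2-Success requirement it checks comes from RFC 2548, not from anything stated in the thread.

```python
import re

# Constructed from the proxied leg of the "FAILED LOG" above (poster-scrubbed
# values, wrapped hex joined back onto one line); FreeRADIUS 1.x debug format.
SAMPLE_LOG = r"""Sending Access-Request of id 0 to 143.185.231.134 port 1812
User-Name = "rlm\\inner-user-identity"
MS-CHAP-Challenge = 0xde2f71c04581580092f1e6a607518c80
MS-CHAP2-Response = 0xb00051ef59af51b36ded5808d861b07c722b0000ff24005614e7135900d88db3c736c7c5abbccc1d6537d45c
NAS-IP-Address = 127.0.0.1
Proxy-State = 0x323437
Waking up in 3 seconds...
rad_recv: Access-Accept packet from host 143.185.231.134:1812, id=0, length=71
Proxy-State = 0x323437
Class = 0x844e06750137000102008fb9e78601cb086c7fcf9744001b
  Processing the post-proxy section of radiusd.conf
"""

# Outbound proxy request, and any received packet: both the 1.x "host:port"
# and the 2.x "host ... port N" forms appear in this thread's logs.
SEND_RE = re.compile(r"^Sending (Access-[A-Za-z]+) of id (\d+) to ([\d.]+) port \d+")
RECV_RE = re.compile(r"^rad_recv: (Access-[A-Za-z]+) packet from host ([\d.]+)(?::| port )\d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*) = (.+?)\s*$")


def parse_packets(log):
    """Return packets in log order: dicts with dir, code, peer, id and attrs."""
    packets, current = [], None
    for line in log.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"dir": "out", "code": m.group(1), "id": int(m.group(2)),
                       "peer": m.group(3), "attrs": {}}
            packets.append(current)
            continue
        m = RECV_RE.match(line)
        if m:
            current = {"dir": "in", "code": m.group(1), "peer": m.group(2),
                       "id": int(m.group(3)), "attrs": {}}
            packets.append(current)
            continue
        a = ATTR_RE.match(line) if current else None
        if a:  # attribute dump lines follow the packet header until other output
            current["attrs"].setdefault(a.group(1), []).append(a.group(2))
        else:
            current = None
    return packets


def check_mschapv2_reply(request, reply):
    """Findings for a home server reply to a proxied MS-CHAPv2 Access-Request.
    RFC 2548 requires MS-CHAP2-Success in an Access-Accept that answers an
    MS-CHAP2-Response; without it the supplicant cannot finish MS-CHAPv2,
    whatever else the proxy copies back into the tunnel."""
    if reply["code"] != "Access-Accept":
        return ["reply is %s, not Access-Accept" % reply["code"]]
    findings = []
    if "MS-CHAP2-Response" in request["attrs"] and "MS-CHAP2-Success" not in reply["attrs"]:
        findings.append("Access-Accept lacks MS-CHAP2-Success (required by RFC 2548)")
    if request["attrs"].get("Proxy-State") != reply["attrs"].get("Proxy-State"):
        findings.append("Proxy-State not echoed back unchanged")
    if not [a for a in reply["attrs"] if a not in ("Proxy-State", "Class")]:
        findings.append("reply carries nothing beyond Proxy-State and Class")
    return findings


def analyse(log):
    """Pair each outbound Access-Request with the reply from the same home
    server and id; returns {(peer, id): [findings]}."""
    pending, results = {}, {}
    for p in parse_packets(log):
        key = (p["peer"], p["id"])
        if p["dir"] == "out" and p["code"] == "Access-Request":
            pending[key] = p
        elif p["dir"] == "in" and key in pending:
            results[key] = check_mschapv2_reply(pending.pop(key), p)
    return results


if __name__ == "__main__":
    for key, findings in analyse(SAMPLE_LOG).items():
        print(key, findings or ["reply looks complete"])
```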

Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread Kyle Plimack
So I gave in and connected radius to my active directory (which we wish we 
could get rid of).

I'm getting the following error now.
Any thoughts on correcting this winbind error?

[mschapv2] +- entering group MS-CHAP {...}
[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for VIDEOEGG\kplimack with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[mschap] expand: %{User-Name:-None} -> VIDEOEGG\kplimack
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> 
--username=VIDEOEGG\kplimack
[mschap] expand: %{mschap:NT-Domain} -> VIDEOEGG
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-VIDEOEGG} -> 
--domain=VIDEOEGG
[mschap]  mschap2: a0
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=f83a0b16419a7f71
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=fa180186e7d362c5ee57c6c776619d4d72173918ebc17b93
Exec-Program output: Reading winbind reply failed! (0xc001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread Arran Cudbard-Bell
That has to go in the wiki somewhere. That's possibly the best explanation of 
how FreeRADIUS processes requests I've ever heard... :)

-Arran


Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread John Dennis

On 06/18/2010 04:03 PM, Kyle Plimack wrote:
> So how do I get pap to do it?

If you're asking how you get pap to do mschap then that's a 
nonsensical question.


Here is how things work:

The client sends you a radius auth request, you don't get to decide 
what's in it, the client does.


The radius server looks at the request and says

"hmmm... let's see what do we have here? What can I do with this?"

The answer to that is what auth types you have enabled, what the server 
can lookup, and what's in the request.


The server will do something like this:

"Yo unix module, can you handle this one?"

"Hey pap module, can you handle this one?"

"Yo mschap module, can you handle this one?"

At some point hopefully one of the modules will say:

"No problem I got it"

The decision as to whether a module can handle the request is made by 
the module by looking at the data available to it.


So let's say the client sends a request with a password and you've got 
pap enabled. The pap module looks at the request and says


"hmmm ... do I have a password for this user"

if so then compare my copy of the password to what's in the request.

How does radius find a user's password? By consulting its backend data 
store which can be the users file, a SQL database, or ldap.


So before the pap module runs ldap will run. ldap says

"hmm... Can I find passwords for this user?" If so I'll add them to the 
request as a check item so my dear friend the pap module can use them, 
you know that pap guy, he's always looking for passwords.


But WAIT! What if the client sends a MSCHAP request? What does the 
radius server say then?


"Well that's a fine kettle of fish! That client has really really tied 
my hands on this one" The only thing the server can do is run the mschap 
logic.


The mschap module looks at the request to see if there is a check item with 
either a clear text password or nt-hash (why? look at the protocol 
table). If those haven't been added by one of the datastores the mschap 
module says:


"Sorry boss, no can do"

But now the server has run out of options, its only choice was mschap 
because that's what the client sent it and the mschap module can't handle 
it. So the server replies:


"Loser! You ain't getting in here with those credentials" (Well really 
Auth-Reject)




--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread Alan DeKok
Kyle Plimack wrote:
> So how do I get pap to do it?

  To do what?

  If you're asking why PAP works, go read the table.  It's not hard.

  Alan DeKok.


Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread John Dennis

On 06/18/2010 02:11 PM, Kyle Plimack wrote:
> Doing an ldapsearch put me on the right track, I had created a user
> ‘radiusd’, but that user did not have the rights to request the
> userPassword.
>
> The error I am getting now is:
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for kplimack with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
>
> I added an entry to ldap.attrmap, “checkItem Cleartext-Password
> userPassword”
> The Password is not cleartext, but I read somewhere that radius is
> supposed to figure that out automatically from a header. This is what is
> returned:
>
> rlm_ldap: userPassword -> Cleartext-Password ==
> "{SSHA}xQjX16XbCUSXpiR2y"


That's not a clear text password is it?

You can't do MSCHAP with SHA1.

Please look at:

http://deployingradius.com/documents/protocols/compatibility.html

Which password type is compatible with *all* authentication mechanisms?

Which will work with SHA1?

If you have multiple password attributes in ldap per user, for instance 
different hashes and hopefully a cleartext, then set the userPassword 
attribute in ldap.attrmap to User-Password and enable auto_header in the 
ldap module config. The ldap module will read *every* password attribute 
defined for the user and map them based on the {} prefix. In the above 
case your prefix was {SSHA} so rlm_ldap will map that to PW_SSHA_PASSWORD.


But you already know from reading the protocol table it won't work with 
MSCHAP, right?


Which type of password works with everything? Look at the table.

What works with MSCHAP? Look at the table.

Now, go back and add the necessary password attributes to your ldap.

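John Dennis's "what can I do with this?" decision, and the {SSHA} dead end in the message above, can be followed in code. This is an added example (not FreeRADIUS, rlm_ldap or rlm_pap code): it maps a stored {prefix} value to the check item auto_header would set, shows what PAP can verify against each form, derives NT-Password from a cleartext password the way mschap needs it, and lists the methods each form can serve; the header set and the method table are cut down to what this thread discusses.

```python
import base64, hashlib, hmac, struct

# Stored-password header -> FreeRADIUS check item, as rlm_ldap's auto_header
# maps a {prefix} (subset; FreeRADIUS knows more, e.g. {MD5}, {SMD5}, {LM}).
HEADER_TO_ITEM = {"{CLEAR}": "Cleartext-Password", "{CLEARTEXT}": "Cleartext-Password",
                  "{NT}": "NT-Password", "{SHA}": "SHA-Password",
                  "{SSHA}": "SSHA-Password", "{CRYPT}": "Crypt-Password"}

# Which methods each check item can serve: the deployingradius compatibility
# table reduced to the methods in this thread (PEAP/EAP-TTLS just tunnel them).
SERVES = {"Cleartext-Password": {"PAP", "CHAP", "MS-CHAPv2"},
          "NT-Password": {"PAP", "MS-CHAPv2"},
          "SSHA-Password": {"PAP"}, "SHA-Password": {"PAP"}, "Crypt-Password": {"PAP"}}


def password_check_item(stored):
    """Split '{SSHA}base64...' into (check item, payload); no header = cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}") + 1
        return HEADER_TO_ITEM.get(stored[:end].upper(), "Unknown"), stored[end:]
    return "Cleartext-Password", stored


def md4(data):
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds of hashlib often lack it)."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((f, 0, tuple(range(16)), (3, 7, 11, 19)),
              (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates old D
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT-Password: MD4 over the UTF-16LE password; this is what MS-CHAPv2 needs."""
    return md4(password.encode("utf-16-le"))


def make_ssha(password, salt):
    """Produce an OpenLDAP-style {SSHA} value (used here to build test data)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def verify_pap(stored, candidate):
    """What rlm_pap can do: check a cleartext candidate against any stored form."""
    item, payload = password_check_item(stored)
    if item == "Cleartext-Password":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if item == "SSHA-Password":
        raw = base64.b64decode(payload)  # 20-byte SHA-1 digest followed by the salt
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + raw[20:]).digest(), raw[:20])
    if item == "NT-Password":
        return hmac.compare_digest(bytes.fromhex(payload), nt_hash(candidate))
    return False  # SHA/Crypt verification omitted in this example


def usable_methods(stored):
    """'What can I do with this?': a cleartext check item also yields NT-Password
    (mschap computes it), so it serves everything; a salted SHA-1 can only ever
    be compared by PAP, which is why {SSHA} cannot satisfy an MS-CHAPv2 request."""
    item, _ = password_check_item(stored)
    items = {item, "NT-Password"} if item == "Cleartext-Password" else {item}
    return set().union(*(SERVES.get(i, set()) for i in items))
```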

Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread Kyle Plimack
So how do I get pap to do it?





Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread Alan DeKok
Kyle Plimack wrote:
> I added an entry to ldap.attrmap, “checkItem   Cleartext-Password
>  userPassword”
> The Password is not cleartext, but I read somewhere that radius is
> supposed to figure that out automatically from a header.  This is what
> is returned:
> 
> rlm_ldap: userPassword -> Cleartext-Password ==
> "{SSHA}xQjX16XbCUSXpiR2y"

  It is impossible to do MS-CHAP with SSHA passwords.

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.

Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread Kyle Plimack
Doing an ldapsearch put me on the right track, I had created a user 'radiusd', 
but that user did not have the rights to request the userPassword.

The error I am getting now is:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for kplimack with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

I added an entry to ldap.attrmap, "checkItem   Cleartext-Password  userPassword"
The Password is not cleartext, but I read somewhere that radius is supposed to 
figure that out automatically from a header.  This is what is returned:

rlm_ldap: userPassword -> Cleartext-Password == 
"{SSHA}xQjX16XbCUSXpiR2y"


Full Log:
http://pastebin.com/ZJuPsyrb





Re: Change of logging behaviour in 2.1.9

2010-06-18 Thread Alan DeKok
Jakob Hirsch wrote:
> I just wonder why there is such a change in a patch level update. And
> what the above mentioned bug was about...

  The bug was that it *wasn't* re-opening the log file on HUP.  Since
this is expected behavior, it needed to be fixed.

  Alan DeKok.


Re: Change of logging behaviour in 2.1.9

2010-06-18 Thread Jakob Hirsch
Bjørn Mork, 2010-06-17 18:28:

>>>   * re-open log file after HUP.  Closes bug #63.
> FWIW we have been HUPing the server from a daily, unattended process
> with FR 2.1.8 since it was released (we need it to rotate log files

Ok. That's what we are doing now, too. After all, other daemons (apache,
rsyslogd etc.) are doing the same all the time.

I just wonder why there is such a change in a patch level update. And
what the above mentioned bug was about...


Re: 802.1x ->Radius ->Ldap

2010-06-18 Thread John Dennis

On 06/18/2010 02:01 AM, Alan DeKok wrote:
> Kyle Plimack wrote:
>> I have pap working (i.e.  I ran radtest and got an access-accept).
>> I don’t want to configure certs on each of my hosts for each of my
>> clients, so I’d like to use PEAP/msChapV2 so that dot1x clients are
>> prompted for a username/password.
>>
>> According to the deployingradius.com guide, once pap is working,
>> mschapv2 should “just work”.  It doesn’t.
>
>   Your debug output shows you are using PEAP.  That is *not* MSCHAPv2.
>
>> I’ve put the log on pastebin where it is formatted in a more friendly way
>> http://pastebin.com/9tSjQW1f
>
>   You have added "ldap" to the "inner-tunnel" section.  That's good.
> You haven't read the WARNING in the debug output, as pointed out by
> John.  That's bad.
>
>   The server NEEDS a "known good" password in order to authenticate the
> user.  The LDAP server didn't supply one.  Ensure that that LDAP server
> returns a password.  It *will* work.


Do an ldapsearch on the command line for the user to see what is getting 
returned to radius. Look for the password attributes, are they there? Is 
there a cleartext password rather than just hashes? Does the cleartext 
password attribute in ldap match the password attribute in your radius 
ldap config (by default it's userPassword). Does your 
/etc/raddb/ldap.attrmap file have this line?


checkItem   Cleartext-Password  userPassword

Don't forget to put an ACL on the password attributes in ldap, you don't 
want others to be able to read them! If you don't want to store 
cleartext passwords you'll need to restrict the protocols you support.



Re: Change of logging behaviour in 2.1.9

2010-06-18 Thread Alan DeKok
Jakob Hirsch wrote:
> Since the update to 2.1.9 a new log file is _only_ opened on HUP. Is
> this behaviour intended?

  Yes.  It's the way most daemons work.

> Is the only possibility to reopen the log file now to send HUP to the
> server? I don't feel very comfortable with this. The server reloads the
> config, modules and whatnot. I think this is not something that one
> wants to do in a daily, unattended process. Isn't there any other, less
> intrusive method to tell freeradius to reopen the log file? (besides a
> restart, of course)

  Source code patches.

  Alan DeKok.


Re:

2010-06-18 Thread Alan DeKok
tangfu wrote:
> Hi, guys. Anybody know how to compile freeradius 2.19 under cygwin. I feel
> the FreeRADIUS.net is out of date but lots of compile errors make me
> mad. Any proposal will be appreciated.

  Try posting the errors to the list.

  Also, cygwin isn't really a supported platform.  But if you see
compile errors, that's a bit surprising.  Cygwin should be *vaguely*
POSIX, and FreeRADIUS compiles on all posix systems.

  Debugging compilation errors requires some knowledge of C.  It
shouldn't be hard.

  Alan DeKok.


RE: eduroam PEAP + TTLS

2010-06-18 Thread Jean-Philippe Ghibaudo

Ok,

Here is my eap.conf.

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = yes
    cisco_accounting_username_bug = no
    max_sessions = 4096

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/cert.key
        certificate_file = ${certdir}/cert-3169-cert.pem
        CA_file = ${cadir}/chain-3169-cert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
        include_length = yes
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}

I'm sorry


Re: eduroam PEAP + TTLS

2010-06-18 Thread Alan Buxey
Hi,

> So this is the true question, what error in my configuration can cause this ?

I cannot read minds..and you havent supplied eg eap.conf (obfuscated as is 
reasonable)

alan


Re: FreeRadius in proxy mode does not transfer IP address to client

2010-06-18 Thread Alan Buxey
Hi,

> I need to authorize wireless users by the protocol EAP-PEAP on Cisco
> Air 350, but,
> unfortunately, the radius of the billing system can not EAP-PEAP.
> Freeradius server
> in proxy mode terminates the tunnel TLS, and requests the radius of
> the billing system
> goes on algorithm mschapv2.
> 
> All right, authorization correct, but one problem: freeradius does not
> pass attribute
> FRAMED-IP-Address to Win wireless client.
> Show, what my mistake, please!

wireless clients don't get their address via that method - that's just for 
dial-in type stuff. to hand out addresses on wireless you need to use DHCP.

alan


Re: problem migrating to freeradius2 with LDAP/krb5 Authorization/Authentication

2010-06-18 Thread Alan Buxey
Hi,

> # users
> DEFAULT Auth-Type := eap
> 
> DEFAULT Auth-Type := Kerberos
>         Fall-Through = 1

those are 2 conflicting entries.  you should never need the
first one. the second one is what you'll need...but the Fall-Through
is superfluous

alan


FreeRadius in proxy mode does not transfer IP address to client

2010-06-18 Thread Elia Dreytser
Hi all,

I need to authorize wireless users by the protocol EAP-PEAP on Cisco
Air 350, but,
unfortunately, the radius of the billing system can not EAP-PEAP.
Freeradius server
in proxy mode terminates the tunnel TLS, and requests the radius of
the billing system
goes on algorithm mschapv2.

All right, authorization correct, but one problem: freeradius does not
pass attribute
FRAMED-IP-Address to Win wireless client.
Show, what my mistake, please!

192.168.2.252 - IP address server
port 1645 for freeradius auth packets
ports 1812,1813 for  billing radius

10.1.1.30 - Cisco Air 350 wireless AP

= FreeRadius Configs ==
__ proxy.conf __

proxy server {
    default_fallback = no
}

home_server BGBILLING {
    type = auth+acct
    ipaddr = 192.168.2.252
    port = 1812
    secret = bgbilling
    zombie_period = 30
    response_window = 20
    status_check = none
    ping_check = none
}

realm BGBILLING {
    nostrip
    authhost = 192.168.2.252:1812
    accthost = 192.168.2.252:1813
    secret = bgbilling
    type = radius
}

___ eap.conf ___
eap {
    default_eap_type = mschapv2
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "proxy-inner-tunnel"
    }
    mschapv2 {
    }
}
_ proxy-inner-tunnel _

server proxy-inner-tunnel {
    authorize {
        update control {
            Proxy-To-Realm := "BGBILLING"
        }
    }

    authenticate {
        eap
    }

    post-proxy {
        eap
    }
}

= output listing /usr/local/sbin/radiusd -X ===
.
Listening on authentication address * port 1645
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=72, length=160
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x494e97d46fe81b971dc73dd31ff16394
EAP-Message = 0x0202000b016b6e79726b6f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log]  expand: %t -> Tue Jun  8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Aut

RE: eduroam PEAP + TTLS

2010-06-18 Thread Jean-Philippe Ghibaudo

Finally, you're right, there is confusion between PEAP and TTLS... When I say 
our FreeRADIUS server doesn't support TTLS but only PEAP, that works...

So this is the real question: what error in my configuration can cause this?

Thank you very much !

J-P.

From: le...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: eduroam PEAP + TTLS
Date: Fri, 18 Jun 2010 07:56:33 +

> Date: Thu, 17 Jun 2010 22:14:45 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: eduroam PEAP + TTLS
> 
> Hi,

Hi, thank you very much for your quick answer!

> > I'm trying to implement PEAP-MSCHAPV2 support in an existing and working 
> > configuration with EAP-TTLS + PAP,
> > giving users a full support of eduroam. There are proxy radius maintained 
> > by our national "provider", and they test
> > authentication every 15 minutes.
> > 
> > When they only test EAP-TTLS authentication, it works, and this is a part 
> > of the output of freeradius -X.
> 
> can I ask a quick question. do you need/want your own users to use PEAP? whether
> you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users. a visitor
> to your site should be able to use PEAP if their home site supports it as your FreeRADIUS
> boxes will just proxy the request to the national proxies.
> 
> I'm not sure why the central test should be forcing you to support all types of EAP - it
> should only check that you are working for the EAP methods that you, as an IdP, support.

I need my own users to use PEAP because on Windows clients there is no support 
for EAP-TTLS without installing software to implement it.
And I want to use Active Directory because I can't use the actual password field in 
OpenLDAP with PEAP.
Otherwise you're right, this is how eduroam works.

> > } # server inner-tunnel
> > [ttls] Got tunneled reply code 2
>   ^^ 
> 
> eh? I thought you said this second test was a PEAP test.  are you sure it is 
> as
> this looks very much like an EAP-TTLS/MSCHAPv2 test

That's right, whereas before I got this line:
Login OK: [user/] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
which occurs after these lines:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for u...@realm with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user
[mschap]  mschap2: d6
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46
Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program: returned: 0
++[mschap] returns ok

So I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've got something 
wrong in the order of Auth-Type in my conf files?

> > Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
> > User-Name = "u...@realm"
> > EAP-Message = 0x010a005f158000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
> > Message-Authenticator = 0x
> > State = 0xcda13382c4ab2647095b27820a4b1850
> 
> theres plenty in the FreeRADIUS docs about 'why do I not get anything after 
> an Access-Challenge'
> - usually down to certs.

I've already added my certs to the Active Directory, as eap.conf says, 
and that solved the problem for PEAP-MSCHAPV2. So now I can use the
default PEAP options in the native supplicant on Windows and that works.

I'm going to look into this more.

> alan

J-P.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
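
Every Access-Request pasted in this thread carries a Message-Authenticator attribute next to its EAP-Message. RFC 3579 requires that pairing: the attribute is an HMAC-MD5 over the whole RADIUS packet, keyed with the client's shared secret and computed with the attribute's own 16 bytes zeroed. The Request Authenticator of an Access-Request is just random bytes and gives no integrity protection, so without Message-Authenticator an on-path party could rewrite User-Name or the EAP payload between NAS and server. The Python below is an added example written for this page, not FreeRADIUS code; it encodes such a request and verifies the authenticator. The shared secret, the Request Authenticator bytes and the identity "user1" are constructed for the demo.

```python
"""RADIUS Message-Authenticator (RFC 3579 section 3.2) for an Access-Request
that carries EAP-Message. Added example for this page, not FreeRADIUS code.
The shared secret, Request Authenticator and identity below are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request Authenticator(16)


def tlv(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("value too long: split EAP data across several EAP-Message attributes")
    return bytes((attr_type, len(value) + 2)) + value


def eap_identity_response(eap_id, identity):
    """EAP packet: Code=2 (Response), Identifier, Length, Type=1 (Identity), identity."""
    body = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def build_access_request(pkt_id, request_authenticator, secret, attrs):
    """Encode an Access-Request and append a valid Message-Authenticator.
    The HMAC-MD5 is keyed with the shared secret and taken over the complete
    packet with the Message-Authenticator value set to 16 zero bytes."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    payload = b"".join(attrs) + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, HEADER_LEN + len(payload))
    packet = header + request_authenticator + payload
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zero placeholder is the last 16 bytes


def attributes(packet):
    """Yield (offset, type, value) for each attribute; reject malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length at offset %d" % pos)
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """True only if the packet is well formed, carries exactly one 16-byte
    Message-Authenticator and its HMAC-MD5 matches under `secret`."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        found = [(off, val) for off, t, val in attributes(packet)
                 if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    offset, received = found[0]
    value_at = offset + 2
    zeroed = packet[:value_at] + bytes(16) + packet[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def carries_eap(packet):
    """RFC 3579: a request with EAP-Message must also carry Message-Authenticator."""
    return any(t == ATTR_EAP_MESSAGE for _off, t, _val in attributes(packet))


# Constructed demo values (a real Request Authenticator is 16 random bytes).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))
REQUEST = build_access_request(72, REQUEST_AUTHENTICATOR, SECRET, [
    tlv(ATTR_USER_NAME, b"user1"),
    tlv(ATTR_EAP_MESSAGE, eap_identity_response(2, "user1")),
])
TAMPERED = REQUEST[:22] + b"X" + REQUEST[23:]  # flip first byte of the User-Name value

if __name__ == "__main__":
    print("genuine:", verify_message_authenticator(REQUEST, SECRET))
    print("tampered:", verify_message_authenticator(TAMPERED, SECRET))
```

A server that accepts EAP should treat `carries_eap(pkt) and not verify_message_authenticator(pkt, secret)` as grounds to drop the packet silently, which is what the RFC prescribes; FreeRADIUS does this for requests whose Message-Authenticator fails, so a wrong shared secret on the NAS shows up in `-X` output as a discarded request rather than an Access-Reject.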

problem migrating to freeradius2 with LDAP/krb5 Authorization/Authentication

2010-06-18 Thread Riccardo Veraldi

Hello,
I moved my old FreeRADIUS 1.x server to FreeRADIUS 2. I am on CentOS 5.5:

freeradius2-utils-2.1.7-7.el5
freeradius2-mysql-2.1.7-7.el5
freeradius2-2.1.7-7.el5
freeradius2-postgresql-2.1.7-7.el5
freeradius2-python-2.1.7-7.el5
freeradius2-unixODBC-2.1.7-7.el5
freeradius2-krb5-2.1.7-7.el5
freeradius2-perl-2.1.7-7.el5
freeradius2-ldap-2.1.7-7.el5

What I would like to do is to have the same service with LDAP 
authorization plus Kerberos V authentication, and users using an 
EAP-TTLS client (SecureW2).
But it does not work for me: Kerberos authentication is not even entered 
by the RADIUS server because of a misconfiguration, and I am trying to 
guess where my error is.

Basic cleartext password in the users file with EAP authentication works.
I am not able to make Kerberos authentication work with EAP.

I set up the RADIUS server, I added the principal in the Kerberos server and 
I have the proper krb5.keytab file set up.

Here is my configuration; could you please check where I went wrong?

Following is my configuration, and at the end is the RADIUS log.
Thank you very much



# users
DEFAULT   Auth-Type := eap

DEFAULT   Auth-Type := Kerberos
          Fall-Through = 1


# modules/krb5

krb5 {
   keytab = /etc/krb5.keytab
   #service_principal = name_of_principle
}


# modules/ldap

ldap {
   server = "ldap-m.mydomain.com"
   basedn = "ou=people,o=myorg,o=myorg,c=it"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
      start_tls = no
   }
   dictionary_mapping = ${confdir}/ldap.attrmap
   edir_account_policy_check = no
}



#sites-available/default

authorize {
   preprocess
   auth_log
   chap
   mschap
   suffix
   eap {
      ok = return
   }
   unix
   files
   ldap
   expiration
   logintime
   pap
}

authenticate {
   Auth-Type PAP {
      pap
   }
   Auth-Type CHAP {
      chap
   }
   Auth-Type MS-CHAP {
      mschap
   }
   Auth-Type Kerberos {
      krb5
   }
   unix
   eap
   Auth-Type eap {
      eap {
         handled = 1
      }
   }
}

preacct {
   preprocess
   acct_unique
   suffix
   files
}

accounting {
   detail
   unix
   radutmp
   attr_filter.accounting_response
}

session {
   radutmp
}

post-auth {
   exec
   Post-Auth-Type REJECT {
      attr_filter.access_reject
   }
}

pre-proxy {
}

post-proxy {
   eap
}


#sites-available/inner-tunnel

server inner-tunnel {

authorize {
   chap
   mschap
   unix
   suffix
   update control {
      Proxy-To-Realm := LOCAL
   }
   eap {
      ok = return
   }
   files
   ldap
   expiration
   logintime
   pap
}

authenticate {
   Auth-Type PAP {
      pap
   }
   Auth-Type CHAP {
      chap
   }
   Auth-Type MS-CHAP {
      mschap
   }
   Auth-Type Kerberos {
      krb5
   }
   unix
   eap
}

session {
   radutmp
}

post-auth {
   Post-Auth-Type REJECT {
      attr_filter.access_reject
   }
}

pre-proxy {
}

post-proxy {
   eap
}

} # server inner-tunnel




radiusd -X

rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=55, length=157
   User-Name = "usern...@myrealm.com"
   Framed-MTU = 1400
   Called-Station-Id = "0012.438a.e8f0"
   Calling-Station-Id = "0022.5f08.a887"
   Service-Type = Login-User
   Message-Authenticator = 0xf4d6a67552977fb729b374eba35a1ff4
   EAP-Message = 0x0202001b016775697a7a756e746940636e61662e696e666e2e6974
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 331
   NAS-IP-Address = 192.168.252.17
   NAS-Identifier = "ap"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] expand: %t -> Fri Jun 18 11:11:43 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 6
++[files] returns ok
[ldap] performing user authorization for username
[ldap] expand: %{Stripped-User-Name} -> username
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap] expand: ou=people,o=myorg,o=myorg,c=it -> ou=people,o=myorg,o
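
The `radiusd -X` output in this post and in the proxy-inner-tunnel post earlier on the page share the same line shapes: the attribute dump after `rad_recv`, one `++[module] returns rc` line per module, the suffix module's realm decision, `Found Auth-Type = ...` and, for a tunnelled method, `[ttls] Got tunneled reply code N`. The Python below is an added example written for this page (not a FreeRADIUS tool): it splits such a trace into per-request records and applies a few checks an administrator makes while reading one, namely an Access-Request carrying EAP-Message without Message-Authenticator, a realm that is not configured, a module returning fail or reject, and module warnings such as pap's missing "known good" password. SAMPLE_TRACE is constructed from the line shapes in these posts; the Message-Authenticator was deliberately left out of its first request to exercise that check, and the EAP identity bytes are made up.

```python
"""Summarise a FreeRADIUS 2.x `radiusd -X` trace per request and flag common
trouble signs. Added example written for this page; it is not FreeRADIUS code.
SAMPLE_TRACE is constructed from the line shapes seen in the posts."""
import re

RADIUS_CODES = {"2": "Access-Accept", "3": "Access-Reject", "11": "Access-Challenge"}

RE_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
RE_ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = (.+)$")
RE_MODULE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")
RE_REALM = re.compile(r'^\[suffix\] (?:Found realm "([^"]+)"|No such realm "([^"]+)")')
RE_LOCAL = re.compile(r"^\[suffix\] Authentication realm is (\S+)\.")
RE_AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
RE_TUNNEL = re.compile(r"^\[(?:ttls|peap)\] Got tunneled reply code (\d+)")
RE_WARN = re.compile(r"^\[(\w+)\] WARNING[!:]?\s*(.*)$")


def new_request(code, nas, pkt_id):
    return {"code": code, "nas": nas, "id": pkt_id, "attrs": {}, "modules": [],
            "realm": None, "realm_defined": None, "proxy_to": None,
            "auth_type": None, "tunneled_reply": None, "warnings": []}


def parse_trace(text):
    """Split a trace on rad_recv lines and collect what each request did."""
    requests, cur = [], None
    for line in text.splitlines():
        m = RE_RECV.match(line)
        if m:
            cur = new_request(m.group(1), m.group(2), int(m.group(3)))
            requests.append(cur)
            continue
        if cur is None:            # banner lines before the first packet
            continue
        if (m := RE_MODULE.match(line)):
            cur["modules"].append((m.group(1), m.group(2)))
        elif (m := RE_REALM.match(line)):
            cur["realm"] = m.group(1) or m.group(2)
            cur["realm_defined"] = m.group(1) is not None
        elif (m := RE_LOCAL.match(line)):
            cur["proxy_to"] = m.group(1)
        elif (m := RE_AUTH_TYPE.match(line)):
            cur["auth_type"] = m.group(1)
        elif (m := RE_TUNNEL.match(line)):
            cur["tunneled_reply"] = RADIUS_CODES.get(m.group(1), "code " + m.group(1))
        elif (m := RE_WARN.match(line)):
            cur["warnings"].append((m.group(1), m.group(2)))
        elif not cur["modules"] and (m := RE_ATTR.match(line)):
            # The attribute dump sits between rad_recv and the first module call.
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
    return requests


def findings(req):
    """Checks an administrator makes when reading one request's trace."""
    out = []
    attrs = req["attrs"]
    if "EAP-Message" in attrs and "Message-Authenticator" not in attrs:
        out.append("EAP-Message without Message-Authenticator; RFC 3579 says discard it")
    if req["realm"] is not None and req["realm_defined"] is False:
        out.append("realm %r is not configured, so the request stays local" % req["realm"])
    for mod, rc in req["modules"]:
        if rc in ("fail", "reject", "invalid", "userlock"):
            out.append("module %s returned %s" % (mod, rc))
    for mod, msg in req["warnings"]:
        out.append("%s warned: %s" % (mod, msg))
    return out


# Constructed sample modelled on the posts; identities and hex are made up.
SAMPLE_TRACE = """\
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=72, length=160
\tUser-Name = "user1"
\tEAP-Message = 0x0202000a017573657231
\tNAS-Port-Type = Wireless-802.11
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user.
++[pap] returns noop
rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=55, length=157
\tUser-Name = "username@myrealm.com"
\tMessage-Authenticator = 0xf4d6a67552977fb729b374eba35a1ff4
\tEAP-Message = 0x0202001b0175736572...
+- entering group authorize {...}
[suffix] Found realm "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[eap] returns updated
Found Auth-Type = MSCHAP
++[mschap] returns ok
[ttls] Got tunneled reply code 2
"""

if __name__ == "__main__":
    for req in parse_trace(SAMPLE_TRACE):
        print(req["code"], "id", req["id"], "from", req["nas"], "realm", req["realm"],
              "auth", req["auth_type"], "tunnel", req["tunneled_reply"])
        for f in findings(req):
            print("  !", f)
```

Run it against a saved `radiusd -X` capture (`parse_trace(open(path).read())`) to get one record per packet; the inner-tunnel request of a TTLS or PEAP conversation shows up as its own `rad_recv` block, so the realm and Auth-Type decisions of the outer and inner halves can be compared side by side.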

RE: eduroam PEAP + TTLS

2010-06-18 Thread Jean-Philippe Ghibaudo

> Date: Thu, 17 Jun 2010 22:14:45 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: eduroam PEAP + TTLS
> 
> Hi,

Hi, thank you very much for your quick answer!

> > I'm trying to implement PEAP-MSCHAPV2 support in an existing and working 
> > configuration with EAP-TTLS + PAP,
> > giving users a full support of eduroam. There are proxy radius maintained 
> > by our national "provider", and they test
> > authentication every 15 minutes.
> > 
> > When they only test EAP-TTLS authentication, it works, and this is a part 
> > of the output of freeradius -X.
> 
> can I ask a quick question. do you need/want your own users to use PEAP? whether
> you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users. a visitor
> to your site should be able to use PEAP if their home site supports it as your FreeRADIUS
> boxes will just proxy the request to the national proxies.
> 
> I'm not sure why the central test should be forcing you to support all types of EAP - it
> should only check that you are working for the EAP methods that you, as an IdP, support.

I need my own users to use PEAP because on Windows clients there is no support 
for EAP-TTLS without installing software to implement it.
And I want to use Active Directory because I can't use the actual password field in 
OpenLDAP with PEAP.
Otherwise you're right, this is how eduroam works.

> > } # server inner-tunnel
> > [ttls] Got tunneled reply code 2
>   ^^ 
> 
> eh? I thought you said this second test was a PEAP test.  are you sure it is 
> as
> this looks very much like an EAP-TTLS/MSCHAPv2 test

That's right, whereas before I got this line:
Login OK: [user/] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
which occurs after these lines:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for u...@realm with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user
[mschap]  mschap2: d6
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46
Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program: returned: 0
++[mschap] returns ok

So I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've got something 
wrong in the order of Auth-Type in my conf files?

> > Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
> > User-Name = "u...@realm"
> > EAP-Message = 0x010a005f158000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
> > Message-Authenticator = 0x
> > State = 0xcda13382c4ab2647095b27820a4b1850
> 
> theres plenty in the FreeRADIUS docs about 'why do I not get anything after 
> an Access-Challenge'
> - usually down to certs.

I've already added my certs to the Active Directory, as eap.conf says, 
and that solved the problem for PEAP-MSCHAPV2. So now I can use the
default PEAP options in the native supplicant on Windows and that works.

I'm going to look into this more.

> alan

J-P.