User attributed missing from access accept message
I have a bit of a puzzle: I have a FreeRADIUS server that takes a TTLS request, handles the TLS outer authentication locally, and then proxies the MSCHAPv2 inner authentication to another server based on the realm specified in the user request. When it receives the MSCHAPv2 access-accept message from one server (another FreeRADIUS server), it includes the user attributes in the access-accept message to the client as expected. However, when it receives the MSCHAPv2 access-accept message from the second server (an NPS server) it does not include the user attributes in the access-accept message to the client, resulting in a connection failure.

In the below logs, the same client is attempting to connect in both instances, with the same username. The outer TLS authentication (request, log, and result) is identical. The only differences for the inner MSCHAPv2 method are the username and the realm, and of course the server that the request is proxied to. Because of this, my best guess is that the differences in the server messages are triggering the different behavior. Since I don't have control over the NPS server to examine its configuration, I'm hoping there may be something I can do on the proxy server to correct the problem.

Logs are below, with usernames etc. scrubbed, of course. Input or suggestions would be much appreciated.

Thanks,
Diana

##### FAILED LOG: SERVER DOES NOT INCLUDE USER ATTRIBUTES IN ACCESS-ACCEPT. #####

rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20100619'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20100619
  modcall[authorize]: module "auth_log" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 7
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 7
  modcall[authorize]: module "digest" returns noop for request 7
    rlm_realm: Looking up realm "inner-realm.com" for User-Name = "rlm\inner-user-ident...@inner-realm.com"
    rlm_realm: Found realm "inner-realm.com"
    rlm_realm: Adding Stripped-User-Name = "rlm\inner-user-identity"
    rlm_realm: Proxying request from user rlm\inner-user-identity to realm inner-realm.com
    rlm_realm: Adding Realm = "inner-realm.com"
    rlm_realm: Preparing to proxy authentication request to realm "inner-realm.com"
  modcall[authorize]: module "realmsuffix" returns updated for request 7
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmslash" returns noop for request 7
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmbackslash" returns noop for request 7
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmpercent" returns noop for request 7
  rlm_fastusers: checking defaults
  fastusers: Matched DEFAULT at 56
  modcall[authorize]: module "fastusers" returns updated for request 7
modcall: leaving group authorize (returns updated) for request 7
  TTLS: Tunneled authentication will be proxied to inner-realm.com
  Tunneled session will be proxied.  Not doing EAP.
  modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Request of id 0 to 143.185.231.134 port 1812
	User-Name = "rlm\\inner-user-identity"
	MS-CHAP-Challenge = 0xde2f71c04581580092f1e6a607518c80
	MS-CHAP2-Response = 0xb00051ef59af51b36ded5808d861b07c722b0000ff24005614e7135900d88db3c736c7c5abbccc1d6537d45c
	NAS-IP-Address = 127.0.0.1
	Proxy-State = 0x323437
Waking up in 3 seconds...
rad_recv: Access-Accept packet from host 143.185.231.134:1812, id=0, length=71
	Proxy-State = 0x323437
	Class = 0x844e06750137000102008fb9e78601cb086c7fcf9744001b
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
  TTLS: Passing reply from proxy back into the tunnel.
  Processing the post-auth section of radiusd.conf
modcall: e
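To compare the two proxy replies systematically rather than by eye, here is an added example (not from the original post and not FreeRADIUS code) that parses `radiusd -X` debug output, keeps the attributes of every packet a `rad_recv:` line announces, and reports which attributes one home server's Access-Accept carries that the other's lacks. Proxy-State is ignored because the proxy adds and strips it itself and never forwards it to the NAS. SAMPLE_LOG is constructed for the example (192.0.2.x documentation addresses, made-up Class and VLAN values); the function names are mine, and on a real debug log you pass the file contents to accepts_by_host().

```python
# Added example: extract the attributes of each received packet from
# radiusd -X output and diff two home servers' Access-Accepts.
# Not FreeRADIUS code; the sample log below is constructed for this example.
import re

# 2.x prints "from host A port P, id=N"; 1.x prints "from host A:P, id=N".
# The optional group accepts both forms.
RAD_RECV = re.compile(
    r"^rad_recv: (?P<code>[\w-]+) packet from host (?P<host>[\d.]+)"
    r"(?: port |:)(?P<port>\d+), id=(?P<id>\d+), length=(?P<length>\d+)"
)
# Attribute lines are indented, e.g. "\tTunnel-Type:0 = VLAN".
ATTR = re.compile(r"^\s+(?P<name>[\w:-]+) = (?P<value>.+)$")

# Attributes the proxy owns; they are never copied to the NAS.
PROXY_ONLY = {"Proxy-State"}


def parse_replies(debug_text):
    """Return one dict per rad_recv block: code, host, port, id, attrs."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            current = {"code": m["code"], "host": m["host"],
                       "port": int(m["port"]), "id": int(m["id"]), "attrs": {}}
            replies.append(current)
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current["attrs"][m["name"]] = m["value"].strip()
        elif line.strip():
            current = None  # any other non-blank line ends the packet dump
    return replies


def user_attrs(reply):
    """Attributes a proxy would forward to the NAS (drops Proxy-State)."""
    return {k: v for k, v in reply["attrs"].items() if k not in PROXY_ONLY}


def diff_attrs(reply_a, reply_b):
    """Attribute names present in a but not in b, and in b but not in a."""
    a, b = set(user_attrs(reply_a)), set(user_attrs(reply_b))
    return a - b, b - a


def accepts_by_host(debug_text):
    """Map home-server IP -> its Access-Accept (last one seen per host)."""
    return {r["host"]: r for r in parse_replies(debug_text)
            if r["code"] == "Access-Accept"}


# Constructed sample: the request the proxy sent, then one Access-Accept
# from each of two home servers. 192.0.2.10/20 are documentation addresses
# and the hex values are made up.
SAMPLE_LOG = """\
Sending Access-Request of id 0 to 192.0.2.10 port 1812
\tUser-Name = "rlm\\\\inner-user-identity"
\tNAS-IP-Address = 127.0.0.1
\tProxy-State = 0x323437
rad_recv: Access-Accept packet from host 192.0.2.10 port 1812, id=0, length=98
\tProxy-State = 0x323437
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "42"
\tClass = 0x0102030405
  Processing the post-proxy section of radiusd.conf
rad_recv: Access-Accept packet from host 192.0.2.20 port 1812, id=0, length=71
\tProxy-State = 0x323437
\tClass = 0x0a0b0c0d0e
  Processing the post-proxy section of radiusd.conf
"""

if __name__ == "__main__":
    accepts = accepts_by_host(SAMPLE_LOG)
    only_first, only_second = diff_attrs(accepts["192.0.2.10"], accepts["192.0.2.20"])
    print("only from 192.0.2.10:", sorted(only_first))
    print("only from 192.0.2.20:", sorted(only_second))
```

If the second server's accept really contains nothing but Class (as in the failed log above), the diff names exactly the attributes the NAS is missing, which separates "the home server never sent them" from "the proxy dropped them on the way back into the tunnel".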
Re: 802.1x ->Radius ->Ldap
So I gave in and connected radius to my active directory (which we wish we could get rid of). I'm getting the following error now. Any thoughts on correcting this winbind error?

[mschapv2] +- entering group MS-CHAP {...}
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for VIDEOEGG\kplimack with NT-Password
[mschap] 	expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] 	expand: %{User-Name:-None} -> VIDEOEGG\kplimack
[mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=VIDEOEGG\kplimack
[mschap] 	expand: %{mschap:NT-Domain} -> VIDEOEGG
[mschap] 	expand: --domain=%{%{mschap:NT-Domain}:-VIDEOEGG} -> --domain=VIDEOEGG
[mschap]   mschap2: a0
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=f83a0b16419a7f71
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=fa180186e7d362c5ee57c6c776619d4d72173918ebc17b93
Exec-Program output: Reading winbind reply failed! (0xc001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect

On 6/18/10 1:54 PM, "Arran Cudbard-Bell" wrote:

That has to go in the wiki somewhere. That's possibly the best explanation of how FreeRADIUS processes requests I've ever heard... :)

-Arran

On Jun 18, 2010, at 1:50 PM, John Dennis wrote:

> On 06/18/2010 04:03 PM, Kyle Plimack wrote:
>> So how do I get pap to do it?
>
> If you're asking how you get pap to do mschap then that's a nonsensical question.
>
> Here is how things work:
>
> The client sends you a radius auth request, you don't get to decide what's in it, the client does.
>
> The radius server looks at the request and says
>
> "hmmm... let's see what do we have here? What can I do with this?"
>
> The answer to that is what auth types you have enabled, what the server can lookup, and what's in the request.
>
> The server will do something like this:
>
> "Yo unix module, can you handle this one?"
>
> "Hey pap module, can you handle this one?"
>
> "Yo mschap module, can you handle this one?"
>
> At some point hopefully one of the modules will say:
>
> "No problem I got it"
>
> The decision as to whether a module can handle the request is made by the module by looking at the data available to it.
>
> So let's say the client sends a request with a password and you've got pap enabled. The pap module looks at the request and says
>
> "hmmm ... do I have a password for this user"
>
> if so then compare my copy of the password to what's in the request.
>
> How does radius find a user's password? By consulting its backend data store which can be the users file, a SQL database, or ldap.
>
> So before the pap module runs ldap will run. ldap says
>
> "hmm... Can I find passwords for this user?" If so I'll add them to the request as a check item so my dear friend the pap module can use them, you know that pap guy, he's always looking for passwords.
>
> But WAIT! What if the client sends a MSCHAP request? What does the radius server say then?
>
> "Well that's a fine kettle of fish! That client has really really tied my hands on this one" The only thing the server can do is run the mschap logic.
>
> The mschap module looks at the request to see if there is a check item with either a clear text password or nt-hash (why? look at the protocol table). If those haven't been added by one of the datastores the mschap module says:
>
> "Sorry boss, no can do"
>
> But now the server has run out of options, its only choice was mschap because that's what the client sent it and the mschap module can't handle it. So the server replies:
>
> "Loser! You ain't getting in here with those credentials" (Well really Auth-Reject)
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1x ->Radius ->Ldap
That has to go in the wiki somewhere. That's possibly the best explanation of how FreeRADIUS processes requests I've ever heard... :)

-Arran

On Jun 18, 2010, at 1:50 PM, John Dennis wrote:

> On 06/18/2010 04:03 PM, Kyle Plimack wrote:
>> So how do I get pap to do it?
>
> If you're asking how you get pap to do mschap then that's a nonsensical question.
>
> Here is how things work:
>
> The client sends you a radius auth request, you don't get to decide what's in it, the client does.
>
> The radius server looks at the request and says
>
> "hmmm... let's see what do we have here? What can I do with this?"
>
> The answer to that is what auth types you have enabled, what the server can lookup, and what's in the request.
>
> The server will do something like this:
>
> "Yo unix module, can you handle this one?"
>
> "Hey pap module, can you handle this one?"
>
> "Yo mschap module, can you handle this one?"
>
> At some point hopefully one of the modules will say:
>
> "No problem I got it"
>
> The decision as to whether a module can handle the request is made by the module by looking at the data available to it.
>
> So let's say the client sends a request with a password and you've got pap enabled. The pap module looks at the request and says
>
> "hmmm ... do I have a password for this user"
>
> if so then compare my copy of the password to what's in the request.
>
> How does radius find a user's password? By consulting its backend data store which can be the users file, a SQL database, or ldap.
>
> So before the pap module runs ldap will run. ldap says
>
> "hmm... Can I find passwords for this user?" If so I'll add them to the request as a check item so my dear friend the pap module can use them, you know that pap guy, he's always looking for passwords.
>
> But WAIT! What if the client sends a MSCHAP request? What does the radius server say then?
>
> "Well that's a fine kettle of fish! That client has really really tied my hands on this one" The only thing the server can do is run the mschap logic.
>
> The mschap module looks at the request to see if there is a check item with either a clear text password or nt-hash (why? look at the protocol table). If those haven't been added by one of the datastores the mschap module says:
>
> "Sorry boss, no can do"
>
> But now the server has run out of options, its only choice was mschap because that's what the client sent it and the mschap module can't handle it. So the server replies:
>
> "Loser! You ain't getting in here with those credentials" (Well really Auth-Reject)
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: 802.1x ->Radius ->Ldap
On 06/18/2010 04:03 PM, Kyle Plimack wrote:
> So how do I get pap to do it?

If you're asking how you get pap to do mschap then that's a nonsensical question.

Here is how things work:

The client sends you a radius auth request, you don't get to decide what's in it, the client does.

The radius server looks at the request and says

"hmmm... let's see what do we have here? What can I do with this?"

The answer to that is what auth types you have enabled, what the server can lookup, and what's in the request.

The server will do something like this:

"Yo unix module, can you handle this one?"

"Hey pap module, can you handle this one?"

"Yo mschap module, can you handle this one?"

At some point hopefully one of the modules will say:

"No problem I got it"

The decision as to whether a module can handle the request is made by the module by looking at the data available to it.

So let's say the client sends a request with a password and you've got pap enabled. The pap module looks at the request and says

"hmmm ... do I have a password for this user"

if so then compare my copy of the password to what's in the request.

How does radius find a user's password? By consulting its backend data store which can be the users file, a SQL database, or ldap.

So before the pap module runs ldap will run. ldap says

"hmm... Can I find passwords for this user?" If so I'll add them to the request as a check item so my dear friend the pap module can use them, you know that pap guy, he's always looking for passwords.

But WAIT! What if the client sends a MSCHAP request? What does the radius server say then?

"Well that's a fine kettle of fish! That client has really really tied my hands on this one" The only thing the server can do is run the mschap logic.

The mschap module looks at the request to see if there is a check item with either a clear text password or nt-hash (why? look at the protocol table). If those haven't been added by one of the datastores the mschap module says:

"Sorry boss, no can do"

But now the server has run out of options, its only choice was mschap because that's what the client sent it and the mschap module can't handle it. So the server replies:

"Loser! You ain't getting in here with those credentials" (Well really Auth-Reject)

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: 802.1x ->Radius ->Ldap
Kyle Plimack wrote:
> So how do I get pap to do it?

  To do what?

  If you're asking why PAP works, go read the table.  It's not hard.

  Alan DeKok.
Re: 802.1x ->Radius ->Ldap
On 06/18/2010 02:11 PM, Kyle Plimack wrote:
> Doing an ldapsearch put me on the right track, I had created a user 'radiusd', but that user did not have the rights to request the userPassword. The error I am getting now is:
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for kplimack with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
>
> I added an entry to ldap.attrmap, "checkItem Cleartext-Password userPassword"
> The Password is not cleartext, but I read somewhere that radius is supposed to figure that out automatically from a header. This is what is returned:
>
> rlm_ldap: userPassword -> Cleartext-Password == "{SSHA}xQjX16XbCUSXpiR2y"

That's not a clear text password is it? You can't do MSCHAP with SHA1.

Please look at:

http://deployingradius.com/documents/protocols/compatibility.html

Which password type is compatible with *all* authentication mechanisms? Which will work with SHA1?

If you have multiple password attributes in ldap per user, for instance different hashes and hopefully a cleartext, then set the userPassword attribute in ldap.attrmap to User-Password and enable auto_header in the ldap module config. The ldap will read *every* password attribute defined for the user and map them based on the {} prefix. In the above case your prefix was {SSHA} so rlm_ldap will map that to PW_SSHA_PASSWORD. But you already know from reading the protocol table it won't work with MSCHAP, right?

Which type of password works with everything? Look at the table. What works with MSCHAP? Look at the table.

Now, go back and add the necessary password attributes to your ldap.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
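The rule John states here, and in his earlier walkthrough (the mschap module needs a cleartext password or an NT hash as a check item, while a {SSHA} value can only ever serve PAP), can be checked mechanically. The script below is an added example, not code from FreeRADIUS or from anyone on this thread: it maps a userPassword value by its {header} to the FreeRADIUS password attribute and to the authentication methods that attribute can verify (following the deployingradius.com compatibility table), checks a PAP password against an {SSHA} value the way a PAP check does, and derives an NT hash from cleartext with a pure-Python MD4 to show the one-way step that makes MS-CHAP impossible starting from SSHA. The attribute names in HEADER_MAP are FreeRADIUS's own; the function names, the sample password and the fixed salt are mine.

```python
# Added example, not FreeRADIUS code: what a stored password value can and
# cannot authenticate. Mirrors the {header} handling described in the thread
# (the prefix of an LDAP userPassword value selects the password attribute)
# and the deployingradius.com protocol compatibility table.
import base64
import hashlib
import hmac
import struct

# {header} -> (FreeRADIUS password attribute, auth methods it can verify).
# Only cleartext serves everything; MS-CHAP needs cleartext or an NT hash;
# the salted and unsalted digests serve PAP only (the request carries the
# cleartext, so the server can re-hash it; it cannot go the other way).
HEADER_MAP = {
    "{CLEAR}": ("Cleartext-Password", {"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2"}),
    "{NT}": ("NT-Password", {"PAP", "MS-CHAP", "MS-CHAPv2"}),
    "{MD5}": ("MD5-Password", {"PAP"}),
    "{SMD5}": ("SMD5-Password", {"PAP"}),
    "{SHA}": ("SHA-Password", {"PAP"}),
    "{SSHA}": ("SSHA-Password", {"PAP"}),
    "{CRYPT}": ("Crypt-Password", {"PAP"}),
}


def classify(stored):
    """Map a userPassword value to (attribute, methods); no header = cleartext."""
    if stored.startswith("{") and "}" in stored:
        header = stored[: stored.index("}") + 1].upper()
        if header in HEADER_MAP:
            return HEADER_MAP[header]
    return HEADER_MAP["{CLEAR}"]


def can_authenticate(stored, method):
    return method in classify(stored)[1]


def make_ssha(password, salt):
    """{SSHA}: base64(sha1(password + salt) + salt), as OpenLDAP stores it."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_pap_ssha(stored, candidate):
    """PAP works with SSHA: re-hash the cleartext from the request."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled in many OpenSSL builds."""
    m = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & m
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & m, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[k2[i]] + 0x5A827999) & m, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[k3[i]] + 0x6ED9EBA1) & m, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & m for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT-Password = MD4(UTF-16LE(password)). Derivable from cleartext only,
    never from an {SSHA} digest, which is why MS-CHAP fails on SSHA."""
    return md4(password.encode("utf-16-le")).hex()


if __name__ == "__main__":
    # Constructed sample values; the salt is fixed so the output is reproducible.
    stored = make_ssha("hunter2", b"\x01\x02\x03\x04")
    for value in (stored, "hunter2", "{NT}" + nt_hash("hunter2")):
        attr, methods = classify(value)
        print(f"{value:50} -> {attr:20} {sorted(methods)}")
    print("PAP against SSHA:", verify_pap_ssha(stored, "hunter2"))
    print("MS-CHAPv2 possible against SSHA:", can_authenticate(stored, "MS-CHAPv2"))
```

On a real directory entry, run the userPassword string through classify() before suspecting the NAS or the supplicant: if it is neither cleartext nor {NT}, an MS-CHAPv2 inner method cannot succeed however the mschap module is configured, and the fix is on the LDAP side (store the attribute MS-CHAP needs, and put an ACL on it).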
Re: 802.1x ->Radius ->Ldap
So how do I get pap to do it?

On 6/18/10 12:50 PM, "Alan DeKok" wrote:

Kyle Plimack wrote:
> I added an entry to ldap.attrmap, "checkItem Cleartext-Password userPassword"
> The Password is not cleartext, but I read somewhere that radius is supposed to figure that out automatically from a header. This is what is returned:
>
> rlm_ldap: userPassword -> Cleartext-Password == "{SSHA}xQjX16XbCUSXpiR2y"

  It is impossible to do MS-CHAP with SSHA passwords.

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.
Re: 802.1x ->Radius ->Ldap
Kyle Plimack wrote:
> I added an entry to ldap.attrmap, "checkItem Cleartext-Password userPassword"
> The Password is not cleartext, but I read somewhere that radius is supposed to figure that out automatically from a header. This is what is returned:
>
> rlm_ldap: userPassword -> Cleartext-Password == "{SSHA}xQjX16XbCUSXpiR2y"

  It is impossible to do MS-CHAP with SSHA passwords.

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.
Re: 802.1x ->Radius ->Ldap
Doing an ldapsearch put me on the right track, I had created a user 'radiusd', but that user did not have the rights to request the userPassword. The error I am getting now is:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for kplimack with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

I added an entry to ldap.attrmap, "checkItem Cleartext-Password userPassword"
The Password is not cleartext, but I read somewhere that radius is supposed to figure that out automatically from a header. This is what is returned:

rlm_ldap: userPassword -> Cleartext-Password == "{SSHA}xQjX16XbCUSXpiR2y"

Full Log: http://pastebin.com/ZJuPsyrb

On 6/18/10 7:14 AM, "John Dennis" wrote:

On 06/18/2010 02:01 AM, Alan DeKok wrote:
> Kyle Plimack wrote:
>> I have pap working (i.e. I ran radtest and got an access-accept).
>> I don't want to configure certs on each of my hosts for each of my clients, so I'd like to use PEAP/msChapV2 so that dot1x clients are prompted for a username/password.
>>
>> According to the deployingradius.com guide, once pap is working, mschapv2 should "just work". It doesn't.
>
> Your debug output shows you are using PEAP.  That is *not* MSCHAPv2.
>
>> I've put the log on pastebin where it is formatted in a more friendly way
>> http://pastebin.com/9tSjQW1f
>
> You have added "ldap" to the "inner-tunnel" section.  That's good. You haven't read the WARNING in the debug output, as pointed out by John.  That's bad.
>
> The server NEEDS a "known good" password in order to authenticate the user.  The LDAP server didn't supply one.  Ensure that that LDAP server returns a password.  It *will* work.

Do an ldapsearch on the command line for the user to see what is getting returned to radius. Look for the password attributes, are they there? Is there a cleartext password rather than just hashes? Does the cleartext password attribute in ldap match the password attribute in your radius ldap config (by default it's userPassword).

Does your /etc/raddb/ldap.attrmap file have this line?

checkItem Cleartext-Password userPassword

Don't forget to put an ACL on the password attributes in ldap, you don't want others to be able to read them!

If you don't want to store cleartext passwords you'll need to restrict the protocols you support.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Change of logging behaviour in 2.1.9
Jakob Hirsch wrote:
> I just wonder why there is such a change in a patch level update. And what the above mentioned bug was about...

  The bug was that it *wasn't* re-opening the log file on HUP.  Since this is expected behavior, it needed to be fixed.

  Alan DeKok.
Re: Change of logging behaviour in 2.1.9
Bjørn Mork, 2010-06-17 18:28:
>>> * re-open log file after HUP. Closes bug #63.
> FWIW we have been HUPing the server from a daily, unattended process
> with FR 2.1.8 since it was released (we need it to rotate log files

Ok. That's what we are doing now, too. After all, other daemons (apache, rsyslogd etc.) are doing the same all the time.

I just wonder why there is such a change in a patch level update. And what the above mentioned bug was about...
Re: 802.1x ->Radius ->Ldap
On 06/18/2010 02:01 AM, Alan DeKok wrote:
> Kyle Plimack wrote:
>> I have pap working (i.e. I ran radtest and got an access-accept).
>> I don't want to configure certs on each of my hosts for each of my clients, so I'd like to use PEAP/msChapV2 so that dot1x clients are prompted for a username/password.
>>
>> According to the deployingradius.com guide, once pap is working, mschapv2 should "just work". It doesn't.
>
> Your debug output shows you are using PEAP.  That is *not* MSCHAPv2.
>
>> I've put the log on pastebin where it is formatted in a more friendly way
>> http://pastebin.com/9tSjQW1f
>
> You have added "ldap" to the "inner-tunnel" section.  That's good. You haven't read the WARNING in the debug output, as pointed out by John.  That's bad.
>
> The server NEEDS a "known good" password in order to authenticate the user.  The LDAP server didn't supply one.  Ensure that that LDAP server returns a password.  It *will* work.

Do an ldapsearch on the command line for the user to see what is getting returned to radius. Look for the password attributes, are they there? Is there a cleartext password rather than just hashes? Does the cleartext password attribute in ldap match the password attribute in your radius ldap config (by default it's userPassword).

Does your /etc/raddb/ldap.attrmap file have this line?

checkItem Cleartext-Password userPassword

Don't forget to put an ACL on the password attributes in ldap, you don't want others to be able to read them!

If you don't want to store cleartext passwords you'll need to restrict the protocols you support.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Change of logging behaviour in 2.1.9
Jakob Hirsch wrote:
> Since the update to 2.1.9 a new log file is _only_ opened on HUP. Is this behaviour intended?

  Yes.  It's the way most daemons work.

> Is the only possibility to reopen the log file now to send HUP to the server? I don't feel very comfortable with this. The server reloads the config, modules and whatnot. I think this is not something that one wants to do in a daily, unattended process. Isn't there any other, less intrusive method to tell freeradius to reopen the log file? (besides a restart, of course)

  Source code patches.

  Alan DeKok.
Re:
tangfu wrote:
> Hi,guys.Anybody know how to complie freeradius 2.19 under cygwin.I feel the FreeRADIUS.net is out of date but lots of complie error make me mad.any proposal will be appreciated.

  Try posting the errors to the list.

  Also, cygwin isn't really a supported platform.  But if you see compile errors, that's a bit surprising.  Cygwin should be *vaguely* POSIX, and FreeRADIUS compiles on all posix systems.

  Debugging compilation errors requires some knowledge of C.  It shouldn't be hard.

  Alan DeKok.
RE: eduroam PEAP + TTLS
Ok, Here is my eap.conf.

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = yes
    cisco_accounting_username_bug = no
    max_sessions = 4096
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/cert.key
        certificate_file = ${certdir}/cert-3169-cert.pem
        CA_file = ${cadir}/chain-3169-cert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
        include_length = yes
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

I'm sorry

> Date: Fri, 18 Jun 2010 13:27:28 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: eduroam PEAP + TTLS
>
> Hi,
>
>> So this is the true question, what error in my configuration can cause this ?
>
> I cannot read minds..and you havent supplied eg eap.conf (obfuscated as is reasonable)
>
> alan
Re: eduroam PEAP + TTLS
Hi,

> So this is the true question, what error in my configuration can cause this ?

I cannot read minds..and you havent supplied eg eap.conf (obfuscated as is reasonable)

alan
Re: FreeRadius in proxy mode does not transfer IP address to client
Hi,

> I need to authorize wireless users by the protocol EAP-PEAP on Cisco Air 350, but, unfortunately, the radius of the billing system can not EAP-PEAP. Freeradius server in proxy mode terminates the tunnel TLS, and requests the radius of the billing system goes on algorithm mschapv2.
>
> All right, authorization correct, but one problem: freeradius does not pass attribute FRAMED-IP-Address to Win wireless client.
> Show, what my mistake, please!

wireless clients dont get their address via that method - thats just for dial-in type stuff. to hand out addresses on wireless you need to use DHCP.

alan
Re: problem migrating to freeradius2 with LDAP/krb5 Authorization/Authentication
Hi,

> # users
> DEFAULT Auth-Type := eap
>
> DEFAULT Auth-Type := Kerberos
>         Fall-Through = 1

those are 2 conflicting entries. you should never need the first one. the second one is what you'll need...but the Fall-Through is superfluous

alan
FreeRadius in proxy mode does not transfer IP address to client
Hi all,

I need to authorize wireless users by the protocol EAP-PEAP on Cisco Air 350, but, unfortunately, the radius of the billing system cannot do EAP-PEAP. The Freeradius server in proxy mode terminates the TLS tunnel, and the requests to the radius of the billing system go by the mschapv2 algorithm.

All right, authorization is correct, but one problem: freeradius does not pass the attribute FRAMED-IP-Address to the Win wireless client.
Show me my mistake, please!

192.168.2.252 - IP address of the server
port 1645 for freeradius auth packets
ports 1812,1813 for billing radius
10.1.1.30 - Cisco Air 350 wireless AP

== FreeRadius Configs ==

__ proxy.conf __

proxy server {
    default_fallback = no
}

home_server BGBILLING {
    type = auth+acct
    ipaddr = 192.168.2.252
    port = 1812
    secret = bgbilling
    zombie_period = 30
    response_window = 20
    status_check = none
    ping_check = none
}

realm BGBILLING {
    nostrip
    authhost = 192.168.2.252:1812
    accthost = 192.168.2.252:1813
    secret = bgbilling
    type = radius
}

__ eap.conf __

eap {
    default_eap_type = mschapv2
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "proxy-inner-tunnel"
    }
    mschapv2 {
    }
}

__ proxy-inner-tunnel __

server proxy-inner-tunnel {
    authorize {
        update control {
            Proxy-To-Realm := "BGBILLING"
        }
    }
    authenticate {
        eap
    }
    post-proxy {
        eap
    }
}

=== output listing /usr/local/sbin/radiusd -X ===

.
Listening on authentication address * port 1645
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=72, length=160
	User-Name = "user1"
	Framed-MTU = 1400
	Called-Station-Id = "0040.9645.a099"
	Calling-Station-Id = "001a.73f3.d763"
	Cisco-AVPair = "ssid=hotel"
	Service-Type = Login-User
	Message-Authenticator = 0x494e97d46fe81b971dc73dd31ff16394
	EAP-Message = 0x0202000b016b6e79726b6f
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "265"
	NAS-Port = 265
	NAS-IP-Address = 10.1.1.30
	NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] 	expand: %t -> Tue Jun  8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Aut
RE: eduroam PEAP + TTLS
Finally, you're right, there is a confusion with PEAP and TTLS... When I say our FreeRADIUS server doesn't support TTLS but only PEAP, that works... So this is the true question: what error in my configuration can cause this?

Thank you very much!

J-P.

From: le...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: eduroam PEAP + TTLS
Date: Fri, 18 Jun 2010 07:56:33 +

> Date: Thu, 17 Jun 2010 22:14:45 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: eduroam PEAP + TTLS
>
> Hi,

Hi, thank you very much for your quick answer!

> > I'm trying to implement PEAP-MSCHAPV2 support in an existing and working
> > configuration with EAP-TTLS + PAP,
> > giving users a full support of eduroam. There are proxy radius maintained
> > by our national "provider", and they test
> > authentication every 15 minutes.
> >
> > When they only test EAP-TTLS authentication, it works, and this is a part
> > of the output of freeradius -X.
>
> can I ask a quick question. do you need/want your own users to use PEAP? whether
> you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users. a visitor
> to your site should be able to use PEAP if their home site supports it as your FreeRADIUS
> boxes will just proxy the request to the national proxies.
>
> I'm not sure why the central test should be forcing you to support all types of EAP - it
> should only check that you are working for the EAP methods that you, as an IdP, support.

I need my own users to use PEAP because on Windows clients there is no support for EAP-TTLS without installing a piece of software to implement it. And I want to use Active Directory because I can't use the actual password field in OpenLDAP with PEAP. Otherwise you're right, this is how eduroam works.

> > } # server inner-tunnel
> > [ttls] Got tunneled reply code 2
>         ^^
>
> eh? I thought you said this second test was a PEAP test. are you sure it is
> as this looks very much like an EAP-TTLS/MSCHAPv2 test

That's right, whereas before, I've got this line:

Login OK: [user/] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)

Which occurs after these lines:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for u...@realm with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap]        expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user
[mschap] mschap2: d6
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46
Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program: returned: 0
++[mschap] returns ok

So, I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've made something wrong in the order of Auth-Type in my conf files?

> > Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
> >         User-Name = "u...@realm"
> >         EAP-Message = 0x010a005f158000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
> >         Message-Authenticator = 0x
> >         State = 0xcda13382c4ab2647095b27820a4b1850
>
> theres plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge'
> - usually down to certs.

I've already added my certs in the Active Directory, as it's said in eap.conf, and that solved the problem for PEAP-MSCHAPV2. So now I can use the default PEAP options in the native supplicant on Windows and that works. I'm gonna look for more about this.

> alan

J-P.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
problem migrating to freeradius2 with LDAP/krb5 Authorization/Authentication
Hello,

I moved my old FreeRADIUS 1.x server to FreeRADIUS 2. I am on CentOS 5.5 with:

freeradius2-utils-2.1.7-7.el5
freeradius2-mysql-2.1.7-7.el5
freeradius2-2.1.7-7.el5
freeradius2-postgresql-2.1.7-7.el5
freeradius2-python-2.1.7-7.el5
freeradius2-unixODBC-2.1.7-7.el5
freeradius2-krb5-2.1.7-7.el5
freeradius2-perl-2.1.7-7.el5
freeradius2-ldap-2.1.7-7.el5

What I would like to do is to have the same service with LDAP authorization plus Kerberos V authentication, with users using an EAP-TTLS client (SecureW2). But it does not work for me: Kerberos authentication is not even entered by the RADIUS server because of misconfiguration, and I am trying to guess where my error is. A basic cleartext password in the users file with EAP authentication works. I am not able to make Kerberos authentication work with EAP. I set up the RADIUS server, I added the principal in the Kerberos server and I have the proper krb5.keytab file set up. Could you please check where I went wrong in my configuration? Following is my configuration, and at the end is the radius log. Thank you very much.

# users
DEFAULT Auth-Type := eap

DEFAULT Auth-Type := Kerberos
        Fall-Through = 1

# modules/krb5
krb5 {
        keytab = /etc/krb5.keytab
        #service_principal = name_of_principle
}

# modules/ldap
ldap {
        server = "ldap-m.mydomain.com"
        basedn = "ou=people,o=myorg,o=myorg,c=it"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

# sites-available/default
authorize {
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        ldap
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type Kerberos {
                krb5
        }
        unix
        eap
        Auth-Type eap {
                eap {
                        handled = 1
                }
        }
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}

session {
        radutmp
}

post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
        eap
}

# sites-available/inner-tunnel
server inner-tunnel {
        authorize {
                chap
                mschap
                unix
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                files
                ldap
                expiration
                logintime
                pap
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                Auth-Type Kerberos {
                        krb5
                }
                unix
                eap
        }

        session {
                radutmp
        }

        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }

        pre-proxy {
        }

        post-proxy {
                eap
        }
}

radiusd -X

rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=55, length=157
        User-Name = "usern...@myrealm.com"
        Framed-MTU = 1400
        Called-Station-Id = "0012.438a.e8f0"
        Calling-Station-Id = "0022.5f08.a887"
        Service-Type = Login-User
        Message-Authenticator = 0xf4d6a67552977fb729b374eba35a1ff4
        EAP-Message = 0x0202001b016775697a7a756e746940636e61662e696e666e2e6974
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 331
        NAS-IP-Address = 192.168.252.17
        NAS-Identifier = "ap"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log]      expand: %t -> Fri Jun 18 11:11:43 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 6
++[files] returns ok
[ldap] performing user authorization for username
[ldap]  expand: %{Stripped-User-Name} -> username
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap]  expand: ou=people,o=myorg,o=myorg,c=it -> ou=people,o=myorg,o
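As an added example (not the poster's configuration and not an official FreeRADIUS sample), here is one way the inner-tunnel virtual server could be written so that the password carried inside the EAP-TTLS tunnel actually reaches rlm_krb5. It rests on two assumptions that the post does not confirm: that SecureW2 is configured for EAP-TTLS with PAP as the inner method (rlm_krb5 needs the clear-text password; it cannot verify an MS-CHAPv2 response), and that the "DEFAULT at line 6" match in the debug output is the users-file entry that forces Auth-Type := eap, which inside the tunnel would override any Auth-Type chosen for the PAP request. The `if (User-Password)` block and the removal of `files` from the inner server are my suggestions, not taken from the post.

```unlang
# sites-available/inner-tunnel  (added example; assumes EAP-TTLS/PAP and the
# krb5 / ldap modules configured as in the post)
server inner-tunnel {
        authorize {
                chap
                mschap
                suffix

                # Never proxy the tunnelled request: it carries the clear-text
                # password, so it must be handled on this trusted server only.
                update control {
                        Proxy-To-Realm := LOCAL
                }

                eap {
                        ok = return
                }

                # The users file is deliberately NOT listed here: a
                # "DEFAULT Auth-Type := eap" entry would match inside the
                # tunnel and replace the Auth-Type set below.

                # LDAP is used for authorization only (group checks, reply
                # attributes); the password is not read from LDAP here.
                ldap

                # Only a PAP inner request has a clear-text User-Password for
                # Kerberos.  An MS-CHAPv2 inner request skips this block and is
                # left to the mschap module, which needs an NT hash and will
                # therefore fail against a Kerberos-only backend.
                if (User-Password) {
                        update control {
                                Auth-Type := Kerberos
                        }
                }

                expiration
                logintime

                # pap is a no-op once Auth-Type has already been set.
                pap
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                # Obtains initial credentials for User-Name with User-Password
                # and verifies them against the keytab from modules/krb5.
                Auth-Type Kerberos {
                        krb5
                }
                eap
        }

        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
```

Two caveats worth checking in `radiusd -X` after such a change. First, the 2.x rlm_krb5 builds the principal from the inner User-Name (not Stripped-User-Name), so the inner identity the supplicant sends must be a valid Kerberos principal; an unqualified name gets the default_realm from krb5.conf. Second, the outer (default) virtual server still needs no Auth-Type entry in the users file for EAP to work, because the eap module sets Auth-Type itself when it sees an EAP-Message.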
RE: eduroam PEAP + TTLS
> Date: Thu, 17 Jun 2010 22:14:45 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: eduroam PEAP + TTLS
>
> Hi,

Hi, thank you very much for your quick answer!

> > I'm trying to implement PEAP-MSCHAPV2 support in an existing and working
> > configuration with EAP-TTLS + PAP,
> > giving users a full support of eduroam. There are proxy radius maintained
> > by our national "provider", and they test
> > authentication every 15 minutes.
> >
> > When they only test EAP-TTLS authentication, it works, and this is a part
> > of the output of freeradius -X.
>
> can I ask a quick question. do you need/want your own users to use PEAP? whether
> you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users. a visitor
> to your site should be able to use PEAP if their home site supports it as your FreeRADIUS
> boxes will just proxy the request to the national proxies.
>
> I'm not sure why the central test should be forcing you to support all types of EAP - it
> should only check that you are working for the EAP methods that you, as an IdP, support.

I need my own users to use PEAP because on Windows clients there is no support for EAP-TTLS without installing a piece of software to implement it. And I want to use Active Directory because I can't use the actual password field in OpenLDAP with PEAP. Otherwise you're right, this is how eduroam works.

> > } # server inner-tunnel
> > [ttls] Got tunneled reply code 2
>         ^^
>
> eh? I thought you said this second test was a PEAP test. are you sure it is
> as this looks very much like an EAP-TTLS/MSCHAPv2 test

That's right, whereas before, I've got this line:

Login OK: [user/] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)

Which occurs after these lines:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for u...@realm with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap]        expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user
[mschap] mschap2: d6
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46
Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program: returned: 0
++[mschap] returns ok

So, I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've made something wrong in the order of Auth-Type in my conf files?

> > Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
> >         User-Name = "u...@realm"
> >         EAP-Message = 0x010a005f158000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
> >         Message-Authenticator = 0x
> >         State = 0xcda13382c4ab2647095b27820a4b1850
>
> theres plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge'
> - usually down to certs.

I've already added my certs in the Active Directory, as it's said in eap.conf, and that solved the problem for PEAP-MSCHAPV2. So now I can use the default PEAP options in the native supplicant on Windows and that works. I'm gonna look for more about this.

> alan

J-P.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
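The thread above (both copies of the exchange) turns on one point: MS-CHAPv2, whether it arrives inside PEAP or inside EAP-TTLS, can only be verified from the NT hash of the password, which is why the poster had to move from an OpenLDAP password attribute to Active Directory via ntlm_auth, and why an EAP-TTLS/MSCHAPv2 probe ends up in the same mschap code path as a PEAP/MSCHAPv2 one. The following is an added example (mine, not the poster's files and not a FreeRADIUS sample verbatim) of the two pieces of 2.1.x configuration that make that path explicit: an eap.conf in which ttls and peap both hand the inner request to one inner-tunnel virtual server, and a modules/mschap whose ntlm_auth line uses the nested `%{%{a}:-%{b}}` form instead of the `%{a:-%{b}}` syntax that produced the "Deprecated conditional expansion" warning in the debug output. The ntlm_auth path, certificate file names and the choice of peap as default_eap_type are assumptions.

```unlang
# eap.conf  (added example; assumes certificates already installed under
# ${confdir}/certs and ntlm_auth from Samba at /usr/bin/ntlm_auth with
# winbind joined to the AD domain)
eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                # private_key_password = <only if the key file is encrypted>
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
        }

        # Both tunnelled methods deliver the inner request to the same
        # virtual server, so EAP-TTLS/MSCHAPv2 and PEAP/MSCHAPv2 are
        # authorised and authenticated by exactly the same sections.
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}

# modules/mschap  (added example)
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes

        # Windows clients send DOMAIN\user but compute the MS-CHAP response
        # over "user" alone; this strips the domain for the computation.
        with_ntdomain_hack = yes

        # MS-CHAPv2 is checked against the NT hash held by the domain, so
        # the challenge/response pair is handed to AD through ntlm_auth.
        # Nested %{%{a}:-%{b}} replaces the deprecated %{a:-%{b}} form.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

With this layout, a "[ttls] Got tunneled reply code 2" line in `radiusd -X` simply means the inner-tunnel server returned Access-Accept for a TTLS-carried inner method; it says nothing about PEAP. If a site wants to refuse EAP-TTLS from its own users while still proxying visitors' TTLS to the national proxies, that decision belongs in the outer server's authorize section before `eap`, based on the realm, rather than in eap.conf.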