Re: EAP-TLS authentication allows me to authenticate with invalid certificate.

2010-10-13 Thread Alan DeKok
Terry Simons wrote:
 I'm running into an issue where FreeRADIUS allows an invalid certificate (one 
 not signed by my configured CA) to successfully authenticate to EAP-TLS.

  Well... the code which prints the error verify error:num=20: is in
the verify certificate callback function.  It's returning FALSE to
OpenSSL.

  OpenSSL *should* return that error back up the call chain to the
functions in src/modules/libeap/.  They look for error returns from
OpenSSL, and stop the conversation if so.

 There's a message in the log that clearly indicates that the CA wasn't found 
 (--> verify error:num=20:unable to get local issuer certificate), yet my 
 authentication succeeds.
 
 I'm using FreeRADIUS version 2.1.10 with a largely default configuration 
 (home-grown certificates).

  Does it fail authentication with another version of FreeRADIUS?  If
not, it's an OpenSSL problem.

 I want this authentication to fail because the certificate that the client is 
 using was not signed by the CA that I have configured with the CA_file 
 directive, therefore it should be considered an invalid EAP-TLS attempt.
 
 Has anyone seen this before?

  Nope.  I'm not a crypto person.  FreeRADIUS hands the SSL stuff to
OpenSSL, which does its magic to verify the certs.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
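The failure mode Terry describes (a verify error logged by the EAP-TLS callback, then an Access-Accept anyway) is worth alerting on rather than discovering by hand. The Python below is an added example, not code from the thread: it walks radiusd -X output, which is single-threaded so the lines between one rad_recv and the next belong to that request, correlates the EAP conversation by User-Name, and reports sessions that were accepted after a verify error. The log lines it runs on are constructed.

```python
import re
import sys

# Constructed sample of "radiusd -X" output (not from the original post). User "alice"
# triggers the verify-callback error in one packet of the EAP conversation and is still
# accepted in a later packet (the behaviour reported above); "bob" hits the same error and
# is correctly rejected; "carol" is a clean accept.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.5 port 1024, id=3, length=200
	User-Name = "alice"
--> verify error:num=20:unable to get local issuer certificate
Sending Access-Challenge of id 3 to 10.0.0.5 port 1024
rad_recv: Access-Request packet from host 10.0.0.5 port 1024, id=4, length=200
	User-Name = "alice"
Sending Access-Accept of id 4 to 10.0.0.5 port 1024
rad_recv: Access-Request packet from host 10.0.0.5 port 1025, id=5, length=200
	User-Name = "bob"
--> verify error:num=20:unable to get local issuer certificate
Sending Access-Reject of id 5 to 10.0.0.5 port 1025
rad_recv: Access-Request packet from host 10.0.0.5 port 1026, id=6, length=200
	User-Name = "carol"
Sending Access-Accept of id 6 to 10.0.0.5 port 1026
"""

RECV_RE = re.compile(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
USER_RE = re.compile(r'^\s*User-Name = "?([^"]*)"?\s*$')
VERIFY_RE = re.compile(r"verify error:num=(\d+):(.*)")
SEND_RE = re.compile(r"Sending Access-(Accept|Reject|Challenge) of id (\d+) to")


def find_accepts_after_verify_error(log_text):
    """Return [(host, user, accept_id, [errors])] for every EAP session in which an
    OpenSSL certificate verify error was logged and an Access-Accept was still sent."""
    host = None        # NAS of the request currently being processed
    current = None     # (host, user) key of that request, once User-Name is seen
    errors = {}        # (host, user) -> verify errors seen so far in the session
    findings = []
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            host, current = m.group(1), None
            continue
        m = USER_RE.match(line)
        if m and host is not None:
            current = (host, m.group(1))
            continue
        m = VERIFY_RE.search(line)
        if m and current is not None:
            errors.setdefault(current, []).append(
                "num=%s:%s" % (m.group(1), m.group(2).strip()))
            continue
        m = SEND_RE.search(line)
        if m and current is not None:
            kind = m.group(1)
            if kind == "Accept" and current in errors:
                findings.append((current[0], current[1], int(m.group(2)), errors[current]))
            if kind in ("Accept", "Reject"):
                errors.pop(current, None)   # the session is over either way
    return findings


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for nas, user, rid, errs in find_accepts_after_verify_error(text):
        print("ACCEPT after verify error: nas=%s user=%s id=%d %s"
              % (nas, user, rid, "; ".join(errs)))
```

Pipe a real `radiusd -X` capture into the script to check whether your own server ever accepts after a verify error.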


Netscreen 208 and Freeradius

2010-10-13 Thread Ramzi Abdallah
Hi,

I am trying to configure netscreen 208 firewall to authenticate and
account for users traffic when they login via the captive portal. I
have installed freeradius 2.1.9 on Fedora core 13.

in the /etc/raddusers I added the below entry for rsa

rsa Cleartext-Password := "nopass"
	Service-Type = Framed-User

in the /etc/raddb/clients.conf I added

client 193.188.129.33 {
	nastype   = other
	secret    = 12345
	shortname = vdk-u-nsaaa
}

when user rsa logs in to the captive portal the authentication is
successful however user rsa still can not access the internet

rad_recv: Access-Request packet from host 193.188.129.33 port 49715,
id=1, length=49
User-Name = rsa
User-Password = nopass
NAS-IP-Address = 193.188.129.33
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry rsa at line 70
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password nopass
[pap] Using clear text password nopass
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 1 to 193.188.129.33 port 49715
Service-Type = Framed-User
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 1 with timestamp +135
Ready to process requests.

thank you for your help

Regards,

Ramzi


Re: Netscreen 208 and Freeradius

2010-10-13 Thread Alan DeKok
Ramzi Abdallah wrote:
 when user rsa logs in to the captive portal the authentication is
 successful however user rsa still can not access the internet

  Read the NAS documentation to see which attributes it needs in the
Access-Accept.

  This isn't a FreeRADIUS problem.

  Alan DeKok.


jradius 1.1.3

2010-10-13 Thread David Bird
Hello,

For those using rlm_jradius, there is a new release of the JRadius
server: http://www.coova.org/JRadius

Be sure to upgrade your rlm_jradius ! (probably the most common issue we
hear about; I submitted a patch a while back, but haven't followed it
up)

Get it from (also included in java distro):
http://dev.coova.org/svn/cjradius/trunk/freeradius/rlm_jradius/

There have also been improvements with the RADIUS simulator/client in
supporting RadSec, EAP-TLS, EAP-TTLS/PAP, and PEAP. Screen shots and
basic info: http://coova-docs.s3.amazonaws.com/JRadiusSimulator.pdf

Cheers,
David



RE: Removing domain name in freeradius

2010-10-13 Thread Mark Holmes
Thanks Phil.

Final question: At the moment, I can authenticate with username, but not with 
usern...@mydomain.ox.ac.uk

How do I tell freeradius to accept usern...@mydomain.ox.ac.uk (I don't mind if 
authenticating with just username without the domain fails)

Thanks,

Mark






Re: Netscreen 208 and Freeradius

2010-10-13 Thread Martín @ Ibersystems
Is it possible that this doesn't work?

http://freeradius.org/list/users.html   :?






Martín Ruiz
Ibersystems Solutions, SL
Wireless Networks Dept.
Tel. 902 430 367
669 37 95 21
Fax 93 758 63 01
http://www.ibersystems.es [http://www.ibersystems.es/]
martinr...@ibersystems.es [mailto:martinr...@ibersystems.es]
This message may contain confidential and/or privileged information. If you 
are not the addressee or a person expressly authorised to receive it, you must 
not use, copy, forward, distribute or otherwise make use of the information it 
contains in any way. If you have received this message in error, please notify 
the sender by an immediate reply and delete it. Thank you very much.
Before printing this e-mail, think about whether it is really necessary: the 
environment is everyone's responsibility.





Re: Removing domain name in freeradius

2010-10-13 Thread Phil Mayers

On 13/10/10 11:55, Mark Holmes wrote:

Thanks Phil.

Final question: At the moment, I can authenticate with username, but not with 
usern...@mydomain.ox.ac.uk

How do I tell freeradius to accept usern...@mydomain.ox.ac.uk (I don't mind if 
authenticating with just username without the domain fails)


Sorry, I don't follow: isn't that just the same question you asked 
previously?


FreeRadius itself doesn't care what the username is. The key is that the 
modules doing the authentication can recognise and authenticate that 
username.


I believe from your earlier posts you are using mschap and the 
ntlm_auth helper? If you look in the default configs, the commented 
out (but suggested) config is:


#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


Note the use of the conditional expansion Stripped-User-Name

Anyway, as always - if it's failing, please post the full debug output i.e.:

radiusd -X | tee log

...so we can see why and help you.

In all probability, you are passing the unstripped username a...@b to 
ntlm_auth and it's choking on it.

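To make Phil's point concrete, the following Python is an added example (not code from the thread or from FreeRADIUS): it models what the suffix and ntdomain instances of the realm module do to User-Name, then evaluates the `%{%{Stripped-User-Name}:-%{User-Name:-None}}` expansion to show which value ntlm_auth actually receives, including the unstripped a...@b case Phil suspects. It also covers the DOMAIN\user form that appears in the Autz-Type thread further down. The realm names are constructed; mydomain.ox.ac.uk stands in for the poster's realm.

```python
def suffix_realm(user_name, known_realms):
    """Model of the 'suffix' realm instance: split User-Name at the last '@'.
    Returns the attributes the module would add, or {} where it returns noop
    ("No '@' in User-Name" / "No such realm" in the debug output)."""
    if "@" not in user_name:
        return {}
    stripped, realm = user_name.rsplit("@", 1)
    if realm.lower() not in known_realms:
        return {}
    return {"Stripped-User-Name": stripped, "Realm": realm}


def ntdomain_realm(user_name, known_realms):
    """Model of the 'ntdomain' realm instance: split DOMAIN\\user at the first '\\'."""
    if "\\" not in user_name:
        return {}
    realm, stripped = user_name.split("\\", 1)
    if realm.lower() not in known_realms:
        return {}
    return {"Stripped-User-Name": stripped, "Realm": realm}


def xlat_username(attrs):
    """Evaluate %{%{Stripped-User-Name}:-%{User-Name:-None}}: the stripped name when
    a realm module set it, otherwise the raw User-Name, otherwise the literal None."""
    return attrs.get("Stripped-User-Name") or attrs.get("User-Name") or "None"


def ntlm_auth_username_arg(user_name, known_realms):
    """Run both realm instances in the order of the default authorize section and
    return the --username= argument ntlm_auth would be invoked with."""
    attrs = {"User-Name": user_name}
    attrs.update(suffix_realm(user_name, known_realms))
    attrs.update(ntdomain_realm(user_name, known_realms))
    return "--username=" + xlat_username(attrs)


if __name__ == "__main__":
    # Constructed realm set: the realms an administrator would have defined in proxy.conf.
    realms = {"mydomain.ox.ac.uk", "siteone"}
    for name in ("usern@mydomain.ox.ac.uk", "usern@other.example", "SITEONE\\hhoffman"):
        print(name, "=>", ntlm_auth_username_arg(name, realms))
    # With no realm defined the unstripped name reaches ntlm_auth, which is the failure
    # mode Phil describes.
    print(ntlm_auth_username_arg("usern@mydomain.ox.ac.uk", set()))
```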


Re: jradius 1.1.3

2010-10-13 Thread Alan DeKok
David Bird wrote:
 Be sure to upgrade your rlm_jradius ! (probably the most common issue we
 hear about; I submitted a patch a while back, but haven't followed it
 up)

  I'll get it into 2.1.11.

  Alan DeKok.


Re: Removing domain name in freeradius

2010-10-13 Thread Alexander Clouter
Phil Mayers <p.may...@imperial.ac.uk> wrote:

 Anyway, as always - if it's failing, please post the full debug output i.e.:
 
 radiusd -X | tee log

...I am pretty sure that is meant to be:

radiusd -X 2>&1 | tee log

I thought freeradius printed to STDERR?  If not that probably should be 
fixed, in my honest opinion. :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Drive defensively.  Buy a tank.



Re: Removing domain name in freeradius

2010-10-13 Thread Phil Mayers

On 13/10/10 13:27, Alexander Clouter wrote:

Phil Mayers <p.may...@imperial.ac.uk> wrote:


Anyway, as always - if it's failing, please post the full debug output i.e.:

radiusd -X | tee log


...I am pretty sure that is meant to be:

radiusd -X 2>&1 | tee log

I thought freeradius printed to STDERR?


Nope.


Calling-Station-Id Empty value

2010-10-13 Thread Moayad Mohammad
Dears,

I am using freeradius with wichorus ASN-GW (WiMAX), I have a problem with
the Calling-Station-Id value

The ASN-GW sent Calling-Station-Id in binary format like
this \000\031\001\000K

I checked the debug (radiusd -X) result and found that the AAA got the
correct value for Calling-Station-Id, but when it is inserted into the database
it ends up as an empty value like 

Calling-Station-Id=''  (Empty Value)

 

What's the problem? And how can I insert the
Calling-Station-Id value into the radacct table?

 

The SQL statement for accounting_start_query for example is:

accounting_start_query = "INSERT into ${acct_table1} \
  (AccStatusType, AcctSessionId, AcctUniqueId, UserName, \
  NASIPAddress, NASPortId, NASPortType, \
  WiMAXGMTTimezoneoffset, WiMAXBSId, EventTimestamp, CallingStationId, \
  AcctStartTime, AcctStopTime, AcctSessionTime, AcctInputOctets, \
  AcctOutputOctets, AcctTerminateCause, FramedIPAddress ) \
  select '%{Acct-Status-Type}', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
  '%{SQL-User-Name}', '%{NAS-IP-Address}', '%{NAS-Port}', \
  '%{NAS-Port-Type}', '%{WiMAX-GMT-Timezone-offset}', \
  '%{WiMAX-BS-Id}', '%{Event-Timestamp}', \
  '%{Calling-Station-Id}', '%S', '0', '0', '0', '0', '', \
  '%{Framed-IP-Address}' from dual where not exists (select * \
  from ${acct_table1} where UserName='%{SQL-User-Name}' and \
  AcctSessionId='%{Acct-Session-Id}' \
  and AcctStartTime='%S')"

 

Regards,

Moayad


Re: Autz-Type examples and parse error

2010-10-13 Thread Harry Hoffman
Hi Alan,

Thanks for the help! This works well and lessens the confusion on my
part.

I do have one question. When using ldap as the authorization module the
Auth-Type gets set properly to siteone_ldap. But if I try using
ntlm_auth then the Auth-Type is not set even though ntlm_auth returns
OK.

rad_recv: Access-Request packet from host 127.0.0.1 port 38806, id=14,
length=63
User-Name = SITEONE\\hhoffman
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SITEONE\hhoffman, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm SITEONE for User-Name = SITEONE\hhoffman
[ntdomain] Found realm SITEONE
[ntdomain] Adding Stripped-User-Name = hhoffman
[ntdomain] Adding Realm = SITEONE
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++? if (!Realm)
? Evaluating !(Realm) -> FALSE
++? if (!Realm) -> FALSE
++? elsif (Realm == siteone.edu)
? Evaluating (Realm == siteone.edu) -> FALSE
++? elsif (Realm == siteone.edu) -> FALSE
++? elsif (Realm == SITEONE)
? Evaluating (Realm == SITEONE) -> TRUE
++? elsif (Realm == SITEONE) -> TRUE
++- entering elsif (Realm == SITEONE) {...}
[siteone_ntlm_auth] expand: --username=%{Stripped-User-Name} -> --username=hhoffman
[siteone_ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
+++[siteone_ntlm_auth] returns ok
++- elsif (Realm == SITEONE) returns ok
++ ... skipping elsif for request 6: Preceding if was taken
++ ... skipping elsif for request 6: Preceding if was taken
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect: [SITEONE\\hhoffman] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SITEONE\hhoffman
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 14 to 127.0.0.1 port 38806
Waking up in 4.9 seconds.
Cleaning up request 6 ID 14 with timestamp +864
Ready to process requests.




On Tue, 2010-10-12 at 21:48 +0200, Alan DeKok wrote:
 Harry Hoffman wrote:
  I'm following along with the docs for Autz-Type in freeradius-2.1.8,
  specifically the section about selecting between multiple instances of a
  module.
 
   In 2.x, there are better ways to do this.  See man unlang for
 conditionally calling a module.
 
  In users.conf I have:
  DEFAULT Realm == siteone.edu, Autz-Type := siteone_ldap, Auth-Type :=
  siteone_ldap
 
   Please don't say users.conf.  It's the users file.
 
   The issue is that 2.x has the inner-tunnel virtual server, and the
 documentation is left over from 1.1.x.  The solution is instead to *not*
 use the users file.  Instead, do:
 
 authorize {
   ...
   if (Realm == "siteone.edu") {
     siteone_ldap
   }
   ...
 }
 
   This will *also* have it automatically set Auth-Type to
 siteone_ldap, too.  That's simpler than the users file entry, and
 gives less room for mistakes.
 
   Alan DeKok.
 




freeradius 2.1.10 DHCP not responding

2010-10-13 Thread Zietz, Marco
Hi,

I'm playing with freeradius acting as DHCP-server - which is a
magnificent idea! 

Got a little problem getting it up and running. Already checked any
comments in sources, list archive, recent git patches related to dhcp
and my favourite search engine. Also used two different machines with
other nic's.
Used
ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.bz2
and followed directions in raddb/sites-enabled/dhcp. Configure, make and
make install with no errors/warnings. But radiusd does not react to any
DHCP-discover. I can see the discovers coming in via tcpdump but radiusd
-X remains quiet:

=
linux:/usr/local/src# tcpdump -vvvni eth0
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
17:19:09.548866 vlan 72, p 0, IP (tos 0x0, ttl 64, id 17503, offset 0,
flags [none], proto UDP (17), length 377)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from
bc:05:43:41:1d:8d, length 349, xid 0x7e969d44, Flags [none] (0x)
  Client-Ethernet-Address bc:05:43:XX:1d:8d [|bootp]
17:19:00.583066 vlan 73, p 0, IP (tos 0x0, ttl 64, id 2146, offset 0,
flags [none], proto UDP (17), length 373)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from
bc:05:43:41:1d:8e, length 345, xid 0x48413368, Flags [none] (0x)
  Client-Ethernet-Address bc:05:43:XX:1d:8e [|bootp]

=
linux:/usr/local# /usr/local/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Oct 13
2010 at 16:06:27
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file
/usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file

Re: Autz-Type examples and parse error

2010-10-13 Thread Phil Mayers

On 13/10/10 14:40, Harry Hoffman wrote:

Hi Alan,

Thanks for the help! This works well and lessens the confusion on my
part.

I do have one question. When using ldap as the authorization module the
Auth-Type gets set properly to siteone_ldap. But if I try using


That's a feature of the ldap module; if it is a named module it sets 
the Auth-Type to that name (otherwise using LDAP)



ntlm_auth then the Auth-Type is not set even though ntlm_auth returns
OK.


The (confusingly named) ntlm_auth module is actually a copy of the 
exec module which checks PAP requests; it does not have that feature. 
You are also using it wrong, by running it in the authorize section.


You want something like:

authorize {
  if (Realm == ...) {
ldap_siteone
  }
  elsif (Realm == ...) {
update control {
  Auth-Type := PAP-ntdom
}
  }
}

authenticate {
  Auth-Type ldap_siteone {
ldap_siteone
  }
  Auth-Type PAP-ntdom {
ntlm_auth
  }
}


I guess the other alternative is:

authorize {
  if (Realm == ...) {
ldap_siteone
  }
  elsif (Realm == ...) {
ntlm_auth
if (ok) {
  update control {
Auth-Type := PAP-ntdom
  }
}
  }
}

...but maybe it's not really what you should be doing; authenticate 
should happen after authorize



Re: Autz-Type examples and parse error

2010-10-13 Thread Harry Hoffman
Hi Phil,

Thanks for the pointers. I was attempting to use ntlm_auth to ensure the
account actually existed for the authorization section. And then again
in the authentication section to ensure the user name and password
match.

Is there a better way to check for authorization against AD?

Cheers,
Harry






Re: Autz-Type examples and parse error

2010-10-13 Thread Phil Mayers

On 13/10/10 15:17, Harry Hoffman wrote:

Hi Phil,

Thanks for the pointers. I was attempting to use ntlm_auth to ensure the
account actually existed for the authorization section. And then again
in the authentication section to ensure the user name and password
match.


But that's not what you're doing. You're actually issuing a password 
check request.


And why check twice? If they don't exist, auth will fail in the 
authenticate {} section.




Is there a better way to check for authorization against AD?


It depends. What does authorization in this context mean?

AD has an integrated LDAP server, which is moderately useful; if you 
configure FreeRadius you can



Re: Calling-Station-Id Empty value

2010-10-13 Thread Alan DeKok
Moayad Mohammad wrote:
 I am using freeradius with wichorus ASN-GW (WiMAX), I have problem with
 Calling-Station-Id value
 
 The ASN-GW sent Calling-Station-Id in binary format like
 this \000\031\001\000K

  Horrible WiMAX specs...

 What’s the problem? And how can insert the
 Calling-Station-Id value to radacct table?

  In 2.1.10, list wimax in the authorize section, and it will be
magically fixed.

  Alan DeKok.
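Why the posted value expands to an empty string, and what the fix Alan points at has to achieve, is easier to see on the bytes themselves. This Python is an added example, not code from the thread or from rlm_wimax: it decodes the octal-escaped value exactly as the debug output rendered it, shows that any NUL-terminated string copy of it yields '' (hence '%{Calling-Station-Id}' becoming ''), and rewrites it into a form with no NUL bytes before it reaches SQL. The colon-separated MAC format for 6-octet values is an assumption about what the wimax module produces, not taken from its source.

```python
import re

# The Calling-Station-Id exactly as the poster's radiusd -X output rendered it.
POSTED_VALUE = r"\000\031\001\000K"


def decode_debug_escapes(text):
    """Turn the \\ooo octal rendering used by radiusd -X back into the raw octets."""
    return re.sub(r"\\([0-7]{3})",
                  lambda m: chr(int(m.group(1), 8)), text).encode("latin-1")


def c_string_expand(raw):
    """What a NUL-terminated copy of the value yields: everything before the first
    0x00 byte. For the posted value that is the empty string the poster sees."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def normalize_calling_station_id(raw):
    """Defensive rewrite applied before the value is interpolated into SQL.
    A 6-octet value is rendered as a colon-separated MAC (assumed format, see
    lead-in); anything else is hex-encoded. Neither form can contain a NUL."""
    if len(raw) == 6:
        return ":".join("%02x" % b for b in raw)
    return "0x" + raw.hex()


def sql_literal(raw):
    """Quoted literal as it would stand in accounting_start_query after the rewrite.
    MAC and hex strings contain no quote characters, so nothing needs escaping;
    raw octets must never be interpolated into the query directly."""
    return "'" + normalize_calling_station_id(raw) + "'"


if __name__ == "__main__":
    raw = decode_debug_escapes(POSTED_VALUE)
    print("octets:", raw.hex())                                  # 001901004b
    print("NUL-terminated expansion:", repr(c_string_expand(raw)))  # ''
    print("normalised literal:", sql_literal(raw))
    # A full 6-octet WiMAX station id (constructed) becomes a readable MAC.
    print("6-octet example:", sql_literal(raw + b"\x01"))
```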

Re: freeradius 2.1.10 DHCP not responding

2010-10-13 Thread Arran Cudbard-Bell
IIRC there were problems binding the server to IP addresses. Try just
binding to an interface or being promiscuous.


Re: freeradius 2.1.10 DHCP not responding

2010-10-13 Thread Alan Buxey
Hi,

as Arran says - try making it bind to an interface rather than IP - but I would
suggest that you also check the following - are you running iptables or similar?
(if so, obviously enable port 67/68 UDP) - are you running SELinux or similar?
you might need to tweak that too with new SE policy

alan


MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread freeradius



Using freeradius 2.1.8, I have a sonicwall firewall that 
authenticates VPN users against the freeradius server. The VPN 
clients are the native MSFT VPN client.


When the client is configured for L2TP, MS-CHAP, the client connects. 
When the client is configured for L2TP MSChapv2, the client fails to 
connect with an error "It was not possible to verify the identity of 
the server".


As I understand it, the difference between mschapv1 and v2 is that 
the server sends back an authentication response. Seems like that 
handshake isn't working out? I know I've missed something somewhere. . .



radiusd -xX:
rad_recv: Access-Request packet from host 192.168.104.1 port 3873, 
id=22, length=124

User-Name = rsteeves
MS-CHAP-Challenge = 0x68dd158c5082247cfe49fecd9520386a
MS-CHAP2-Response = 0x010005edd3135eca19372073504d57f8a4b3ab31aff8b876e703bb4141ddc19afff921f6a358cd80b94b

NAS-IP-Address = x.x.x.x
NAS-Port = 0
Wed Oct 13 14:50:57 2010 : Info: server server_vpn {
Wed Oct 13 14:50:57 2010 : Info: +- entering group authorize {...}
Wed Oct 13 14:50:57 2010 : Info: ++[preprocess] returns ok
Wed Oct 13 14:50:57 2010 : Info: [mschap] Found MS-CHAP 
attributes.  Setting 'Auth-Type  = mschap'

Wed Oct 13 14:50:57 2010 : Info: ++[mschap] returns ok
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] Entering ldap_groupcmp()
Wed Oct 13 14:50:57 2010 : Info: [files]expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
Wed Oct 13 14:50:57 2010 : Info: [files]expand: %{Stripped-User-Name} -> 
Wed Oct 13 14:50:57 2010 : Info: [files]... expanding second conditional
Wed Oct 13 14:50:57 2010 : Info: [files]expand: %{User-Name} -> rsteeves
Wed Oct 13 14:50:57 2010 : Info: [files]expand: (&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=rsteeves)(objectClass=person))

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
((sAMAccountname=rsteeves)(objectClass=person))
Wed Oct 13 14:50:57 2010 : Error:   [ldap] ldap_search() failed: LDAP 
connection lost.

Wed Oct 13 14:50:57 2010 : Info:   [ldap] Attempting reconnect
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] attempting LDAP reconnection
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] closing existing LDAP connection
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] (re)connect to 
dc.int.example.com:389, authentication 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] bind as 
CN=_UserID,OU=Service Accounts,OU=Special User 
Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I 
to dc.int.example.com:389

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] waiting for bind result ...
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] Bind was successful
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
((sAMAccountname=rsteeves)(objectClass=person))

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Oct 13 14:50:57 2010 : Info: [files]expand: 
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
- (|((objectClass=GroupOfNames)(member=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))((objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
((cn=VPN_Users)(|((objectClass=GroupOfNames)(member=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))((objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] object not found
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
CN=Rick 
Steeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with 
filter (objectclass=*)
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
CN=VPN_Users,OU=Security 
Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
Wed Oct 13 14:50:57 2010 : Debug: rlm_ldap::ldap_groupcmp: User found 
in group VPN_Users

Wed Oct 13 14:50:57 2010 : 

Re: MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread Alan DeKok
freerad...@corwyn.net wrote:
 
 
 Using freeradius 2.1.8, I have a sonicwall firewall that authenticates
 VPN users against the freeradius server. The VPN clients are the native
 MSFT VPN client.
 
 When the client is configured for L2TP, MS-CHAP, the client connects.
 When the client is configured for L2TP MSChapv2, the client fails to
 connect with an error "It was not possible to verify the identity of the
 server".
...
 Wed Oct 13 14:50:57 2010 : Debug: Exec-Program output: NT_KEY:
 DDE9BB9EA12ED17BE5F358CB53EE6A8F

  Change the version of Samba that you're using.  3.5.5 contains a fix
which addresses this issue.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
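The MS-CHAPv2 server-to-client authentication response mentioned above, as an added example (not code from this thread or from FreeRADIUS itself): it derives the "S=..." string of MS-CHAP2-Success from the NT_KEY that ntlm_auth printed in the debug output, and shows the byte-for-byte comparison the client performs, which is why a wrong NT_KEY on the Samba side ends in the "could not verify the identity of the server" failure. The NT_KEY, MS-CHAP-Challenge and user name are taken from the log in this thread; the Peer-Challenge and NT-Response are constructed sample values.

```python
import hashlib
import hmac

# Values quoted from the debug output in this thread.
NT_KEY = bytes.fromhex("DDE9BB9EA12ED17BE5F358CB53EE6A8F")        # ntlm_auth "NT_KEY:" line
AUTH_CHALLENGE = bytes.fromhex("68dd158c5082247cfe49fecd9520386a")  # MS-CHAP-Challenge
USER_NAME = b"rsteeves"

# Constructed sample values: the MS-CHAP2-Response in the thread is truncated,
# so the client's Peer-Challenge (16 bytes) and NT-Response (24 bytes) are made up.
PEER_CHALLENGE = bytes(range(16))
NT_RESPONSE = bytes(range(0x10, 0x10 + 24))

# RFC 2759 section 8.7 "magic" strings, 39 and 41 bytes respectively.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 section 8.2: the 8-byte challenge both sides derive."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]


def authenticator_response(nt_hash_hash, nt_response, peer_challenge,
                           auth_challenge, user_name):
    """RFC 2759 section 8.7: the "S=<40 hex>" string sent in MS-CHAP2-Success.
    nt_hash_hash is MD4 of the NT password hash; with ntlm_auth, rlm_mschap
    takes that value straight from the NT_KEY line, so no MD4 is needed here.
    """
    digest = hashlib.sha1(nt_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, user_name)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def client_verifies_server(expected, received):
    """The peer recomputes the string from its own password hash and compares;
    a mismatch is the Windows "could not verify the identity of the server"
    error seen in this thread."""
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    good = authenticator_response(NT_KEY, NT_RESPONSE, PEER_CHALLENGE,
                                  AUTH_CHALLENGE, USER_NAME)
    # A server working from a wrong NT_KEY produces a different string.
    bad = authenticator_response(bytes(16), NT_RESPONSE, PEER_CHALLENGE,
                                 AUTH_CHALLENGE, USER_NAME)
    print(good, client_verifies_server(good, good), client_verifies_server(good, bad))
```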


Re: MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread freeradius

At 03:43 PM 10/13/2010, Alan DeKok wrote:

 Wed Oct 13 14:50:57 2010 : Debug: Exec-Program output: NT_KEY:
 DDE9BB9EA12ED17BE5F358CB53EE6A8F

  Change the version of Samba that you're using.  3.5.5 contains a fix
which addresses this issue.


Thanks Alan. That server is running samba3x-3.3.8-0.52.el5_5.2, so 
that's quite useful!


What's interesting is that I have found a server running 
samba3x-3.3.8-0.52.el5_5 (separate installation, same config files, 
also VPN  sonicwall) which is not exhibiting this issue. 
Regardless, I'll go see about finding the new samba.


Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Facing mSchapv2 errors

2010-10-13 Thread Bhanu Vegesna
Hi Alan,

Got it working now, thank you

On Tue, Oct 12, 2010 at 5:39 PM, Bhanu Vegesna <bhanu.vege...@gmail.com> wrote:

 Hi Alan,

 Thank you for your reply. I have the user ctc and a cleartext password mentioned
 in the users file. I have the complete log at the office; I will send it to you once I reach
 the office tomorrow morning.


 On Tue, Oct 12, 2010 at 3:55 PM, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:

 Hi,

 Please find below the complete server dump, facing some mschapv2 error

 no, it's not the complete server dump...it's the bit you've decided
 to send to us - which starts with the line rad_recv: Access-Request packet
 from host
 and not the whole output.


 server inner-tunnel

 files returns no-op


 you say the users are in the local users file?  this says otherwise. what's the
 users file
 look like? does it have the 'ctc' user in it?

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html