Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008

2011-03-18 Thread Geoffrey Chavepeyer
Hey everyone !

I'm trying to configure a FreeRADIUS server that authenticates with MSCHAPv2
against an Active Directory 2008.
It's my first RADIUS install, so go easy with me, I'm a noob :)

I've followed the following howto:
http://deployingradius.com/documents/configuration/active_directory.html
and everything goes fine with radtest, wbinfo and ntlm_auth, and my user is
correctly authenticated.

I'm now trying to connect a Windows 7 supplicant using that RADIUS server.
(That client is configured to use Microsoft: Protected EAP (PEAP),
"validate server certificate" is unchecked and the authentication method is
"Secured password (EAP-MSCHAPv2)".)

The problem seems to be that my client stops answering after 4-5
Access-Challenges. I saw the remarks about the xpextensions of the
certificates and made sure that the included Makefile correctly uses the
xpextensions, which it seems to be doing.

The full debug is here : http://pastebin.com/B86AgN1N

It seems that mschap correctly authenticates the user:

Fri Mar 18 09:51:31 2011 : Info: +- entering group authenticate {...}
Fri Mar 18 09:51:31 2011 : Info: [eap] Request found, released from the list
Fri Mar 18 09:51:31 2011 : Info: [eap] EAP/mschapv2
Fri Mar 18 09:51:31 2011 : Info: [eap] processing type mschapv2
Fri Mar 18 09:51:31 2011 : Info: [mschapv2] +- entering group MS-CHAP {...}
Fri Mar 18 09:51:31 2011 : Info: [mschap] Told to do MS-CHAPv2 for gchavepeyer with NT-Password
Fri Mar 18 09:51:31 2011 : Info: [mschap] No NT-Domain was found in the User-Name.
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand: --domain=%{mschap:NT-Domain:-EUROPE} -> --domain=EUROPE
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand: --username=%{mschap:User-Name} -> --username=gchavepeyer
Fri Mar 18 09:51:31 2011 : Info: [mschap]  mschap2: 5c
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=82d538878ea2db35
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=555bd723d3058e951670b77a443550a83f4eab5af5124f1f
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program output: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program: returned: 0
Fri Mar 18 09:51:31 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Fri Mar 18 09:51:31 2011 : Info: ++[mschap] returns ok
Fri Mar 18 09:51:31 2011 : Debug: MSCHAP Success
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
} # server inner-tunnel
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply code 11
EAP-Message =
0x011400331a0313002e533d4644354536323645394645383839333042323031364339453731463231323146443337303836
Message-Authenticator = 0x
State = 0x3cafd11f3dbbcb7c3fe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x011400331a0313002e533d4644354536323645394645383839333042323031364339453731463231323146443337303836
Message-Authenticator = 0x
State = 0x3cafd11f3dbbcb7c3fe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled Access-Challenge
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 29 to 10.32.25.204 port 32768
EAP-Message =
0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991
Message-Authenticator = 0x
State = 0x11c1c21a16d5dba84c633101b1a44bc3
Fri Mar 18 09:51:31 2011 : Info: Finished request 7.
Fri Mar 18 09:51:31 2011 : Debug: Going to the next request
Fri Mar 18 09:51:31 2011 : Debug: Waking up in 4.8 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 0 ID 22 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 1 ID 23 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 2 ID 24 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 3 ID 25 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 4 ID 26 with timestamp +27
Fri Mar 18 09:51:36 2011 : Debug: Waking up in 0.1 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 5 ID 27 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 6 ID 28 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 7 ID 29 with timestamp +27
Fri Mar 18 09:51:36 2011 : Debug: Ready to process requests.

The server sends an Access-Challenge (instead of an Access-Accept?) again, but
the client never answers back and the client gets an unable to connect to


Can someone please help me with this? (All my configuration is visible in
the first debug lines, but if needed I can post the content of any file.)

Thanks a lot 

Re: Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008

2011-03-18 Thread Alan Buxey
Hi,

I've followed the following howto:
http://deployingradius.com/documents/configuration/active_directory.html
and everything goes fine with radtest, wbinfo and ntlm_auth, and my user
is correctly authenticated.

My first question is: why such an old version of FreeRADIUS if you are
only just starting out? 2.1.10 has a LOT of bug fixes compared to the
very old 2.1.7 version... dated 14 September 2009, 2.1.7 came out before Windows
7 (*).

Win7 is also VERY fussy about certs. Have you installed the CA cert
that your RADIUS server cert is signed with? I know you haven't ticked the validate
button... but Win7 is fussy(!)


alan

(*) release to manufacturing was July 2009, release to retail was October 2009

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


(Fwd) Re: Seg Fault - radius 3.0 Debug

2011-03-18 Thread Breuer Nicolas

 Hello,

 I finally solved my issue. It was a problem of linking the MySQL libs.
 I'm sorry. Apologies to all.

 But... maybe variables have changed, but since version 3.0 the variable
 %{Huntgroup-Name} is no longer recognized.

 Tested on version 2.1.11 - works perfectly.

 Any ideas?

  Thanks



--- Forwarded message follows ---
Date sent:  Thu, 17 Mar 2011 21:20:20 +
From:   Alan Buxey a.l.m.bu...@lboro.ac.uk
To: nicolas.bre...@belcenter.biz 
nicolas.bre...@belcenter.biz,
FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject:Re: Seg Fault - radius 3.0 Debug

Hi,

 Here is my debug file with gdb on the seg fault
 [Thread debugging using libthread_db enabled]
 [New Thread 0x7600b700 (LWP 23433)]
 [Thread 0x7600b700 (LWP 23433) exited]
 Program received signal SIGSEGV, Segmentation fault.
 0x76032890 in mysql_field_count () from /usr/lib64/mysql/libmysqlclient_r.so.16
 Missing separate debuginfos, use: debuginfo-install glibc-2.13-1.x86_64

suggest you follow the information given to get more debugging info out

alan
--- End of forwarded message ---

Cisco and Enterasys not active access to Authenticated User

2011-03-18 Thread Fabricio Oliveira
Hello everyone,

I have a scenario configured for access to Linux, Cisco and Enterasys
assets; when using the Cisco VPN it is not possible to authenticate on the
assets. It only works when Filter-ID == Enterasys:version=1:mgmt=rw is turned
off. Is there any way to configure this and access the assets?

Here is the example setup:

FreeRADIUS Version 2.0.4

example_user   Auth-Type := LDAP
        Service-Type = Shell-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Cisco-AVPair = "shell:cmd*",
        Filter-ID = "Enterasys:version=1:mgmt=rw"
-- 

Thanks,

Fabricio Oliveira

Re: (Fwd) Re: Seg Fault - radius 3.0 Debug

2011-03-18 Thread Alan DeKok
Breuer Nicolas wrote:
  but.. Maybe variables have changed but since 3.0 version the variable
 %{Huntgroup-Name}
  is no more recognized.

  It should work.  The git master branch hasn't changed any of that
functionality.

  And (as always) what does debug mode say?

  Alan DeKok.


Re: Cisco and Enterasys not active access to Authenticated User

2011-03-18 Thread Alan Buxey
Hi,
Hello everyone,
I have a scenario configured for access to Linux, Cisco and Enterasys
assets; when using the Cisco VPN it is not possible to authenticate on the
assets. It only works when Filter-ID == Enterasys:version=1:mgmt=rw is turned
off. Is there any way to configure this and access the assets?

Here is the example setup:

FreeRADIUS Version 2.0.4

example_user   Auth-Type := LDAP
        Service-Type = Shell-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Cisco-AVPair = "shell:cmd*",
        Filter-ID = "Enterasys:version=1:mgmt=rw"

Easy way no. 1: create another users entry with a fall-through allowed,
which basically requires the Cisco kit as the NAS-IP-Address, e.g.

example_user   Auth-Type := LDAP, NAS-IP-Address == xxx.xxx.xxx.xxx
        Service-Type = Shell-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Cisco-AVPair = "shell:cmd*"

where xxx.xxx.xxx.xxx is the NAS-IP-Address of your Cisco kit.

If you want a basic easy way no. 2, then don't use NAS-IP-Address;
use a huntgroup and define your Cisco NAS kit in the huntgroups file instead
(an easy way to have lots of IP addresses for those devices).

alan
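A worked model of the two approaches in the reply above, added here as an example; it is not code from the post or from FreeRADIUS. It reproduces the rlm_files rule that matters: entries in the users file are tried in order, the first entry whose check items all match supplies its reply items, and evaluation only continues past a match if that entry sets Fall-Through = Yes. Huntgroup-Name is modelled the way rlm_preprocess adds it, from a huntgroups file mapping names to NAS-IP-Addresses. The device addresses, huntgroup names and the split users file are constructed for the example; the single-entry file mirrors the one in the question.

```python
"""Model of rlm_files entry selection for the Cisco/Enterasys users entries.

Added example; not code from the post or from FreeRADIUS. Entries are
tried top to bottom, the first whose check items all match supplies its
reply items, and only Fall-Through = Yes continues to later entries.
Huntgroup-Name is modelled as rlm_preprocess adds it from the huntgroups
file. All addresses, names and entries below are constructed.
"""

# Constructed huntgroups file: huntgroup name -> NAS-IP-Addresses (assumed).
HUNTGROUPS = {
    "cisco": {"10.0.0.1", "10.0.0.2"},
    "enterasys": {"10.0.1.1"},
}

# Users file entries as (check_items, reply_items, fall_through).
# Check items: (attribute, operator, value); reply items: (attribute, value).
# Single entry as in the original post: every NAS gets every attribute.
USERS_ORIGINAL = [
    ([("User-Name", "==", "example_user"), ("Auth-Type", ":=", "LDAP")],
     [("Service-Type", "Shell-User"),
      ("Cisco-AVPair", "shell:priv-lvl=15"),
      ("Cisco-AVPair", "shell:cmd*"),
      ("Filter-ID", "Enterasys:version=1:mgmt=rw")],
     False),
]

# Split per huntgroup, as the reply suggests: each NAS only gets its own attributes.
USERS_SPLIT = [
    ([("User-Name", "==", "example_user"), ("Huntgroup-Name", "==", "cisco"),
      ("Auth-Type", ":=", "LDAP")],
     [("Service-Type", "Shell-User"),
      ("Cisco-AVPair", "shell:priv-lvl=15"),
      ("Cisco-AVPair", "shell:cmd*")],
     False),
    ([("User-Name", "==", "example_user"), ("Huntgroup-Name", "==", "enterasys"),
      ("Auth-Type", ":=", "LDAP")],
     [("Service-Type", "Shell-User"),
      ("Filter-ID", "Enterasys:version=1:mgmt=rw")],
     False),
]


def huntgroup_names(nas_ip):
    """Huntgroup-Name values rlm_preprocess would add for a request from nas_ip."""
    return {name for name, members in HUNTGROUPS.items() if nas_ip in members}


def check_items_match(check_items, request, control):
    """True if every check item matches; ':=' items set control attributes instead."""
    for attr, op, value in check_items:
        if op == ":=":
            control[attr] = value
        elif op != "==":
            raise ValueError("operator %r not modelled" % op)
        elif attr == "Huntgroup-Name":
            if value not in huntgroup_names(request["NAS-IP-Address"]):
                return False
        elif request.get(attr) != value:
            return False
    return True


def authorize(users, request):
    """Return (control, reply) for the request, mimicking rlm_files."""
    control, reply = {}, []
    for check_items, reply_items, fall_through in users:
        candidate = dict(control)
        if not check_items_match(check_items, request, candidate):
            continue
        control = candidate
        reply.extend(reply_items)
        if not fall_through:
            break
    return control, reply


def reply_attributes(users, nas_ip, user="example_user"):
    """Attribute names a NAS at nas_ip would receive for user (order preserved)."""
    _, reply = authorize(users, {"User-Name": user, "NAS-IP-Address": nas_ip})
    return [attr for attr, _ in reply]


if __name__ == "__main__":
    for label, users in (("original", USERS_ORIGINAL), ("split", USERS_SPLIT)):
        for nas in ("10.0.0.1", "10.0.1.1", "192.0.2.9"):
            print(label, nas, reply_attributes(users, nas))
```

With the single entry, a request from any NAS receives the Cisco-AVPairs and the Filter-ID together; with the split file the Cisco huntgroup receives only the shell authorisation, the Enterasys huntgroup only the Filter-ID, and a NAS in neither huntgroup matches no entry at all, which is the property to check with radtest from each device's address.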

(Fwd) (Fwd) Re: Seg Fault - radius 3.0 Debug

2011-03-18 Thread Breuer Nicolas

 
 The debug mode didn't say anything - no errors.
 My variable is in the sqlippool.conf file and is called with %{Huntgroup-Name}.

 No values were returned.

 With 2.1.11 - same directory, dictionary files, etc. - I get a value.
 

Re: (Fwd) (Fwd) Re: Seg Fault - radius 3.0 Debug

2011-03-18 Thread Alan DeKok
Breuer Nicolas wrote:
  The debug mode didn't say anything - no errors.

  Then I guess there are no problems.

  Alan DeKok.


perl dynamic expansion in unlang?

2011-03-18 Thread Fajar A. Nugraha
Hi,

Is there an example of dynamic expansion with perl in unlang?
Something like this, but using perl instead of regex and SQL:

if ("%{request:User-Name}" =~ /^(.*)@/) {
        update reply {
                Reply-Message := "%{sql:SELECT CONCAT('Stripped-User-Name: ', '%{1}', ', random value: ', RAND())}"
        }
}

On a side note, in RHEL6's freeradius-perl RPM, rlm_perl is unusable:
Can't load '/usr/lib64/perl5/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib64/perl5/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib64/perl5/XSLoader.pm line 70.

-- 
Fajar


Re: perl dynamic expansion in unlang?

2011-03-18 Thread John Dennis

On 03/18/2011 12:39 PM, Fajar A. Nugraha wrote:


On a side note, in RHEL6's freeradius-perl RPM, rlm_perl is unusable:
Can't load '/usr/lib64/perl5/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib64/perl5/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib64/perl5/XSLoader.pm line 70.


Not sure, but this sounds like the same issue discussed here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416266

Please file a bug report at bugzilla.redhat.com

Thank you


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Using Freeradius2

2011-03-18 Thread Luke Hammond
Hey all, are there any good resources on how to actually use FreeRADIUS 2
once it's installed?


I have it running along with CoovaChilli as my captive portal, and
daloRADIUS for the GUI (as I will have people inputting users that have
no idea about how to use the command line...).


My problem is this: we have clients that are people in their houses
that connect to our wireless network; the Coova login page appears and they
log in with the username and password that I input into daloRADIUS. I
have a few clients that are small LAN houses that want to use our
system, but I am unsure if I can have them not need to log in through the
CoovaChilli portal, and just get authenticated via the MAC address of
their antenna? I can't find any good documentation on how to do anything
with FreeRADIUS.


Thanks in Advance


Re: Freeradius 2 + MySQL + MD5 hash don't work

2011-03-18 Thread joao...@gmail.com
Okay folks, I appreciate the help. I already managed to solve it.

Basically there were two details. The first was that, as the supplicant was
trying to authenticate, it was using MSCHAPv2, but the passwords were stored
in the database hashed with MD5, so, just as with CHAP, authentication would
not work. By forcing the supplicant to use TTLS + PAP, the authentication worked.

I thank you all.

2011/3/17 Alan Buxey a.l.m.bu...@lboro.ac.uk

 Hi,
 Dear Phil,
 
 By removing this option, it tries to authenticate with EAP/MSCHAPv2,
 and also fails.

 no... it works - but you haven't got the 'sql' module enabled in the
 inner-tunnel (which is where the server goes when it's doing EAP)

 put sql into the inner-tunnel virtual server and then the password
 will be exposed in the EAP tunnel... et voilà, it will work(tm)

 alan




-- 
João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

The mistake of those who have power is to put up barriers so that no one reaches them,
encouraging us to seek every way we can find to reach them.

Re: Using Freeradius2

2011-03-18 Thread Gary Gatten
Dude, you are SO gonna get flamed - put your flame suit on! Hopefully Mr. DeKok
is in a good mood! ;-)

So you want some users to auth with username/password, and others with MAC or
some other means?

There have been numerous posts about similar requirements, plus:

man unlang, man radiusd, etc. Also, some good info and examples embedded in
the various config files and samples in the various dirs. Also wikis... And I
think www.supportingradius.org? Not sure on the URL.

Dig around a bit and you'll find a $hit load of doc, and probably some good
examples of others that did exactly what you want.





Re: Using Freeradius2

2011-03-18 Thread Luke Hammond
Hey, thanks for the reply. I probably should have mentioned that I know
pretty much nothing about Linux, apart from using it with a GUI.


Yes, what you said is right: I would like some people to log in with
username/password, and some with MAC.


I'll take a look at some of those things you mentioned. Thanks.

