Re: eapol_test giving up and win-like error?

2012-01-18 Thread NdK
On 18/01/2012 15:25, Alan DeKok wrote:
> NdK wrote:
>> I think I'm near to correctly configuring my server... but I run into a
>> situation that IIUC should be related to win clients only: I get
> ...
>> message and *eapol_test* (run from a *linux* machine!) gives up after
>> about 10 seconds.
> 
>   Then read the error messages from eapol_test.  Why does it stop?  It
> should say.
That's eapol_test output. I changed my AD pass to 'testing123' just for
the time needed to test, so the values are the real ones.
I can't see any error, just a timeout...
There's a short delay before "EAPOL: startWhen --> 0" and a long one
just after.
If needed, I logged the output of freeradius -X for this run, too (not
posted to avoid spamming the list too much -- nothing changed in its
config).

# eapol_test -c /home/ndk/Scaricati/peap-mschapv2.conf -s testing123qaz -a 137.204.65.163
Reading configuration file '/home/ndk/Scaricati/peap-mschapv2.conf'
Line: 4 - start of a new network block
key_mgmt: 0xd
proto: 0x3
group: 0x18
scan_ssid=1 (0x1)
mode=0 (0x0)
ssid - hexdump_ascii(len=8):
 41 4c 4d 41 57 49 46 49   ALMAWIFI
pairwise: 0x18
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
password - hexdump_ascii(len=10):
 74 65 73 74 69 6e 67 31 32 33 testing123
identity - hexdump_ascii(len=23):
 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
 7a 75 63 63 61 74 6f  zuccato
phase2 - hexdump_ascii(len=15):
 70 68 61 73 65 32 3d 4d 53 43 48 41 50 56 32  phase2=MSCHAPV2
ca_cert - hexdump_ascii(len=61):
 2f 68 6f 6d 65 2f 6e 64 6b 2f 44 6f 63 75 6d 65   /home/ndk/Docume
 6e 74 69 2f 55 66 66 69 63 69 6f 2f 43 41 2f 63   nti/Ufficio/CA/c
 65 72 74 73 2f 41 73 74 72 6f 6e 6f 6d 69 61 20   erts/Astronomia
 2d 20 52 6f 6f 74 20 43 41 2e 63 72 74            - Root CA.crt
Priority group 0
   id=0 ssid='ALMAWIFI'
Authentication server 137.204.65.163:1812
RADIUS local address: 137.204.65.96:45959
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=23):
 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
 7a 75 63 63 61 74 6f  zuccato
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=28)
TX EAP -> RADIUS - hexdump(len=28): 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=154
   Attribute 1 (User-Name) length=25
  Value: 'PERSONALE\diego.zuccato'
   Attribute 4 (NAS-IP-Address) length=6
  Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
  Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
  Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
  Value: 19
   Attribute 77 (Connect-Info) length=24
  Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=30
  Value: 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
   Attribute 80 (Message-Authenticator) length=18
  Value: bd 07 f8 80 77 2d 48 51 d9 90 ce fe 5b e2 8f 35
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
  Value: 01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e 1b 55
   Attribute 80 (Message-Authenticator) length=18
  Value: 75 9e 8f 62 48 3d 24 33 f9 ba cc ac 8c d3 cc 90
   Attribute 24 (State) length=18
  Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 
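
To see what the two EAP-Message values in the trace above actually carry, here is an added Python decoder (not part of the original post, of eapol_test or of FreeRADIUS) fed with the bytes copied from the Access-Request and the Access-Challenge above. The Access-Request wraps an EAP-Response/Identity with "PERSONALE\diego.zuccato"; the Access-Challenge turns out to be an EAP-Request of type 4 (MD5-Challenge), not PEAP: FreeRADIUS 2.x opens with the method named by default_eap_type in eap.conf (md5 in the shipped config), and a supplicant configured for PEAP is expected to answer with an EAP-Nak (type 3) listing type 25, which the code also builds and parses. The length checks are the ones a NAS or server has to make before trusting the packet.

```python
import struct

# EAP codes and the method types relevant to the trace above (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

# EAP-Message attribute values copied from the eapol_test output above
# (attribute 79 of the Access-Request and of the Access-Challenge).
REQUEST_EAP = bytes.fromhex(
    "02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f"
    " 2e 7a 75 63 63 61 74 6f")
CHALLENGE_EAP = bytes.fromhex(
    "01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e 1b 55")


def parse_eap(pkt):
    """Decode one EAP packet (RFC 3748 section 4) into a dict.

    Raises ValueError on a truncated packet or a Length field that does not
    agree with the data, so a caller never indexes past what it received."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length {length} inconsistent with {len(pkt)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                  # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        eap_type = pkt[4]
        data = pkt[5:length]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:               # Identity: the NAI as UTF-8 text
            info["identity"] = data.decode("utf-8")
        elif eap_type == 4:             # MD5-Challenge: Value-Size, Value, Name
            if not data or len(data) < 1 + data[0]:
                raise ValueError("MD5-Challenge value truncated")
            vsize = data[0]
            info["challenge"] = data[1:1 + vsize].hex()
            info["name"] = data[1 + vsize:].decode("utf-8")
        else:                           # Nak and everything else: raw type data
            info["data"] = data.hex()
    return info


def build_nak(ident, desired_types):
    """EAP-Response/Nak (type 3): what a supplicant sends when the method in
    the Request is unacceptable, listing the method types it will do instead.
    The Identifier must echo the Request being refused."""
    body = bytes([3]) + bytes(desired_types)
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


if __name__ == "__main__":
    print("Access-Request   :", parse_eap(REQUEST_EAP))
    print("Access-Challenge :", parse_eap(CHALLENGE_EAP))
    # Reply a PEAP-only supplicant would send to the MD5 request (id=1).
    print("Supplicant Nak   :", parse_eap(build_nak(1, [25])))
```

Running it prints the Identity response (id 0, 28 bytes), the MD5-Challenge request (id 1, 16-byte challenge, empty Name) and a 6-byte Nak proposing PEAP. Whether the server then switched to PEAP, and why the session still did not finish, cannot be told from the part of the trace posted above.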

Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-18 Thread Phil Mayers

On 18/01/12 16:04, suggestme wrote:

There are different users under Staff, Administrators, Retirees, etc in
active directory as:

OU=Staff        OU=Administrators   OU=Retirees
  CN=users        CN=users            CN=users


Ok, so you want to look at the "OU" in the DN.

The "ldap" module sets the value "Ldap-UserDN". You can match this. This 
is easiest in "unlang". For example, in sites-enabled/:


authorize {
  ...
  ldap

  # match the 2nd part of the DN with a regexp
  # e.g.
  # CN=foo,OU=bar,CN=com

  if (Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
    # store the regexp match in the control list; %{1} is the first
    # capture group and is only valid right after the match
    update control {
      # This will be set to "bar"
      Tmp-String-1 := "%{1}"
    }
  }
  ...
}

post-auth {
  # now, read the value of Tmp-String-1
  update reply {
    Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"
  }
}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
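
As an added illustration of the approach in the reply above (this is example code, not something from the original thread or from FreeRADIUS), the following Python runs the same regexp over a few constructed DNs and puts beside it a proper RDN split. Two things come out that the unlang snippet alone does not show: the regexp only matches when the OU is exactly the second RDN and the CN contains no escaped comma, and the captured OU is pasted into Filter-Id verbatim, whereas the thread wants "policy=staff" for OU=Staff but "policy=Administrators" for OU=Administrators, so a small OU-to-policy table is still needed. The POLICY_BY_OU table below is built from the Filter-Id values quoted in this thread; the "Retirees" policy name and all the sample DNs are assumptions.

```python
import re

# Regexp from the unlang snippet above: the 2nd RDN of Ldap-UserDN must be
# an OU, whose value is captured as group 1 (%{1} in unlang).
OU_RE = re.compile(r"^[^,]+,OU=([^,]+),")

# OU -> Enterasys policy name. Values for Staff and Administrators are the
# ones quoted in the thread; "Retirees" is assumed ("similarly for others").
# This is the user->filter lookup table the earlier reply says must live
# somewhere: OU names and policy names differ in case, so the OU cannot be
# dropped into Filter-Id unchanged.
POLICY_BY_OU = {
    "Staff": "staff",
    "Administrators": "Administrators",
    "Retirees": "Retirees",
}
FILTER_ID_FMT = "Enterasys:version=1:policy={policy}"


def ou_from_dn_regex(dn):
    """Exactly what the unlang regexp captures, or None when it does not match."""
    m = OU_RE.match(dn)
    return m.group(1) if m else None


def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514 backslash escaping; hex-pair
    escapes are left in place rather than decoded)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def ou_from_dn(dn):
    """Innermost OU of the DN, or None. Unlike the regexp this survives an
    escaped comma in the CN, finds an OU at any depth and compares the
    attribute type case-insensitively."""
    for rdn in split_rdns(dn):
        typ, sep, val = rdn.partition("=")
        if sep and typ.strip().upper() == "OU":
            return val.strip()
    return None


def filter_id_for_dn(dn):
    """Filter-Id to return for this user, or None when no policy is known.
    In unlang the None case should become a reject rather than a reply with
    an empty or unexpected policy name sent to the switch."""
    ou = ou_from_dn(dn)
    policy = POLICY_BY_OU.get(ou) if ou else None
    return FILTER_ID_FMT.format(policy=policy) if policy else None


# Constructed sample DNs (assumptions, not taken from the thread).
SAMPLE_DNS = {
    "staff": "CN=jdoe,OU=Staff,DC=example,DC=com",
    "admin": "CN=asmith,OU=Administrators,DC=example,DC=com",
    # nested OUs: both approaches take the innermost (leftmost) OU
    "nested": "CN=rroe,OU=Staff,OU=Bologna,DC=example,DC=com",
    # default Users container: there is no OU at all
    "container": "CN=guest,CN=Users,DC=example,DC=com",
    # escaped comma in the CN defeats the [^,]+ prefix of the regexp
    "escaped": "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com",
}

if __name__ == "__main__":
    for name, dn in SAMPLE_DNS.items():
        print(f"{name:>9}: regex={ou_from_dn_regex(dn)!r:<18} "
              f"parsed={ou_from_dn(dn)!r:<10} reply={filter_id_for_dn(dn)!r}")
```

The "container" and "escaped" rows are the ones to watch: with the regexp alone, Tmp-String-1 stays unset for those users and the post-auth block would send "policy=" with nothing after it unless the unlang checks for that.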


Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-18 Thread suggestme
There are different users under Staff, Administrators, Retirees, etc in
active directory as:

OU=Staff        OU=Administrators   OU=Retirees
  CN=users        CN=users            CN=users

I have to return the filterID value for staff users as:

Filter-Id := "Enterasys:version=1:policy=staff"

Also, filterID value for Administrators users as:

Filter-Id := "Enterasys:version=1:policy=Administrators"

similarly for others.

>
> If you want to return a different filter for different users, you will 
> obviously need some kind of lookup table from user->filter. That will 
> need to live somewhere.
>

How to do this? Can the lookup table be created inside Active Directory
using an attribute? If so, how do I return that user's filter attribute value
from Active Directory back to the NAS?


Thanks,

 



Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-18 Thread Phil Mayers

On 18/01/12 14:55, suggestme IT wrote:


DEFAULT Ldap-Group == "Staff"
	Filter-ID := "Enterasys:version=1:policy=staff",
	Fall-Through = No

But how do I do the same for the users in Active Directory? How do I
return the Filter-ID attribute value if there is no group configured in
Active Directory, just user listings that can be authenticated and
authorized using the passwords provided?

The main point is: I don't have any group configured as Ldap-Group for
staff or admin or for the different types of users in Active Directory.


Do you want to return the same filter group for everyone?

If so, do this:

DEFAULT
	Filter-Id := "value"

...or better, in the virtual server config:

post-auth {
  update reply {
    Filter-Id := "value"
  }
}

If you want to return a different filter for different users, you will 
obviously need some kind of lookup table from user->filter. That will 
need to live somewhere.



How to return Filter-ID attribute value for the users in Active Directory?

2012-01-18 Thread suggestme IT

Hi, 

I am able to do authentication and authorization of the users that are in
Active Directory after FreeRadius and Active Directory integration. I am now
testing in a real test environment with an Enterasys switch in which Policy
Manager is already configured to assign different roles to different users.
Depending upon the Filter-ID attribute value returned by FreeRadius, the
Enterasys switch decides what role is assigned to the user. As far as I
understand, there is a way to achieve this if we have an Ldap-Group, so that
we can use:

DEFAULT Ldap-Group == "Staff" 
 Filter-ID :=  "Enterasys:version=1:policy=staff", 
 Fall-Through = No 

But how do I do the same for the users in Active Directory? How do I return
the Filter-ID attribute value if there is no group configured in Active
Directory, just user listings that can be authenticated and authorized using
the passwords provided?

The main point is: I don't have any group configured as Ldap-Group for staff or
admin or for the different types of users in Active Directory.

I would really appreciate if someone can give me the idea on this. 


Thanks, 



Re: Strange error in eapol_test

2012-01-18 Thread Phil Mayers

On 17/01/12 16:24, Rui Ribeiro wrote:


Hi list,

Still setting up a freeradius for eduroam -- internally it is
working fine EAP, TTLS and al, however when proxying/connecting to
the eduroam, everything seems ok in freeradius logs, however,
eapol_test finishes with an error (WARNING: PMK mismatch -- MPPE keys
OK: 0 mismatch: 1 FAILURE).


I have seen this before, but I don't have the details to hand.

If I recall, I decided it's a bug in eapol_test related to calculating 
the MSCHAP response.


For usernames of the form "DOMAIN\user" all sides correctly remove the 
"DOMAIN\" before calculating the response.


For usernames of the form "user@domain", eapol_test seems to include the 
@domain when calculating the response.


At the server, it varies depending on whether you are using FreeRADIUS 
"internal" MSCHAP versus ntlm_auth.


Basically: ignore it. I think it's a bug in eapol_test.


Re: eapol_test giving up and win-like error?

2012-01-18 Thread Alan DeKok
NdK wrote:
> I think I'm near to correctly configuring my server... but I run into a
> situation that IIUC should be related to win clients only: I get
...
> message and *eapol_test* (run from a *linux* machine!) gives up after
> about 10 seconds.

  Then read the error messages from eapol_test.  Why does it stop?  It
should say.

  Alan DeKok.


eapol_test giving up and win-like error?

2012-01-18 Thread NdK
Hi all.

I think I'm near to correctly configuring my server... but I run into a
situation that IIUC should be related to win clients only: I get
-8<--
WARNING: !!
WARNING: !! EAP session for state 0x6ac8f8c260c3e171 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
-8<--
message and *eapol_test* (run from a *linux* machine!) gives up after
about 10 seconds.
I checked the FAQ, but couldn't find anything useful.
The certs I'm using are from an internal CA (actually from an internal
intermediate CA; the cert chain is certs/ca.pem and is 4.5k; the root CA's
self-signed cert is pointed to by ca_cert= in eapol_test's config file).

Server is a plain Debian Squeeze, plus SAMBA 3.5.6 and FreeRADIUS 2.1.10 .
Domain is correctly joined and winbindd is running.
I followed steps described in
http://deployingradius.com/documents/configuration/active_directory.html
(then noticed that the two references to ntlm_auth in the authenticate
sections aren't needed for mschapv2: ntlm_auth gets called by the mschap
module).

The complete output from freeradius -X is:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {