Re: eapol_test giving up and win-like error?
On 18/01/2012 15:25, Alan DeKok wrote:
> NdK wrote:
>> I think I'm near to correctly configure my server... but I incur in a
>> situation that IIUC should be related to win clients only: I get
> ...
>> message and *eapol_test* (run from a *linux* machine!) gives up after
>> about 10 seconds.
>
> Then read the error messages from eapol_test. Why does it stop? It
> should say.

That's eapol_test output. I changed my AD pass to 'testing123' just for the time needed to test, so the values are the real ones. I can't see any error, just a timeout... There's a short delay before "EAPOL: startWhen --> 0" and a long one just after.

If needed, I logged output of freeradius -X for this run, too (not posted to avoid spamming the list too much -- nothing changed in its config).

# eapol_test -c /home/ndk/Scaricati/peap-mschapv2.conf -s testing123qaz -a 137.204.65.163
Reading configuration file '/home/ndk/Scaricati/peap-mschapv2.conf'
Line: 4 - start of a new network block
key_mgmt: 0xd
proto: 0x3
group: 0x18
scan_ssid=1 (0x1)
mode=0 (0x0)
ssid - hexdump_ascii(len=8):
     41 4c 4d 41 57 49 46 49                           ALMAWIFI
pairwise: 0x18
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
password - hexdump_ascii(len=10):
     74 65 73 74 69 6e 67 31 32 33                     testing123
identity - hexdump_ascii(len=23):
     50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
     7a 75 63 63 61 74 6f                              zuccato
phase2 - hexdump_ascii(len=15):
     70 68 61 73 65 32 3d 4d 53 43 48 41 50 56 32      phase2=MSCHAPV2
ca_cert - hexdump_ascii(len=61):
     2f 68 6f 6d 65 2f 6e 64 6b 2f 44 6f 63 75 6d 65   /home/ndk/Docume
     6e 74 69 2f 55 66 66 69 63 69 6f 2f 43 41 2f 63   nti/Ufficio/CA/c
     65 72 74 73 2f 41 73 74 72 6f 6e 6f 6d 69 61 20   erts/Astronomia 
     2d 20 52 6f 6f 74 20 43 41 2e 63 72 74            - Root CA.crt
Priority group 0
   id=0 ssid='ALMAWIFI'
Authentication server 137.204.65.163:1812
RADIUS local address: 137.204.65.96:45959
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=23):
     50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
     7a 75 63 63 61 74 6f                              zuccato
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=28)
TX EAP -> RADIUS - hexdump(len=28): 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=154
   Attribute 1 (User-Name) length=25
      Value: 'PERSONALE\diego.zuccato'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=30
      Value: 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
   Attribute 80 (Message-Authenticator) length=18
      Value: bd 07 f8 80 77 2d 48 51 d9 90 ce fe 5b e2 8f 35
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
      Value: 01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e 1b 55
   Attribute 80 (Message-Authenticator) length=18
      Value: 75 9e 8f 62 48 3d 24 33 f9 ba cc ac 8c d3 cc 90
   Attribute 24 (State) length=18
      Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time
Re: How to return Filter-ID attribute value for the users in Active Directory?
On 18/01/12 16:04, suggestme wrote:
> There are different users under Staff, Administrators, Retirees, etc in active directory as:
>
> OU=Staff        OU=Administrators        OU=Retirees
>   CN=users        CN=users                 CN=users

Ok, so you want to look at the "OU" in the DN.

The "ldap" module sets the value "Ldap-UserDN". You can match this. This is easiest in "unlang". For example, in sites-enabled/:

authorize {
  ...
  ldap

  # match the 2nd part of the DN with a regexp
  # e.g.
  # CN=foo,OU=bar,CN=com
  if (Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
    # store the regexp match in the control list
    update control {
      # This will be set to "bar"
      Tmp-String-1 := "%{1}"
    }
  }
  ...
}

post-auth {
  # now, read the value of Tmp-String-1
  update reply {
    Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"
  }
}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
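Added example, not from the list post or from FreeRADIUS itself: a Python check of how the post's regexp behaves on Ldap-UserDN values, next to an RFC 4514-aware split that copes with escaped commas and with DNs that have no OU at all. Because the Filter-Id drives the role the Enterasys switch assigns, a DN that silently fails to match would otherwise produce an empty policy name. The sample DNs and the `guest` fallback policy are assumptions.

```python
import re

# The unlang regexp from the post, as a Python pattern: the 2nd RDN must be OU=...
POST_REGEX = re.compile(r"^[^,]+,OU=([^,]+),")


def ou_naive(dn: str):
    """Mimic the post's `Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/` match."""
    m = POST_REGEX.match(dn)
    return m.group(1) if m else None


def split_rdns(dn: str):
    """Split a DN into (TYPE, value) pairs, honouring RFC 4514 backslash escapes
    so that a CN such as `Zuccato\\, Diego` is not cut at the escaped comma."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def ou_parsed(dn: str):
    """First OU in the DN, whatever its position; None if the DN has no OU."""
    for typ, val in split_rdns(dn):
        if typ == "OU":
            return val
    return None


def filter_id(dn: str, default: str = "guest") -> str:
    """Build the Filter-Id string from the post, but fall back to an assumed
    least-privilege policy name instead of emitting an empty policy."""
    ou = ou_parsed(dn)
    return f"Enterasys:version=1:policy={ou or default}"
```
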
Re: How to return Filter-ID attribute value for the users in Active Directory?
There are different users under Staff, Administrators, Retirees, etc in active directory as:

OU=Staff        OU=Administrators        OU=Retirees
  CN=users        CN=users                 CN=users

I have to return the filterID value for staff users as:

Filter-Id := "Enterasys:version=1:policy=staff"

Also, filterID value for Administrators users as:

Filter-Id := "Enterasys:version=1:policy=Administrators"

similarly for others.

>
> If you want to return a different filter for different users, you will
> obviously need some kind of lookup table from user->filter. That will
> need to live somewhere.
>

How to do this? Can the lookup table be created inside Active Directory using the attribute? If so, how to return that user's filter attribute value that is created from Active Directory back to NAS again.

Thanks,
Re: How to return Filter-ID attribute value for the users in Active Directory?
On 18/01/12 14:55, suggestme IT wrote:
> DEFAULT Ldap-Group == "Staff"
>         Filter-ID := "Enterasys:version=1:policy=staff",
>         Fall-Through = No
>
> But, how to do same like this for the users in Active Directory; how to return the Filter-ID attribute value if there is no group configured in Active Directory; there is just users listings who can be authenticated and authorized using the passwords provided. The main point is: I don't have any Group configured as Ldap-Group for staff or admin or for different types of users in Active Directory.

Do you want to return the same filter group for everyone? If so, do this:

DEFAULT Filter-Id := "value"

...or better, in the virtual server config:

post-auth {
  update reply {
    Filter-Id := "value"
  }
}

If you want to return a different filter for different users, you will obviously need some kind of lookup table from user->filter. That will need to live somewhere.
How to return Filter-ID attribute value for the users in Active Directory?
Hi,

I am able to do authentication and authorization of the users that are in Active Directory after FreeRadius and Active Directory integration. I am now testing in real test environment with Enterasys product (Switch) in which Policy manager is already configured to assign different roles to different users. Depending upon the Filter-ID attribute value returned by FreeRadius, Enterasys switch decides what role can be assigned to the user.

In my understanding I know there is the way to achieve this goal if we have Ldap-Group so that we can use as:

DEFAULT Ldap-Group == "Staff"
        Filter-ID := "Enterasys:version=1:policy=staff",
        Fall-Through = No

But, how to do same like this for the users in Active Directory; how to return the Filter-ID attribute value if there is no group configured in Active Directory; there is just users listings who can be authenticated and authorized using the passwords provided. The main point is: I don't have any Group configured as Ldap-Group for staff or admin or for different types of users in Active Directory.

I would really appreciate if someone can give me the idea on this.

Thanks,
Re: Strange error in eapol_test
On 17/01/12 16:24, Rui Ribeiro wrote:
> Hi list,
>
> Still setting up a freeradius for eduroam -- internally it is working fine EAP, TTLS and al, however when proxying/connecting to the eduroam, everything seems ok in freeradius logs, however, eapol_test finishes with an error (WARNING: PMK mismatch -- MPPE keys OK: 0 mismatch: 1 FAILURE).

I have seen this before, but I don't have the details to hand.

If I recall, I decided it's a bug in eapol_test related to calculating the MSCHAP response. For usernames of the form "DOMAIN\user" all sides correctly remove the "DOMAIN\" before calculating the response. For usernames of the form "user@domain", eapol_test seems to include the @domain when calculating the response. At the server, it varies depending on whether you are using FreeRADIUS "internal" MSCHAP versus ntlm_auth.

Basically: ignore it. I think it's a bug in eapol_test.
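Added example, not from the post or from eapol_test: the ChallengeHash step of RFC 2759 in Python, which is where the user name enters the MSCHAPv2 computation. It shows why peer and server must agree on which form of the name goes in: a different 8-byte challenge yields a different NT-Response and, downstream, different MPPE keys, which is the kind of mismatch the warning above reports. The challenge bytes and user names are constructed.

```python
import hashlib


def strip_domain(username: str) -> str:
    """RFC 2759 section 8.2: only the bare user name, without any prefixed
    domain, goes into ChallengeHash, so a "DOMAIN\\user" prefix is dropped.
    A "user@realm" suffix is not covered by that rule, which is where the two
    sides of the exchange can end up disagreeing."""
    return username.split("\\", 1)[1] if "\\" in username else username


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759: the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MSCHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


# Constructed sample challenges; not taken from the thread's session.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def same_challenge(peer_name: str, server_name: str) -> bool:
    """True when peer and server feed identical 8-byte challenges into the
    NT-Response computation, i.e. the responses and keys can still match."""
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, peer_name) == \
        challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_name)


def scenarios() -> dict:
    """The two name forms discussed in the thread, as a constructed comparison:
    a stripped DOMAIN\\user agrees with the bare name, user@realm does not."""
    return {
        "domain_prefix_stripped": same_challenge(strip_domain("EXAMPLE\\user"), "user"),
        "realm_suffix_kept": same_challenge("user@example.org", "user"),
    }
```
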
Re: eapol_test giving up and win-like error?
NdK wrote:
> I think I'm near to correctly configure my server... but I incur in a
> situation that IIUC should be related to win clients only: I get
...
> message and *eapol_test* (run from a *linux* machine!) gives up after
> about 10 seconds.

Then read the error messages from eapol_test. Why does it stop? It should say.

Alan DeKok.
eapol_test giving up and win-like error?
Hi all.

I think I'm near to correctly configure my server... but I incur in a situation that IIUC should be related to win clients only: I get

-8<--
WARNING: !!
WARNING: !! EAP session for state 0x6ac8f8c260c3e171 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
-8<--

message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds.

I checked the FAQ, but couldn't find anything useful. The certs I'm using are from internal CA (actually from an internal intermediate CA, cert chain is certs/ca.pem and is 4.5k; root CA's self-signed cert is pointed by ca_cert= in eapol_test's config file).

Server is a plain Debian Squeeze, plus SAMBA 3.5.6 and FreeRADIUS 2.1.10. Domain is correctly joined and winbindd is running. I followed steps described in http://deployingradius.com/documents/configuration/active_directory.html (then noticed that the two references to ntlm_auth in authenticate sections aren't needed for mschapv2: ntlm_auth gets called by mschap module).

The complete output from freeradius -X is:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {