Re: Freeradius doesn't detect EAP when authenticating against MySQL

Phil Mayers wrote:
> Sigh. Don't set the Auth-Type AT ALL. The only legitimate uses are:
>
> * setting it to Accept for PAP requests
> * setting it to Reject
> * setting it to the name of a specific instance where there are >1 of the same type of auth module with different configs (e.g. 2 different LDAPs or 2 different mschap)
>
> The "eap" module will itself detect the request is eap and (assuming the server is configured correctly, as it is by default) set the Auth-Type. By forcing it manually, you are guaranteeing that certain authentication configurations will fail.

I know all this now, I didn't before. I set this server up a while back to handle my cisco device logins, I can't remember why I'd put that in radgroupcheck. It's not removed.

>> and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP. Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue?
>
> I don't know why you're returning:
>
> Cisco-AVPair = "shell:priv-lvl=15"
> Service-Type = Administrative-User
>
> ...to an access point EAP session; neither make any sense, and I suppose could be mucking things up, but most likely the problem lies with the supplicant rather than the AP. It may not like the SSL server certificate, though from what I can see it's not getting that far. Is the supplicant configured to do EAP-TLS?

I'm returning these because, as above, I want to use the same credentials as those that I use for logging into my cisco routers, and I want to pass those attributes when I log into a router. It's true they could be confusing things for the AP, but is there a way to not return them when the auth type is detected as EAP? Or do I have to use a completely different set of credentials?

> It's apparent you've done a serious amount of fiddling with the default configs.
>
> I suggest doing a default/clean install, and starting from the most basic - a user in the "users" file:
>
> username Cleartext-Password := "foobar"
>
> Check if they can authenticate. Then setup the sql module, put the above AND ONLY THE ABOVE entries in the database, and test again. Making one change at a time will allow you to pin down the problem; at the moment, there are lots of things it *could* be.

I will do this.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
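The advice given in this thread (no forced Auth-Type check items in radcheck or radgroupcheck, the password check item set with := rather than ==, and Cleartext-Password rather than User-Password on 1.1.x) can be checked mechanically before restarting the server. The block below is an added example written for this page, not code from the thread or from the FreeRADIUS project. It loads a constructed copy of the radcheck, radgroupcheck and usergroup tables into SQLite (the column names are the ones in the SELECTs in the debug log; the row values and the group name cisco-admins are made up to mirror what Andrew eventually found), reports the rows that produce the failures seen above, applies the fix, and shows the check items the sql module would then merge for the user.

```python
import sqlite3

# Column names as they appear in the SELECTs in the debug log above
# (stock FreeRADIUS 1.x sql schema); the DDL is reproduced here only so the
# example runs offline against SQLite.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName  TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""

# Constructed rows (assumption: what the database looked like before the
# fix; the group name 'cisco-admins' is invented for the example).
SAMPLE_ROWS = {
    "radcheck":      [("growse", "Cleartext-Password", "==", "password1")],
    "radgroupcheck": [("cisco-admins", "Auth-Type", ":=", "Local")],
    "usergroup":     [("growse", "cisco-admins")],
}

# Check items that carry the "known good" password.  The thread's advice is
# to set these with := so they become control items the modules read,
# rather than values compared against the request.
PASSWORD_ATTRS = ("Cleartext-Password", "NT-Password", "LM-Password",
                  "MD5-Password", "SHA-Password", "Crypt-Password")

# Auth-Type values Phil Mayers lists as legitimate.  The name of a specific
# module instance is legitimate too but cannot be enumerated here, so any
# other value is reported for a human to judge.
AUTH_TYPE_OK = ("Accept", "Reject")


def load(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?,?,?,?)", rows["radcheck"])
    conn.executemany("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES (?,?,?,?)", rows["radgroupcheck"])
    conn.executemany("INSERT INTO usergroup VALUES (?,?)", rows["usergroup"])
    return conn


def audit(conn):
    """Return (table, owner, problem) tuples; an empty list means clean."""
    findings = []
    for table, key in (("radcheck", "UserName"), ("radgroupcheck", "GroupName")):
        for owner, attr, op, value in conn.execute(f"SELECT {key}, Attribute, op, Value FROM {table}"):
            if attr == "Auth-Type" and value not in AUTH_TYPE_OK:
                findings.append((table, owner, f"Auth-Type forced to {value!r}; remove it and let rlm_eap set it"))
            elif attr == "User-Password":
                findings.append((table, owner, "User-Password check item; use Cleartext-Password on 1.1.x"))
            elif attr in PASSWORD_ATTRS and op != ":=":
                findings.append((table, owner, f"{attr} uses op {op!r}; use ':='"))
    return findings


def fix(conn):
    """Apply the thread's advice in place: drop forced Auth-Type rows, rename
    User-Password to Cleartext-Password and set := on password check items."""
    marks = ",".join("?" * len(PASSWORD_ATTRS))
    for table in ("radcheck", "radgroupcheck"):
        conn.execute(f"DELETE FROM {table} WHERE Attribute = 'Auth-Type' AND Value NOT IN ('Accept', 'Reject')")
        conn.execute(f"UPDATE {table} SET Attribute = 'Cleartext-Password' WHERE Attribute = 'User-Password'")
        conn.execute(f"UPDATE {table} SET op = ':=' WHERE Attribute IN ({marks})", PASSWORD_ATTRS)
    conn.commit()


def check_items_for(conn, user):
    """Check items the sql module would merge for `user`: the radcheck rows,
    then the radgroupcheck rows of every group the user belongs to."""
    items = list(conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id", (user,)))
    items += list(conn.execute(
        "SELECT g.Attribute, g.op, g.Value FROM radgroupcheck g "
        "JOIN usergroup u ON u.GroupName = g.GroupName WHERE u.UserName = ? ORDER BY g.id", (user,)))
    return items


if __name__ == "__main__":
    db = load()
    for finding in audit(db):
        print("PROBLEM:", *finding)
    fix(db)
    print("check items for growse after fix:", check_items_for(db, "growse"))
    print("remaining problems:", audit(db))
```

Run audit() against a read-only copy of the real database first; fix() is deliberately blunt and deletes every Auth-Type row that is not Accept or Reject, so a row that names a specific module instance (Phil's third legitimate case) has to be put back by hand.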
Re: Freeradius doesn't detect EAP when authenticating against MySQL

[EMAIL PROTECTED] wrote:
> Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck.
>
> Ivan Kalik
> Kalik Informatika ISP

I feel really stupid now. It was sitting there in radgroupcheck setting the auth-type to local. ARGH.

Ok, regroup. The new output is in the same place as before (http://public.growse.com/radiusd.log) - it sets the auth-type to EAP and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP. Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue?

Thanks for everyone's help so far.

Andrew

> On 16/9/2007, "Andrew Rowson" <[EMAIL PROTECTED]> wrote:
>
>>>> Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
>>>>
>>>> I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
>>>
>>> modcall[authorize]: module "sql" returns ok for request 0
>>> users: Matched entry DEFAULT at line 155
>>> modcall[authorize]: module "files" returns ok for request 0
>>> modcall: leaving group authorize (returns updated) for request 0
>>> rad_check_password: Found Auth-Type Local
>>> auth: type Local
>>> auth: No User-Password or CHAP-Password attribute in the request
>>>
>>> Remove whatever is on line 155 of the "users" file; it is setting Auth-Type (almost always a bad idea) to "Local" so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.
>>
>> I had the following on line 155, which when commented out, seems to make no difference.
>>
>> DEFAULT Auth-Type = System
>>         Fall-Through = 1
>>
>> Andrew
Re: Freeradius doesn't detect EAP when authenticating against MySQL

>> Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
>>
>> I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
>
> modcall[authorize]: module "sql" returns ok for request 0
> users: Matched entry DEFAULT at line 155
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
>
> Remove whatever is on line 155 of the "users" file; it is setting Auth-Type (almost always a bad idea) to "Local" so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.

I had the following on line 155, which when commented out, seems to make no difference.

DEFAULT Auth-Type = System
        Fall-Through = 1

Andrew
Re: Freeradius doesn't detect EAP when authenticating against MySQL

Alan DeKok wrote:
> Andrew Rowson wrote:
>> The database contains Cleartext-Password == password. I've tried it with :=, but if I remember correctly that fails as well,
>
> Use := for Cleartext-Password.

My radcheck table is now looking like this:

+----+----------+--------------------+----+-----------+
| id | UserName | Attribute          | op | Value     |
+----+----------+--------------------+----+-----------+
|  1 | growse   | Cleartext-Password | := | password1 |
+----+----------+--------------------+----+-----------+

>> with the Auth-type being set to local again. I'll see if I can get a log of that failure as well, if it'd be helpful?
>
> No. Upgrade to 1.1.7, I think it solves this problem.

Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log

I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?

Thanks,
Andrew
Re: Freeradius doesn't detect EAP when authenticating against MySQL

On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andrew Rowson wrote:
>> Looking over it, it seems that a problem comes up with the MSCHAP bit:
>>
>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>> modcall[authenticate]: module "mschap" returns reject for request 14
>>
>> This appears to imply that there's no User-Password entry found anywhere for the user in the database. This would be correct, as the attribute in the radcheck table is set to Cleartext-Password. Anything other than Cleartext-Password and freeradius doesn't attempt an auth-type of EAP, but Local instead, going back to my original problem.
>
> What does the database contain? Cleartext-Password == password, or Cleartext-Password := password ?

The database contains Cleartext-Password == password. I've tried it with :=, but if I remember correctly that fails as well, with the Auth-type being set to local again. I'll see if I can get a log of that failure as well, if it'd be helpful?

Andrew
Re: Freeradius doesn't detect EAP when authenticating against MySQL

Alan DeKok wrote:
> Andrew Rowson wrote:
>> Ok, I updated the radcheck table in mysql so that the attribute read "Cleartext-Password". I now get a different result when trying to log in from the wlan:
>> ...
>> rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
>
> Please post the *previous* debug messages, which indicate *why* the user was rejected.

A complete output dump from freeradius is quite long, so I've hosted it at http://public.growse.com/radiusd.log

Looking over it, it seems that a problem comes up with the MSCHAP bit:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 14

This appears to imply that there's no User-Password entry found anywhere for the user in the database. This would be correct, as the attribute in the radcheck table is set to Cleartext-Password. Anything other than Cleartext-Password and freeradius doesn't attempt an auth-type of EAP, but Local instead, going back to my original problem.

Andrew

>> Also, my cisco device logins have now broken since updating this attribute, I'm guessing because the sql module can't authenticate the user against the db?
>
> No. The SQL module doesn't authenticate users. Again, read the *entire* debug log to see what's going on.
>
> Alan DeKok.
Re: Freeradius doesn't detect EAP when authenticating against MySQL

[EMAIL PROTECTED] wrote:
> Read the documentation (wiki, users file). For 1.1.6. you should be using Cleartext-Password attribute.

Ok, I updated the radcheck table in mysql so that the attribute read "Cleartext-Password". I now get a different result when trying to log in from the wlan:

rlm_sql (sql): No matching entry in the database for request from user [growse]
modcall[authorize]: module "sql" returns notfound for request 7
users: Matched entry DEFAULT at line 155
modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Login incorrect: [growse] (from client wlan port 34 cli 000e35bd8c13)

For some reason, sql is now returning "not found", presumably because it's looking for the "Password" attribute and doesn't understand "Cleartext-Password" (just guessing here). However, the correct auth-type is now set, although it rejects the user. Is it rejecting because the sql module returned notfound?

Also, my cisco device logins have now broken since updating this attribute, I'm guessing because the sql module can't authenticate the user against the db?

Thanks,
Andrew

> On 8/9/2007, "Andrew Rowson" <[EMAIL PROTECTED]> wrote:
>> [EMAIL PROTECTED] wrote:
>>>> users: Matched entry DEFAULT at line 155
>>>> modcall[authorize]: module "files" returns ok for request 0
>>>> modcall: leaving group authorize (returns updated) for request 0
>>>> rad_check_password: Found Auth-Type Local
>>>
>>> What is that DEFAULT entry? Is Auth-Type Local coming from there? Or do you have it in the database? It had to come from somewhere.
>>
>> The DEFAULT entry in the users is for an auth-type of System. There's nothing in the DB that specifies an auth-type.
>>
>>> And what Freeradius version are you using? User-Password should not be used in recent server versions.
>>
>> Freeradius version is 1.1.6. What do you mean about User-Password shouldn't be used?
>>
>> Thanks,
>> Andrew
Re: Freeradius doesn't detect EAP when authenticating against MySQL

[EMAIL PROTECTED] wrote:
>> users: Matched entry DEFAULT at line 155
>> modcall[authorize]: module "files" returns ok for request 0
>> modcall: leaving group authorize (returns updated) for request 0
>> rad_check_password: Found Auth-Type Local
>
> What is that DEFAULT entry? Is Auth-Type Local coming from there? Or do you have it in the database? It had to come from somewhere.

The DEFAULT entry in the users is for an auth-type of System. There's nothing in the DB that specifies an auth-type.

> And what Freeradius version are you using? User-Password should not be used in recent server versions.

Freeradius version is 1.1.6. What do you mean about User-Password shouldn't be used?

Thanks,
Andrew
Freeradius doesn't detect EAP when authenticating against MySQL

Hi,

I'm trying to use my existing freeradius server and mysql database to add 802.1X PEAP functionality to my wireless network. Currently, it works great authenticating my cisco device logins. However, after setting the peap stuff up, when I try to log in with a user on the wireless, it seems to get the wrong auth-type, and fails. Here's what happens:

> rad_recv: Access-Request packet from host 192.168.1.10:2050, id=0, length=125
> User-Name = "growse"
> NAS-IP-Address = 192.168.1.10
> Called-Station-Id = "0016b6edfe1b"
> Calling-Station-Id = "000e35bd8c13"
> NAS-Identifier = "0016b6edfe1b"
> NAS-Port = 34
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message =
> Message-Authenticator =
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "growse", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 11
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> radius_xlat: 'growse'
> rlm_sql (sql): sql_set_user escaped user --> 'growse'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'growse' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'growse' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'growse' ORDER BY id'
> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'growse' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok for request 0
> users: Matched entry DEFAULT at line 155
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Login incorrect: [growse] (from client wlan port 34 cli 000e35bd8c13)

However, if I put something like:

"testuser" Auth-Type = EAP, User-Password := "test"

in the users file and use the test credentials on the wireless client, it works fine. I've read a bunch of things saying that the Auth-Type attribute shouldn't need to be set and that it should figure out that it's EAP by itself. However when using the sql db as a credentials store it can't seem to figure out that it's an EAP request.

Any ideas how to fix this?

Thanks,
Andrew