I have a question about freeradius-client-1.1.6.

2010-04-04 Thread Bryant
Hi,
I downloaded freeradius-client-1.1.6 from your website. Now I have installed and 
configured the freeradius server 2.1.8 and freeradius-client-1.1.6 successfully.
I use MySQL to store the users, and I created a user whose username is 
test, Auth_Type is Local, Cleartext-Password is test.
Then I run the command:
#radtest test test localhost 0 testing123
This authorizes successfully.
But when I compile freeradius-client-1.1.6/src/radexample.c or run radlogin:
#login:test
#password:test
This doesn't authorize successfully.
When I look at the server's display, I find the password is encrypted.
What should I do?
Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

VMPS Problem with similar requests

2009-08-28 Thread Michael Bryant
Hi,
If two vmps requests are sent in close succession (within cleanup_delay), with
the same source port, from the same switch (which does in fact seem to be
common, as the cisco switch I'm using for testing sends *all* requests with a
source port picked on startup), they are detected as identical by freeradius,
even if they are for different mac addresses.

This means the second request gets the same response as the first, even when
they should be different.

For example, testing with the vqpcli tool:
Close together:
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bfe
Vlan: BRIDGE
MAC Address: 001641110bfe 
Status: ALLOW
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan: BRIDGE
MAC Address: 001641110bfe 
Status: ALLOW

then a short time later (outside cleanup_delay)
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan: 
MAC Address:  
Status: DENY

Which is the correct response

Cheers
--Mike
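
An added Python model (not from the post and not freeradius code) of the duplicate detection described above. It assumes the reply cache is keyed on client address, source port and sequence number, and shows the second MAC receiving the first MAC's reply while cleanup_delay has not expired; a second key function adds a digest of the request payload so that only a true retransmission hits the cache. The request values are constructed to mirror the vqpcli.pl runs above.

```python
import hashlib

# cleanup_delay as in the radiusd.conf defaults shown elsewhere in this archive.
CLEANUP_DELAY = 5

# Constructed requests: one switch, one source port, sequence number 4660 as in
# the debug output in this archive; two MACs, the second one sent twice.
REQUESTS = [
    {"t": 0.0, "src_ip": "192.168.248.32", "src_port": 40001, "seq": 4660,
     "port_name": "Fa0/17", "mac": "0016.4111.0bfe"},
    {"t": 1.0, "src_ip": "192.168.248.32", "src_port": 40001, "seq": 4660,
     "port_name": "Fa0/17", "mac": "0016.4111.0bff"},
    {"t": 10.0, "src_ip": "192.168.248.32", "src_port": 40001, "seq": 4660,
     "port_name": "Fa0/17", "mac": "0016.4111.0bff"},
]

HEADER_FIELDS = ("t", "src_ip", "src_port", "seq")


def key_by_header(req):
    """Dedup key modelled on the usual RADIUS rule: client address, source port
    and packet identifier (for VQP, the sequence number). This is an assumption
    for the model, not a statement about freeradius internals."""
    return (req["src_ip"], req["src_port"], req["seq"])


def key_with_digest(req):
    """Same key plus a digest of the request payload: two requests that share a
    header but differ in content (here, the MAC) are no longer conflated, while
    an identical retransmission still hits the cache."""
    payload = "|".join(f"{k}={req[k]}" for k in sorted(req) if k not in HEADER_FIELDS)
    digest = hashlib.sha256(payload.encode()).hexdigest()
    return key_by_header(req) + (digest,)


class ReplyCache:
    """Replies are remembered for cleanup_delay seconds after they are sent."""

    def __init__(self, key_fn, cleanup_delay=CLEANUP_DELAY):
        self.key_fn = key_fn
        self.cleanup_delay = cleanup_delay
        self.entries = {}  # key -> (expires_at, reply)

    def lookup(self, req, now):
        key = self.key_fn(req)
        entry = self.entries.get(key)
        if entry is None:
            return None
        expires_at, reply = entry
        if now >= expires_at:  # outside cleanup_delay: forget the old reply
            del self.entries[key]
            return None
        return reply

    def store(self, req, reply, now):
        self.entries[self.key_fn(req)] = (now + self.cleanup_delay, reply)


def vmps_policy(req):
    """Stand-in for the vmps virtual server: only one MAC is known."""
    if req["mac"] == "0016.4111.0bfe":
        return ("BRIDGE", req["mac"].replace(".", ""), "ALLOW")
    return ("", "", "DENY")


def serve(cache, req):
    """Answer from the cache when the request looks like a duplicate,
    otherwise run the policy and remember the reply."""
    cached = cache.lookup(req, req["t"])
    if cached is not None:
        return cached
    reply = vmps_policy(req)
    cache.store(req, reply, req["t"])
    return reply


def run(key_fn, requests=REQUESTS):
    """Replay the requests through a fresh cache; returns each reply's status."""
    cache = ReplyCache(key_fn)
    return [serve(cache, r)[2] for r in requests]


if __name__ == "__main__":
    print("header-only key  :", run(key_by_header))    # ['ALLOW', 'ALLOW', 'DENY']
    print("header+digest key:", run(key_with_digest))  # ['ALLOW', 'DENY', 'DENY']
```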


Re: String Validation

2009-08-16 Thread Michael Bryant

 
 If a connection comes in with a GROUP NAME from SQL of USUK-XX
 or WUK-XX and I want to strip off the -XX, how would I do this with
 unlang so I only validate the following?

Using the regexp feature, you can match part of an attribute then
reference it later, like so:
if (SQL-GROUP =~ /(.*)-XX/) {
    update request {
        SQL-GROUP := %{1}
    }
}

--Mike



Re: String Validation

2009-08-16 Thread Michael Bryant

The if statement can remain the same, add before it:
if (SQL-GROUP =~ /(.*)-.*/) {
    update request {
        SQL-GROUP := %{1}
    }
}
This assumes that:
a) There is never a '-' in the USUK or whatever part.
b) You don't need to reference the original SQL-GROUP value.
If you do, you may want to use something like:
if (SQL-GROUP =~ /(.*)-.*/) {
    update control {
        Tmp-String-0 := %{1}
    }
}
if (control:Tmp-String-0 == USUK) {
    ok
}
etc.

--Mike
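
An added Python model (not from the thread) of the capture used in both replies: it shows what %{1} holds for the two patterns, including a value with a '-' inside the site part (assumption (a) broken), and a stricter anchored pattern that rejects such values instead of truncating them at the last '-'. The sample SQL-GROUP values are constructed.

```python
import re

# Constructed SQL-GROUP values (not from the thread). The third one breaks
# assumption (a) of the reply: a '-' inside the site part.
SAMPLE_GROUPS = ["USUK-XX", "WUK-XX", "US-UK-XX", "USUK", "USUK-XX-"]

# The patterns from the two replies, as written in "if (SQL-GROUP =~ /.../)".
SUFFIX_XX = re.compile(r"(.*)-XX")   # first reply: strip a literal -XX
ANY_SUFFIX = re.compile(r"(.*)-.*")  # second reply: strip whatever follows the last '-'


def unlang_capture(pattern, value):
    """Model of  if (attr =~ /pattern/) { update ... { X := %{1} } }.
    Like unlang's =~, the match is unanchored. Returns what %{1} would hold,
    or None when the condition is false and the update block does not run."""
    m = pattern.search(value)
    return m.group(1) if m else None


def strip_site_suffix(value):
    """Stricter alternative (added here, not from the thread): exactly one
    '-'-separated suffix, anchored at both ends, so a value with a '-' in the
    site part is rejected instead of being silently cut at the last '-'."""
    m = re.fullmatch(r"([^-]+)-[^-]+", value)
    return m.group(1) if m else None


def site_policy(value, capture=ANY_SUFFIX):
    """The flow of the second reply: copy %{1} to control:Tmp-String-0, then
    test it. Returns 'ok' when the USUK branch fires, 'noop' otherwise."""
    tmp_string_0 = unlang_capture(capture, value)
    if tmp_string_0 == "USUK":
        return "ok"
    return "noop"


def compare(values=SAMPLE_GROUPS):
    """Side by side: the reply's pattern versus the anchored one."""
    return {v: (unlang_capture(ANY_SUFFIX, v), strip_site_suffix(v)) for v in values}


if __name__ == "__main__":
    for group, (loose, strict) in compare().items():
        print(f"{group:10} loose={loose!r:12} strict={strict!r:8} policy={site_policy(group)}")
```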



Re: Re:freeradius2.1.6 module errors

2009-08-13 Thread Michael Bryant
Wrong operator.
Use = or not :=
--Mike
On Thu, 2009-08-13 at 12:56 +0530, ramesh p wrote:
 
 
 Hi,
  
 Here is the full accounting section of sites-available/default
 accounting {
     #
     #  Create a 'detail'ed log of the packets.
     #  Note that accounting requests which are proxied
     #  are also logged in the detail file.
     detail
 #   daily
     #  Update the wtmp file
     #
     #  If you don't use radlast, you can delete this line.
     unix
     #
     #  For Simultaneous-Use tracking.
     #
     #  Due to packet losses in the network, the data here
     #  may be incorrect.  There is little we can do about it.
     radutmp
 #   sradutmp
     #  Return an address to the IP Pool when we see a stop record.
 #   main_pool
     #
     #  Log traffic to an SQL database.
     #
     #  See Accounting queries in sql.conf
 #sql

     if(Acct-Status-Type := 'stop') {
         sql
     }

     #
     #  Instead of sending the query to the SQL server,
     #  write it into a log file.
     #
 #   sql_log
     #  Cisco VoIP specific bulk accounting
 #   pgsql-voip
     #  Filter attributes from the accounting response.
     attr_filter.accounting_response
     #
     #  See Autz-Type Status-Server for how this works.
     #
     Acct-Type Status-Server {
     }
 }
 
 Thanks,
 Rams.  
  
 On 13/8/09 07:10, ramesh p wrote:
  Though I have placed the code in sites-available/default
  under accounting section:

  if(Acct-Status-Type := 'stop'){
  sql

 Can you post the full section that you have added this to? If you have
 only added just those 2 lines then you haven't closed the statement
 off with a }.

 Steve
 
 -- 
 Steven Carr
 Systems Development Officer
 SLS/ITS/Systems - (0191) 515 3953
 
 


PEAP / mschapv2 Error Messages

2009-08-13 Thread Michael Bryant
Hi,
Using the default eap/peap  inner-tunnel configuration, a failure gives rise to
this:

Exec-Program output: Logon failure (0xc06d) 
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = \nE=691 R=1
EAP-Message = 0x040a0004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = \nE=691 R=1
EAP-Message = 0x040a0004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled

How can I take that MS-Chap-Error attribute and pass it back in the final
Access-Reject, as a Reply-Message attribute for example?

Cheers
--Mike


Re: PEAP / mschapv2 Error Messages

2009-08-13 Thread Michael Bryant

 
 unlang? set a variable to the value of MS-CHAP-Error and then set the 
 Reply-Message
 to be some text with that variable in it.
 
Unfortunately, this sends it back in the next packet, which is an
Access-Challenge, not in the final Access-Reject.

Also, for some strange reason, the post-auth section in the inner-tunnel
only gets called on a successful auth, not on a failure, so I can't
output the failure to sql there either.

 alternatively you could probably call Perl or Python etc at the right time and
 do the required variable and reply-message settings with those languages 
 instead
 
 however, by sending such messages the remote user knows the reason for 
 failure
 eg incorrect password but a successful user...and could brute-force
I plan to do something along the lines of:
MS-Chap-Error=User wrong = login failed
MS-Chap-Error=Pass wrong = login failed
MS-Chap-Error=Account locked = Account locked


--Mike
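
An added Python example (not from the thread) that parses the MS-CHAP-Error value shown in the debug output of the original post and builds the Reply-Message text following the plan above. The error-code names come from RFC 2759; that a disabled or locked account arrives as E=647 is an assumption, labelled in the code, and every other code falls back to the generic text.

```python
import re

# Failure codes from RFC 2759 section 6 (the "E=" field of the Failure packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Body of the attribute after the Ident octet:
#   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
# C=, V= and M= are optional; the server in the log above sends only "E=691 R=1".
_BODY_RE = re.compile(
    r"^E=(?P<code>\d+) R=(?P<retry>[01])"
    r"(?: C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?: V=(?P<version>\d+))?"
    r"(?: M=(?P<message>.*))?$"
)


def parse_mschap_error(raw):
    """Parse an MS-CHAP-Error value as it appears in the debug log, e.g. "\nE=691 R=1".
    The first octet is the Ident: 0x0a here, which is also the identifier byte of
    the accompanying EAP-Message 0x040a0004 (code 4 = Failure, id 0x0a, length 4)."""
    if len(raw) < 2:
        raise ValueError("MS-CHAP-Error too short: %r" % raw)
    m = _BODY_RE.match(raw[1:])
    if m is None:
        raise ValueError("malformed MS-CHAP-Error body: %r" % raw[1:])
    code = int(m.group("code"))
    return {
        "ident": ord(raw[0]),
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",
        "challenge": m.group("challenge"),
        "version": int(m.group("version")) if m.group("version") else None,
        "message": m.group("message"),
    }


def reply_message(err):
    """Reply-Message text following the plan in the post: wrong user and wrong
    password both become 'login failed', so the reject does not tell the client
    which of the two was wrong; a disabled/locked account becomes 'Account locked'.
    Assumption: the server reports that case as E=647. Anything else, including
    unknown codes, gets the generic text."""
    if err["code"] == 647:
        return "Account locked"
    return "login failed"


def reject_reply(raw_mschap_error):
    """What the final Access-Reject should carry: the generic Reply-Message for
    the client, plus the parsed detail kept for the server's own log only."""
    err = parse_mschap_error(raw_mschap_error)
    return {
        "Reply-Message": reply_message(err),
        "log": "mschap failure %s (E=%d, ident=%d, retry=%s)"
               % (err["name"], err["code"], err["ident"], err["retry_allowed"]),
    }


if __name__ == "__main__":
    # The value from the debug output above: Ident 0x0a, then "E=691 R=1".
    print(reject_reply("\nE=691 R=1"))
```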



2.1.6 Segfault (unlang: if (NAS-Port == 0) { reject }

2009-08-10 Thread Michael Bryant
Hi,
Reproducible on 2.1.6, default config with these lines in the authorize section:
    if (NAS-Port == 0) {
        reject
    }

And this command:
echo User-Name = test | radclient 10.252.24.114 auth testing123

An Access-Request packet not containing the NAS-Port Attribute causes the server
to segfault.

Cheers
--Mike

P.S.
Workaround: if (NAS-Port && NAS-Port == 0) {


Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Michael Bryant

   You get the same error in 2.1.0, or the configuration which worked in
 2.1.0 doesn't work in 2.1.6?

My customized vmps server section works in 2.1.0.
Trying to use the same customized configuration in 2.1.6 gives the
error.

Using the default configuration (the
VMPS-VLAN-Name = please_use_real_vlan_here
one) works in 2.1.0.
In 2.1.6, it returns the error.

   Which shows that absolutely nothing is happening in the VMPS server.
 
   Is there anything at all in the VMPS server?
Yes, the part to pull the mac address out of the ethernet frame, putting
it in the vmps-cookie, updating the reply with the vlan name /
packet-type - the default config.

On a clean machine I've just compiled 2.1.6, done minimal editing to
enable the vmps server (linked the vmps file into sites-enabled), and
I'm getting the same error.

Output with 2.1.0:
Vlan: please_use_real_vlan_here
MAC Address: 123412341234 
Status: ALLOW

With 2.1.6:
Ready to process requests.
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 4660
VMPS-Client-IP-Address = 127.0.0.1
VMPS-Port-Name = Fa0/1
VMPS-VLAN-Name = 
VMPS-Domain-Name = 
VMPS-Unknown = 0x00
VMPS-MAC = 12:34:12:34:12:34
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response
packet 
Finished request 0.

Full 2.1.6 log attached

Cheers
--Mike
FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on Aug  9 2009 at 
10:01:26
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file 

Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Michael Bryant
Attached is the debug output from a ubuntu package of 2.1.0, with the
default config (I didn't see a 2.1.0 tarball on the site)

Also attached is the debug output from the 2.1.6 install (tarball from
site), again with the default config.

As far as I can tell, in 2.1.0 it finds the vmps section, in 2.1.6 it
doesn't.

--Mike
On Sun, 2009-08-09 at 15:06 +0200, Alan DeKok wrote:
 Michael Bryant wrote:
You get the same error in 2.1.0, or the configuration which worked in
  2.1.0 doesn't work in 2.1.6?
  
  My customized vmps server section works in 2.1.0.
 
   Except that debug mode prints out what it is processing.  And it's not
 printing out anything in 2.1.6.  That may be the source of the problem.
 
   What does debug mode show for 2.1.0?
 
  Output with 2.1.0:
  Vlan: please_use_real_vlan_here
  MAC Address: 123412341234 
  Status: ALLOW
 
   Is that the debug output... or something else?
 
  With 2.1.6:
  Ready to process requests.
 
   Which looks to be the debug output.
 
   Compare apples to apples.
 
   Alan DeKok.
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct  9 2008 at 13:24:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/vmps
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /var/run/radiusd/radiusd.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1

VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-07 Thread Michael Bryant
Hi,
Stock Freeradius version 2.1.6, compiled with dpkg-buildpackage.
Using default sites-available/vmps virtual server.
Also using dynamic clients with clients in postgresql.

Getting this error on every VMPS request:
Failed encoding packet: Failed to find VQP-Packet-Type in response packet.

Using a customised sites-enabled/vmps file, pulling data from postgresql, which
was working in 2.1.0, I get the same error.

Any ideas as to why this error is occurring?

Cheers
--Mike

radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
listen {
type = vmps
ipaddr = *
port = 1589
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on vmps address * port 1589 as server vmps
Listening on proxy address * port 1814
Ready to process requests.
server dynamic_client_server {
rlm_sql (sqllocal): Reserving sql socket id: 4
rlm_sql_postgresql: query:  SELECT nasname FROM nas WHERE nasname = 
'127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 4
rlm_sql (sqllocal): Reserving sql socket id: 3
rlm_sql_postgresql: query:  SELECT shortname FROM nas WHERE nasname = 
'127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 3
rlm_sql (sqllocal): Reserving sql socket id: 2
rlm_sql_postgresql: query:  SELECT secret FROM nas WHERE nasname = '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 2
rlm_sql (sqllocal): Reserving sql socket id: 1
rlm_sql_postgresql: query:  SELECT type FROM nas WHERE nasname = '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 1
} # server dynamic_client_server
- Added client 127.0.0.1 with shared secret testing123
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 4660
VMPS-Client-IP-Address = 10.252.24.2
VMPS-Port-Name = Fa0/17
VMPS-VLAN-Name = 
VMPS-Domain-Name = blah
VMPS-Unknown = 0x00
VMPS-MAC = 00:16:41:11:0b:ff
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response packet 
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 4660 with timestamp +87
Ready to process requests.



Re: Request Items, Config/control Items; rlm_sql

2009-07-21 Thread Michael Bryant
I'm confused, how can I use unlang halfway through the processing of the rlm_sql
module?

--Mike

In message 4a65854f.4050...@deployingradius.com FreeRadius users mailing list
freeradius-users@lists.freeradius.org writes:
 Michael Bryant wrote:
  Hi,
  Using Freeradius 2.1.0 (debian package), with rlm_sql.
  
  I am trying to, in radcheck, set a value, which I can then compare against 
  in
  radgroupcheck.
 
   It doesn't support that.
 
  When I try this, with a custom attribute in either raddb/dictionary , a 
  VSA, or
  Tmp-String-* it seems to be appearing in the config items list, as opposed 
  to
  the request one, so rlm_sql doesn't check against it.
  
  Any ideas how I can get this to work?
 
   Use unlang to copy attributes between lists.
 
   Alan DeKok.


Re: Request Items, Config/control Items; rlm_sql

2009-07-21 Thread Michael Bryant

 authorize {
     update request {
         Tmp-String-0 = %{sql:select ...}
     }
     sql
 }

Unfortunately that's no use, as I understand it, redundant blocks aren't
supported in xlat?

--Mike


Request Items, Config/control Items; rlm_sql

2009-07-20 Thread Michael Bryant
Hi,
Using Freeradius 2.1.0 (debian package), with rlm_sql.

I am trying to, in radcheck, set a value, which I can then compare against in
radgroupcheck.
When I try this, with a custom attribute in either raddb/dictionary, a VSA, or
Tmp-String-*, it seems to be appearing in the config items list, as opposed to
the request one, so rlm_sql doesn't check against it.

Any ideas how I can get this to work?

Cheers
--Mike


Re: FreeRadius Certificate Problem

2007-06-26 Thread Bryant Marsh

To Dead6re,

I fixed it by copying the serial file again from the scripts directory
immediately after the root certificate was created, but before the client
certificate.

The first thing the CA.all does is remove all files from the demoCA
directory including the serial file.

Hope this helps.


Dead6re wrote:
 
 Hello all,
 
 I am having a huge problem using CA.all to generate the certificates needed
 for FreeRadius. I am currently using Fedora and my OpenSSL version is
 0.9.8b and has recently been updated.
 
 Using configuration from /usr/local/ssl/openssl.cnf
 ./demoCA/serial: No such file or directory
 error while loading serial number
 17811:error:02001002:system library:fopen:No such file or
 directory:bss_file.c:352:fopen('./demoCA/serial','r')
 17811:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
 + openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
 cert-srv.p12 -clcerts -passin pass:my pass -passout pass:my pass
 No certificate matches private key
 + openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:my pass
 -passout pass:my pass
 17813:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
 long:asn1_lib.c:150:
 + openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
 unable to load certificate
 17814:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
 
 How do I fix this error?
 
 Thanks, Dead6re
 
 



Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread Bryant Marsh

Hi Ivan,

Sorry I forgot to mention that I did import the cert-clt.p12 and cacert.pem
to the local machine certificate store.

I was reading a document that was saying that the USERS file is not
necessary for authenticating to Active Directory. Is that really true?

Here are my config files.
http://www.nabble.com/file/p11217074/clients.conf clients.conf 
http://www.nabble.com/file/p11217074/smb.conf smb.conf 
http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf 
http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf 
http://www.nabble.com/file/p11217074/eap.conf eap.conf 
http://www.nabble.com/file/p11217074/hosts hosts 

Thanks,
Bryant.


Yes. Certificates created with xpextensions will work with Win2K3 clients
as well. But you need to import CA certificate to the trusted
certificate store on Windows clients (XP and 2K3; Win 2K can't be used).

Ivan Kalik
Kalik Informatika ISP



Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread Bryant Marsh

Hi Ivan,

There are Event log errors in Application and System.

Event ID 1053 - Windows cannot determine the user or computer name. ().
Group Policy processing aborted.  Or error: The specified user does not
exist.

Event ID 5719 - The system cannot log you on now because the domain name
is not available.

This would be expected because port security is preventing traffic. Since
DOT1X is enabled on the Cisco switch port for the server, I need to
authenticate against the RADIUS server which is sending credentials to my AD
domain controller. 
Both the server and the radius server are on the same switch, so there are
no firewall issues. The switch is an access switch uplinked to the core
switch where the DC is located. All servers are in the same VLAN.

I cannot decipher the meaning of the debug negotiations that are happening,
but it looks like to me that there is some kind of default in the users file
for 255.255.255.254 that is not the IP address of the server in question. 
Again, my question is if I need a USERS files, because I was reading that
this file is not required for AD.

Here is my USERS file.

http://www.nabble.com/file/p11222403/users users 

Thanks,
Bryant.




tnt wrote:
 
 OK. What does the Event Viewer on Win2K3 client say about failed login
 attempts? Has it received Access-Challenge packet? There might be a
 firewall problem.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 


Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread Bryant Marsh

Yes, the cert-clt.p12 is imported to the personal and the cacert.pem is in
the trusted root certificates.

I was looking at another document that was putting chmod 0444 on the
cert-clt.p12 and chmod 0400 on the cacert.pem. 
Then, chown to radius:users on both.
Is that necessary?

Thanks,
Bryant.


You don't need users file if all user/pass information is stored in AD.
Can you check if imported certificate is in Trusted Root and not
some other certificate folder. I can't think of any other reason why
the conversation wouldn't start with your network configuration.

Ivan Kalik
Kalik Informatika ISP



Re: Need help with 802.1X authentication to Active Directory

2007-06-19 Thread Bryant Marsh

Hi Ivan,

Here is the output of radiusd -X:

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
 realm: format = prefix
 realm: delimiter = \
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain) 
Module: Loaded files 
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: 

Re: Need help with 802.1X authentication to Active Directory

2007-06-19 Thread Bryant Marsh

OK, you send a request, server sends challenge ... and then nothing
happens. Request is repeated, so is the challenge. Have you installed
(self signed) CA certificate on your XP client?

Ivan Kalik
Kalik Informatika ISP

Hi Ivan,

Yes, it took me a while to figure out the CA.all script, but I did create the
certificates finally after 4 days of trying.

The client is actually a Windows 2003 server.  The XPEXTENSIONS had an entry
for the xpserver.
I moved all the files that were created to the /etc/raddb/certs directory
along with the demoCA

Are the scripts designed to create the client certificate for Windows 2003?

Thanks,
Bryant



- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



-- 
View this message in context: 
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11205301
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Need help with 802.1X authentication to Active Directory

2007-06-15 Thread Bryant Marsh

I have FreeRadius setup as outlined by the Howto at this link.
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I am using CENTOS 5 as the host system acting as the SAMBA/RADIUS server.
All the *.conf files are configured as directed.
I have joined the radius server to the Active Directory domain and
configured the radius server with custom SSL certificates.

The Radius server starts correctly but I cannot get my supplicant to
authenticate.
Any Ideas?

Here is the output of RADIUSD -X

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated 

Re: Need help with 802.1X authentication to Active Directory

2007-06-15 Thread Bryant Marsh

Hi Alan,

My initial config on Centos was to turn firewall off.
I do have authentication going on, but it looks like the certificates are
not working.

I uploaded a doc with the output of the debug on the first message. 

Bryant
-- 
View this message in context: 
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11143424
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Need help with 802.1X authentication to Active Directory

2007-06-15 Thread Bryant Marsh

Here is the doc with the debug output at bottom.

Bryant.



tnt wrote:
 
 Uploaded it where? Debug output in your first message is just server
 startup. It hasn't received any packets. Check where your NAS is
 sending those requests.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 15/6/2007, Bryant Marsh [EMAIL PROTECTED] wrote:
 

http://www.nabble.com/file/p11144421/radius-auth.doc radius-auth.doc 
-- 
View this message in context: 
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11144421
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Need help with 802.1X authentication to Active Directory

2007-06-15 Thread Bryant Marsh

Hi Alan, 

My initial config on Centos was to turn firewall off. 
I do have authentication going on, but it looks like the certificates are
not working. 

I uploaded a doc with the output of the debug on the first message. 


http://www.nabble.com/file/p11144608/radius-auth.doc radius-auth.doc 

Bryant



Hi,

 I have FreeRadius setup as outlined by the Howto at this link.
 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
 
 I am using CENTOS 5 as the host system acting as the SAMBA/RADIUS server.
 All the *.conf files are configured as directed.
 I have joined the radius server to the Active Directory domain and
 configured the radius server with custom SSL certificates.
 
 The Radius server starts correctly but I cannot get my supplicant to
 authenticate.
 Any Ideas?

 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.



...followed by silence. nothing there. no attempts to talk RADIUS ever seen.

looks very much like you need to let the firewall on the CentOS box allow
UDP ports 1812/1813 through 

/sbin/iptables -L -n


alan


-- 
View this message in context: 
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11144608
Sent from the FreeRadius - User mailing list archive at Nabble.com.

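Alan's suggestion above (check "/sbin/iptables -L -n" for the UDP ports the "Listening on" lines name), carried through as an added example. This is not code from the thread or from FreeRADIUS; the iptables listing below is constructed to look like a CentOS 5 default firewall with only port 1812 opened, and the NAS network given to radius_allow_rules is made up.

```sh
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS code): check whether the
# host firewall accepts the UDP ports radiusd listens on (1812 authentication,
# 1813 accounting), using the "iptables -L -n" output Alan asked for.

# radius_ports_missing: read "iptables -L -n" output on stdin and print the
# RADIUS UDP ports that have no ACCEPT rule. Exit 0 if both are accepted,
# 1 otherwise. Any chain in the listing counts (CentOS 5 keeps its rules in
# RH-Firewall-1-INPUT rather than in INPUT itself).
radius_ports_missing() {
    rules=$(cat)
    missing=""
    for port in 1812 1813; do
        # A matching line looks like:
        # ACCEPT     udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:1812
        if ! printf '%s\n' "$rules" \
             | grep -E '^ACCEPT +udp .*dpt:'"$port"'([^0-9]|$)' >/dev/null; then
            missing="$missing $port"
        fi
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "${missing# }"
        return 1
    fi
    return 0
}

# radius_allow_rules SOURCE PORT...: print the iptables commands that accept
# the given UDP ports from SOURCE. SOURCE should be the NAS address(es) that
# appear in clients.conf; 0.0.0.0/0 is for testing only.
radius_allow_rules() {
    src=$1; shift
    for port in "$@"; do
        printf 'iptables -I INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
    done
}

# Constructed "iptables -L -n" listing: authentication is allowed, accounting
# is not, and everything else is rejected (the CentOS 5 default layout).
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1812
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# On the real server: /sbin/iptables -L -n | radius_ports_missing
if missing=$(printf '%s\n' "$SAMPLE_RULES" | radius_ports_missing); then
    echo "both RADIUS UDP ports are accepted"
else
    echo "no ACCEPT rule for UDP port(s): $missing"
    # $missing is left unquoted on purpose: one port per argument.
    radius_allow_rules 192.168.1.0/24 $missing
fi
```

The grep is a presence check only: it does not evaluate rule order, so a REJECT that sits above the ACCEPT in the same chain would still pass it. Once the rule is in, "iptables -L -n -v" (packet counters climbing on the 1812 rule) or a request from the NAS showing up in "radiusd -X" is the real proof; on CentOS 5 "service iptables save" writes the running rules to /etc/sysconfig/iptables so they survive a reboot.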


Re: Need help with 802.1X authentication to Active Directory

2007-06-15 Thread Bryant Marsh

Ivan,

Well, in my eap.conf file, I have in the eap module a default_eap_type = peap
and in my peap module the default_eap_type = mschapv2

Is that correct?


tnt wrote:
 
 Have you read the bit of eap.conf titled:
 
  ! WARNINGS for Windows compatibility  !
 
 just above the peap module?
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 15/6/2007, Bryant Marsh [EMAIL PROTECTED] wrote:
 


-- 
View this message in context: 
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11145180
Sent from the FreeRadius - User mailing list archive at Nabble.com.


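The two certificate questions in this thread, the CA.all / xpextensions question in the 2007-06-19 message and the eap.conf "WARNINGS for Windows compatibility" section Ivan points at here, come down to two checks on the server certificate the debug output shows (certificate_file = /etc/raddb/certs/cert-srv.pem, CA_file = /etc/raddb/certs/demoCA/cacert.pem). The following is an added example, not code from the thread or from FreeRADIUS: it tests for the TLS Web Server Authentication extended key usage that the xpextensions file adds to server certificates and that Windows supplicants require, and verifies the chain to the CA the client must trust. The "openssl x509 -text" excerpts embedded for the offline run are constructed; the file paths are assumptions taken from the debug output.

```sh
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS code): check the server
# certificate radiusd presents for PEAP against what a Windows supplicant
# requires. Paths are the ones shown in the debug output; the expected
# EKU is the one the xpextensions file used by CA.all adds to server certs.

# cert_has_server_eku: read "openssl x509 -noout -text" output on stdin and
# succeed only if the Extended Key Usage extension lists
# "TLS Web Server Authentication" (OID 1.3.6.1.5.5.7.3.1). Windows XP/2003
# supplicants reject a PEAP server certificate without it.
cert_has_server_eku() {
    awk '
        /X509v3 Extended Key Usage/               { in_eku = 1; next }
        in_eku && /TLS Web Server Authentication/ { found = 1 }
        in_eku && /^ *X509v3 /                    { in_eku = 0 }  # next extension
        END { if (found) exit 0; exit 1 }
    '
}

# check_radius_cert CERT CA: run the EKU check and verify CERT chains to CA.
# With PEAP-MSCHAPv2 the client never presents a certificate; it only needs
# CA installed as a trusted root so it can validate CERT.
check_radius_cert() {
    cert=$1; ca=$2; rc=0
    if openssl x509 -in "$cert" -noout -text | cert_has_server_eku; then
        echo "ok: $cert has the TLS Web Server Authentication EKU"
    else
        echo "FAIL: $cert lacks the TLS Web Server Authentication EKU"
        rc=1
    fi
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok: $cert verifies against $ca"
    else
        echo "FAIL: $cert does not verify against $ca"
        rc=1
    fi
    return $rc
}

# Constructed "openssl x509 -text" excerpts for exercising the parser offline.
SAMPLE_GOOD='        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                DE:AD:BE:EF'
SAMPLE_BAD='        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Basic Constraints: 
                CA:FALSE'

if [ "$#" -eq 2 ]; then
    # e.g. ./check-cert.sh /etc/raddb/certs/cert-srv.pem /etc/raddb/certs/demoCA/cacert.pem
    check_radius_cert "$1" "$2"
else
    printf '%s\n' "$SAMPLE_GOOD" | cert_has_server_eku && echo "sample with server EKU: accepted"
    printf '%s\n' "$SAMPLE_BAD"  | cert_has_server_eku || echo "sample with client EKU only: rejected"
fi
```

cert-srv.pem in the thread holds both the key and the certificate (private_key_file and certificate_file point at the same file), which openssl x509 and openssl verify handle, since they skip PEM blocks that are not certificates. A certificate that passes both checks but is still rejected by the client usually means the CA certificate was not imported into the client's Trusted Root store, which is Ivan's first question.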