I have a question about freeradius-client-1.1.6.
Hi,

I downloaded freeradius-client-1.1.6 from your website. Now I have installed and configured the freeradius server 2.1.8 and freeradius-client-1.1.6 successfully. I use MySQL to store the users, and I created a user whose username is test, Auth-Type is Local, Cleartext-Password is test. Then I run the command:

    # radtest test test localhost 0 testing123

This authorizes successfully. But when I compile freeradius-client-1.1.6/src/radexample.c or run radlogin:

    # login: test
    # password: test

this doesn't authorize successfully. When I look at the server's display, I find the password is encrypted. What should I do?

Thanks!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
VMPS Problem with similar requests
Hi,

If two VMPS requests are sent in close succession (within cleanup_delay), with the same source port, from the same switch (which does in fact seem to be common, as the Cisco switch I'm using for testing sends *all* requests with a source port picked on startup), they are detected by freeradius as identical, even if they are for different MAC addresses. This means the second request gets the same response as the first, even when they should be different.

For example, testing with the vqpcli tool, close together:

    server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w 192.168.248.32 -i Fa0/17 -m 0016.4111.0bfe
    Vlan: BRIDGE
    MAC Address: 001641110bfe
    Status: ALLOW
    server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w 192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
    Vlan: BRIDGE
    MAC Address: 001641110bfe
    Status: ALLOW

then a short time later (outside cleanup_delay):

    server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w 192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
    Vlan:
    MAC Address:
    Status: DENY

which is the correct response.

Cheers
--Mike
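The collision described in the post, as an added example that is not part of the original message or of FreeRADIUS itself: a small model of a UDP request/reply daemon's duplicate-detection cache. Keying the cache on (source IP, source port, sequence number) alone makes a second request from the same switch socket look like a retransmit and replays the first reply; adding a digest of the request payload (here VMPS-Port-Name and VMPS-MAC) to the key fixes it. The cleanup_delay value, the MAC-to-VLAN table and the addresses are constructed for the example.

```python
"""Model of a response cache for a UDP request/reply daemon such as a VMPS server.

Added example, not FreeRADIUS code: it shows why two VQP requests from one switch
that share source IP, source port and sequence number collide when the
duplicate-detection key ignores the request payload, and how keying on a digest
of the payload (here the MAC and port name) fixes it. The cache lifetime mirrors
the cleanup_delay setting; the MAC/VLAN table and addresses are constructed data.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Reply = Tuple[str, str]  # ("ALLOW", vlan) or ("DENY", "")


@dataclass(frozen=True)
class VqpRequest:
    src_ip: str
    src_port: int
    sequence: int     # VMPS-Sequence-Number; a client may reuse one value
    port_name: str    # VMPS-Port-Name, e.g. "Fa0/17"
    mac: str          # VMPS-MAC, colon-separated lower-case


# Constructed allow-list: MAC -> VLAN name. Unknown MACs are denied.
MAC_TO_VLAN = {"00:16:41:11:0b:fe": "BRIDGE"}


def decide(req: VqpRequest) -> Reply:
    """Policy decision for one request, independent of any cache."""
    vlan = MAC_TO_VLAN.get(req.mac)
    return ("ALLOW", vlan) if vlan else ("DENY", "")


@dataclass
class ResponseCache:
    cleanup_delay: float           # seconds a reply is kept for retransmit detection
    key_on_payload: bool = False   # False reproduces the collision from the post
    _entries: Dict[tuple, Tuple[float, Reply]] = field(default_factory=dict)

    def _key(self, req: VqpRequest) -> tuple:
        key = (req.src_ip, req.src_port, req.sequence)
        if self.key_on_payload:
            # Include a digest of the attributes that make the request distinct.
            digest = hashlib.sha256(f"{req.port_name}|{req.mac}".encode()).hexdigest()
            key += (digest,)
        return key

    def handle(self, req: VqpRequest, now: float) -> Reply:
        """Return the cached reply for a retransmit, else decide and cache."""
        key = self._key(req)
        entry = self._entries.get(key)
        if entry is not None:
            stamped, reply = entry
            if now - stamped <= self.cleanup_delay:
                return reply          # treated as a duplicate of an earlier request
            del self._entries[key]    # expired: fall through and evaluate afresh
        reply = decide(req)
        self._entries[key] = (now, reply)
        return reply


def scenario(key_on_payload: bool) -> List[Reply]:
    """Two different MACs from the same switch socket, then one after cleanup_delay."""
    cache = ResponseCache(cleanup_delay=5.0, key_on_payload=key_on_payload)
    # Same switch, same (startup-chosen) source port, same sequence number 4660.
    known = VqpRequest("192.168.248.32", 49152, 4660, "Fa0/17", "00:16:41:11:0b:fe")
    unknown = VqpRequest("192.168.248.32", 49152, 4660, "Fa0/17", "00:16:41:11:0b:ff")
    return [
        cache.handle(known, now=0.0),     # first request: ALLOW/BRIDGE
        cache.handle(unknown, now=1.0),   # inside cleanup_delay: collides if payload ignored
        cache.handle(unknown, now=10.0),  # outside cleanup_delay: evaluated afresh
    ]


if __name__ == "__main__":
    print("source-tuple key: ", scenario(key_on_payload=False))
    print("payload-aware key:", scenario(key_on_payload=True))
```

With the source-tuple key the second MAC inherits ALLOW/BRIDGE until the entry ages out, exactly the sequence shown in the vqpcli output; with the payload-aware key it is denied immediately.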
Re: String Validation
> If a connection that comes in with a GROUP NAME from SQL of USUK-XX or WUK-XX and I want to strip off the -XX, how would I do this with unlang so I only validate the following?

Using the regexp feature, you can match part of an attribute then reference it later, like so:

    if (SQL-GROUP =~ /(.*)-XX/) {
        update request {
            SQL-GROUP := %{1}
        }
    }

--Mike
Re: String Validation
The if statement can remain the same; add before it:

    if (SQL-GROUP =~ /(.*)-.*/) {
        update request {
            SQL-GROUP := %{1}
        }
    }

This assumes that:

a) There is never a '-' in the USUK or whatever part.
b) You don't need to reference the original SQL-GROUP value. If you do, you may want to use something like:

    if (SQL-GROUP =~ /(.*)-.*/) {
        update control {
            Tmp-String-0 := %{1}
        }
    }
    if (control:Tmp-String-0 == USUK) {
        ok
    }

etc.

--Mike
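How the two patterns from the replies above behave on group names that do not have the expected shape, as an added example (not code from the thread or from FreeRADIUS). Python's re.search is unanchored, like unlang's =~, so /(.*)-XX/ also matches a value such as USUK-XX-admin and hands the allow-list a clean "USUK". STRICT is an assumed stricter alternative that anchors the whole value and forbids a second '-'; the allow-list is constructed data.

```python
"""Added example (not from the thread): regex suffix stripping for an
authorization check, and what each pattern extracts from awkward inputs.

Python's re.search is unanchored, like unlang's =~ operator, so the patterns
from the replies will match a suffix that merely occurs somewhere in the
string. STRICT is an assumed alternative that anchors the whole value and
forbids a second '-'. The allow-list is constructed data."""
import re
from typing import Dict, Optional

SUFFIX_XX = re.compile(r"(.*)-XX")          # from the first reply
ANY_SUFFIX = re.compile(r"(.*)-.*")         # from the second reply
STRICT = re.compile(r"^([^-]+)-[^-]+$")     # assumed: exactly one '-', whole string

ALLOWED_GROUPS = frozenset({"USUK", "WUK"})  # constructed allow-list


def base_group(group: str, pattern: re.Pattern = ANY_SUFFIX) -> Optional[str]:
    """Return capture group 1 (unlang's %{1}) or None when there is no match."""
    m = pattern.search(group)
    return m.group(1) if m else None


def group_allowed(group: str, pattern: re.Pattern = ANY_SUFFIX) -> bool:
    """Strip the suffix with `pattern` and check the remainder against the allow-list."""
    base = base_group(group, pattern)
    return base is not None and base in ALLOWED_GROUPS


def compare_patterns(group: str) -> Dict[str, Optional[str]]:
    """Show what each pattern extracts from one value, for side-by-side inspection."""
    return {
        "SUFFIX_XX": base_group(group, SUFFIX_XX),
        "ANY_SUFFIX": base_group(group, ANY_SUFFIX),
        "STRICT": base_group(group, STRICT),
    }


if __name__ == "__main__":
    for value in ("USUK-XX", "US-UK-XX", "USUK-XX-admin", "USUK"):
        print(f"{value:15} {compare_patterns(value)}")
```

The greedy `(.*)` captures everything up to the last usable '-', which is why a '-' inside the group part breaks assumption (a), and the unanchored /(.*)-XX/ passes USUK-XX-admin while STRICT rejects it.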
Re: Re:freeradius2.1.6 module errors
Wrong operator. Use = or not :=

--Mike

On Thu, 2009-08-13 at 12:56 +0530, ramesh p wrote:
> Hi,
>
> Here is the full accounting section of sites-available/default:
>
>     accounting {
>         #
>         #  Create a 'detail'ed log of the packets.
>         #  Note that accounting requests which are proxied
>         #  are also logged in the detail file.
>         detail
>     #    daily
>
>         #  Update the wtmp file
>         #
>         #  If you don't use radlast, you can delete this line.
>         unix
>
>         #
>         #  For Simultaneous-Use tracking.
>         #
>         #  Due to packet losses in the network, the data here
>         #  may be incorrect.  There is little we can do about it.
>         radutmp
>     #    sradutmp
>
>         #  Return an address to the IP Pool when we see a stop record.
>     #    main_pool
>
>         #
>         #  Log traffic to an SQL database.
>         #
>         #  See Accounting queries in sql.conf
>     #    sql
>         if(Acct-Status-Type := 'stop') {
>             sql
>         }
>
>         #
>         #  Instead of sending the query to the SQL server,
>         #  write it into a log file.
>         #
>     #    sql_log
>
>         #  Cisco VoIP specific bulk accounting
>     #    pgsql-voip
>
>         #  Filter attributes from the accounting response.
>         attr_filter.accounting_response
>
>         #
>         #  See Autz-Type Status-Server for how this works.
>         #
>     #    Acct-Type Status-Server {
>     #
>     #    }
>     }
>
> Thanks,
> Rams.
>
> > On 13/8/09 07:10, ramesh p wrote:
> > > Though I have placed the code in sites-available/default under accounting section:
> > >
> > >     if(Acct-Status-Type := 'stop'){
> > >         sql
> >
> > Can you post the full section that you have added this to? If you have only added just those 2 lines then you haven't closed the statement off with a }.
> >
> > Steve
> >
> > --
> > Steven Carr
> > Systems Development Officer
> > SLS/ITS/Systems - (0191) 515 3953
PEAP / mschapv2 Error Messages
Hi,

Using the default eap/peap inner-tunnel configuration, a failure gives rise to this:

    Exec-Program output: Logon failure (0xc06d)
    Exec-Program-Wait: plaintext: Logon failure (0xc06d)
    Exec-Program: returned: 1
    [mschap] External script failed.
    [mschap] FAILED: MS-CHAP2-Response is incorrect
    ++[mschap] returns reject
    [eap] Freeing handler
    ++[eap] returns reject
    Failed to authenticate the user.
    } # server inner-tunnel
    [peap] Got tunneled reply code 3
            MS-CHAP-Error = \nE=691 R=1
            EAP-Message = 0x040a0004
            Message-Authenticator = 0x
    [peap] Got tunneled reply RADIUS code 3
            MS-CHAP-Error = \nE=691 R=1
            EAP-Message = 0x040a0004
            Message-Authenticator = 0x
    [peap] Tunneled authentication was rejected.
    [peap] FAILURE
    ++[eap] returns handled

How can I take that MS-CHAP-Error attribute and pass it back in the final Access-Reject, as a Reply-Message attribute for example?

Cheers
--Mike
Re: PEAP / mschapv2 Error Messages
> unlang? set a variable to the value of MS-CHAP-Error and then set the Reply-Message to be some text with that variable in it.

Unfortunately, this sends it back in the next packet, which is an Access-Challenge, not in the final Access-Reject.

Also, for some strange reason, the post-auth section in the inner-tunnel only gets called on a successful auth, not on a failure, so I can't output the failure to SQL there either.

> alternatively you could probably call Perl or Python etc at the right time and do the required variable and reply-message settings with those languages instead
>
> however by sending such messages the remote user knows the reason for failure eg incorrect password but a successful user... and could bruteforce

I plan to do something along the lines of:

    MS-Chap-Error=User wrong     = login failed
    MS-Chap-Error=Pass wrong     = login failed
    MS-Chap-Error=Account locked = Account locked

--Mike
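The mapping Mike sketches above, as an added example that is not part of the thread or of FreeRADIUS: a parser for the MS-CHAP-Error attribute value (one Ident octet followed by the "E=... R=... C=... V=... M=..." text of RFC 2759 section 6, carried in RADIUS per RFC 2548 section 2.1.4) and a Reply-Message policy that returns one generic string unless the operator has explicitly opted in to disclosing a given code. The debug output above carries "\nE=691 R=1", i.e. Ident 0x0a, error 691, retry allowed; the second sample value and the disclosure texts are constructed for the example.

```python
"""Added example, not FreeRADIUS code: parse the MS-CHAP-Error attribute and
decide what, if anything, to echo back in a Reply-Message.

Wire format (RFC 2548 section 2.1.4 / RFC 2759 section 6): one Ident octet
followed by text of the form "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>",
where every field after E is optional. The debug output in the thread shows
such a value, "\\nE=691 R=1": Ident 0x0a, error 691, retry allowed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Error codes defined in RFC 2759 section 6.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

_FIELDS = re.compile(
    r"E=(?P<code>\d+)"
    r"(?:\s+R=(?P<retry>[01]))?"
    r"(?:\s+C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<version>\d+))?"
    r"(?:\s+M=(?P<message>.*))?$",
    re.DOTALL,
)


@dataclass(frozen=True)
class MsChapError:
    ident: int
    code: int
    retry: bool
    challenge: Optional[bytes]
    version: Optional[int]
    message: str

    @property
    def name(self) -> str:
        return ERROR_NAMES.get(self.code, f"UNKNOWN_{self.code}")


def parse_ms_chap_error(value: bytes) -> MsChapError:
    """Decode the attribute value; raises ValueError on malformed input."""
    if len(value) < 2:
        raise ValueError("MS-CHAP-Error too short")
    text = value[1:].decode("ascii", errors="replace")
    m = _FIELDS.match(text)
    if m is None:
        raise ValueError(f"unparseable MS-CHAP-Error text: {text!r}")
    return MsChapError(
        ident=value[0],
        code=int(m["code"]),
        retry=m["retry"] == "1",
        challenge=bytes.fromhex(m["challenge"]) if m["challenge"] else None,
        version=int(m["version"]) if m["version"] else None,
        message=m["message"] or "",
    )


GENERIC_REPLY = "Login failed"

# Constructed operator policy: texts that MAY be disclosed when opted in.
# 691 is deliberately absent: it covers both "no such user" and "wrong
# password", so echoing anything specific for it would aid enumeration.
DISCLOSABLE_TEXT = {
    646: "Logon not permitted at this time",
    647: "Account disabled",
    648: "Password expired",
}


def reply_message(err: MsChapError, disclose: FrozenSet[int] = frozenset()) -> str:
    """Reply-Message text for the Access-Reject: generic unless opted in per code."""
    if err.code in disclose and err.code in DISCLOSABLE_TEXT:
        return DISCLOSABLE_TEXT[err.code]
    return GENERIC_REPLY


if __name__ == "__main__":
    err = parse_ms_chap_error(b"\nE=691 R=1")   # value from the debug output above
    print(err, "->", reply_message(err, disclose=frozenset({647, 648})))
```

Whatever the operator opts in to, a client that probes usernames sees the same "Login failed" for an unknown account and for a wrong password, which is the bruteforce concern raised in the quoted reply.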
2.1.6 Segfault (unlang: if (NAS-Port == 0) { reject }
Hi,

Reproducible on 2.1.6, default config, with these lines in the authorize section:

    if (NAS-Port == 0) {
        reject
    }

and this command:

    echo User-Name = test | radclient 10.252.24.114 auth testing123

An Access-Request packet not containing the NAS-Port attribute causes the server to segfault.

Cheers
--Mike

P.S. Workaround:

    if (NAS-Port && NAS-Port == 0) {
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
> You get the same error in 2.1.0, or the configuration which worked in 2.1.0 doesn't work in 2.1.6?

My customized vmps server section works in 2.1.0. Trying to use the same customized configuration in 2.1.6 gives the error. Using the default configuration (the VMPS-VLAN-Name = please_use_real_vlan_here one) works in 2.1.0. In 2.1.6, it returns the error.

> Which shows that absolutely nothing is happening in the VMPS server. Is there anything at all in the VMPS server?

Yes, the part to pull the MAC address out of the ethernet frame, putting it in the vmps-cookie, updating the reply with the VLAN name / packet type: the default config.

On a clean machine I've just compiled 2.1.6, done minimal editing to enable the vmps server (linked the vmps file into sites-enabled), and I'm getting the same error.

Output with 2.1.0:

    Vlan: please_use_real_vlan_here
    MAC Address: 123412341234
    Status: ALLOW

With 2.1.6:

    Ready to process requests.
            VMPS-Packet-Type = VMPS-Join-Request
            VMPS-Error-Code = VMPS-No-Error
            VMPS-Sequence-Number = 4660
            VMPS-Client-IP-Address = 127.0.0.1
            VMPS-Port-Name = Fa0/1
            VMPS-VLAN-Name =
            VMPS-Domain-Name =
            VMPS-Unknown = 0x00
            VMPS-MAC = 12:34:12:34:12:34
    server vmps {
    Doing VMPS
    Done VMPS
    } # server vmps
    Failed encoding packet: Failed to find VQP-Packet-Type in response packet
    Finished request 0.

Full 2.1.6 log attached.

Cheers
--Mike

FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on Aug 9 2009 at 10:01:26
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/passwd including 
configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including configuration file
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Attached is the debug output from a Ubuntu package of 2.1.0, with the default config (I didn't see a 2.1.0 tarball on the site). Also attached is the debug output from the 2.1.6 install (tarball from site), again with the default config.

As far as I can tell, in 2.1.0 it finds the vmps section; in 2.1.6 it doesn't.

--Mike

On Sun, 2009-08-09 at 15:06 +0200, Alan DeKok wrote:
> Michael Bryant wrote:
> > > You get the same error in 2.1.0, or the configuration which worked in 2.1.0 doesn't work in 2.1.6?
> >
> > My customized vmps server section works in 2.1.0.
>
> Except that debug mode prints out what it is processing. And it's not printing out anything in 2.1.6. That may be the source of the problem. What does debug mode show for 2.1.0?
>
> > Output with 2.1.0:
> >
> >     Vlan: please_use_real_vlan_here
> >     MAC Address: 123412341234
> >     Status: ALLOW
>
> Is that the debug output... or something else?
>
> > With 2.1.6:
> >
> >     Ready to process requests.
>
> Which looks to be the debug output. Compare apples to apples.
>
> Alan DeKok.

FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct 9 2008 at 13:24:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/attr_rewrite 
including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/vmps including dictionary file /etc/freeradius/dictionary main { prefix = /usr localstatedir = /var logdir = /var/log/freeradius libdir = /usr/lib/freeradius radacctdir = /var/log/freeradius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /var/run/radiusd/radiusd.pid checkrad = /usr/sbin/checkrad debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1
VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Hi,

Stock FreeRADIUS version 2.1.6, compiled with dpkg-buildpackage. Using the default sites-available/vmps virtual server. Also using dynamic clients, with clients in PostgreSQL.

Getting this error on every VMPS request:

    Failed encoding packet: Failed to find VQP-Packet-Type in response packet.

Using a customised sites-enabled/vmps file, pulling data from PostgreSQL, which was working in 2.1.0, I get the same error. Any ideas as to why this error is occurring?

Cheers
--Mike

    radiusd: Opening IP addresses and Ports
    listen {
            type = auth
            ipaddr = *
            port = 0
    }
    listen {
            type = acct
            ipaddr = *
            port = 0
    }
    listen {
            type = vmps
            ipaddr = *
            port = 1589
    }
    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on vmps address * port 1589 as server vmps
    Listening on proxy address * port 1814
    Ready to process requests.
    server dynamic_client_server {
    rlm_sql (sqllocal): Reserving sql socket id: 4
    rlm_sql_postgresql: query: SELECT nasname FROM nas WHERE nasname = '127.0.0.1'
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: query affected rows = 1 , fields = 1
    rlm_sql (sqllocal): Released sql socket id: 4
    rlm_sql (sqllocal): Reserving sql socket id: 3
    rlm_sql_postgresql: query: SELECT shortname FROM nas WHERE nasname = '127.0.0.1'
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: query affected rows = 1 , fields = 1
    rlm_sql (sqllocal): Released sql socket id: 3
    rlm_sql (sqllocal): Reserving sql socket id: 2
    rlm_sql_postgresql: query: SELECT secret FROM nas WHERE nasname = '127.0.0.1'
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: query affected rows = 1 , fields = 1
    rlm_sql (sqllocal): Released sql socket id: 2
    rlm_sql (sqllocal): Reserving sql socket id: 1
    rlm_sql_postgresql: query: SELECT type FROM nas WHERE nasname = '127.0.0.1'
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: query affected rows = 1 , fields = 1
    rlm_sql (sqllocal): Released sql socket id: 1
    } # server dynamic_client_server
    - Added client 127.0.0.1 with shared secret testing123
            VMPS-Packet-Type = VMPS-Join-Request
            VMPS-Error-Code = VMPS-No-Error
            VMPS-Sequence-Number = 4660
            VMPS-Client-IP-Address = 10.252.24.2
            VMPS-Port-Name = Fa0/17
            VMPS-VLAN-Name =
            VMPS-Domain-Name = blah
            VMPS-Unknown = 0x00
            VMPS-MAC = 00:16:41:11:0b:ff
    server vmps {
    Doing VMPS
    Done VMPS
    } # server vmps
    Failed encoding packet: Failed to find VQP-Packet-Type in response packet
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 4660 with timestamp +87
    Ready to process requests.
Re: Request Items, Config/control Items; rlm_sql
I'm confused; how can I use unlang halfway through the processing of the rlm_sql module?

--Mike

In message 4a65854f.4050...@deployingradius.com FreeRadius users mailing list freeradius-users@lists.freeradius.org writes:
> Michael Bryant wrote:
> > Hi,
> >
> > Using Freeradius 2.1.0 (debian package), with rlm_sql. I am trying to, in radcheck, set a value which I can then compare against in radgroupcheck.
>
> It doesn't support that.
>
> > When I try this, with a custom attribute in either raddb/dictionary, a VSA, or Tmp-String-*, it seems to be appearing in the config items list, as opposed to the request one, so rlm_sql doesn't check against it. Any ideas how I can get this to work?
>
> Use unlang to copy attributes between lists.
>
> Alan DeKok.
Re: Request Items, Config/control Items; rlm_sql
> authorize {
>     update request {
>         Tmp-String-0 = %{sql:select ...}
>     }
>     sql
> }

Unfortunately that's no use, as I understand it: redundant blocks aren't supported in xlat?

--Mike
Request Items, Config/control Items; rlm_sql
Hi,

Using Freeradius 2.1.0 (debian package), with rlm_sql. I am trying to, in radcheck, set a value which I can then compare against in radgroupcheck.

When I try this, with a custom attribute in either raddb/dictionary, a VSA, or Tmp-String-*, it seems to be appearing in the config items list, as opposed to the request one, so rlm_sql doesn't check against it. Any ideas how I can get this to work?

Cheers
--Mike
Re: FreeRadius Certificate Problem
To Dead6re,

I fixed it by copying the serial file again from the scripts directory immediately after the root certificate was created, but before the client certificate. The first thing CA.all does is remove all files from the demoCA directory, including the serial file. Hope this helps.

Dead6re wrote:
> Hello all,
>
> I am having a huge problem using CA.all to generate the certificates needed for FreeRadius. I am currently using Fedora and my OpenSSL version is 0.9.8b and has recently been updated.
>
>     Using configuration from /usr/local/ssl/openssl.cnf
>     ./demoCA/serial: No such file or directory
>     error while loading serial number
>     17811:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./demoCA/serial','r')
>     17811:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
>     + openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:my pass -passout pass:my pass
>     No certificate matches private key
>     + openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:my pass -passout pass:my pass
>     17813:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
>     + openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
>     unable to load certificate
>     17814:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
>
> How do I fix this error?
>
> Thanks,
> Dead6re

--
View this message in context: http://www.nabble.com/FreeRadius-Certificate-Problem-tf3981133.html#a11314170
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Need help with 802.1X authentication to Active Directory
Hi Ivan,

Sorry, I forgot to mention that I did import the cert-clt.p12 and cacert.pem to the local machine certificate store. I was reading a document that was saying that the USERS file is not necessary for authenticating to Active Directory. Is that really true?

Here are my config files:

    http://www.nabble.com/file/p11217074/clients.conf clients.conf
    http://www.nabble.com/file/p11217074/smb.conf smb.conf
    http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf
    http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf
    http://www.nabble.com/file/p11217074/eap.conf eap.conf
    http://www.nabble.com/file/p11217074/hosts hosts

Thanks,
Bryant.

> Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import CA certificate to the trusted certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Hi Ivan,

There are Event log errors in Application and System.

Event ID 1053 - Windows cannot determine the user or computer name. (). Group Policy processing aborted. Or error: The specified user does not exist.

Event ID 5719 - The system cannot log you on now because the domain name is not available.

This would be expected because port security is preventing traffic. Since DOT1X is enabled on the Cisco switch port for the server, I need to authenticate against the RADIUS server which is sending credentials to my AD domain controller. Both the server and the radius server are on the same switch, so there are no firewall issues. The switch is an access switch uplinked to the core switch where the DC is located. All servers are in the same VLAN.

I cannot decipher the meaning of the debug negotiations that are happening, but it looks to me like there is some kind of default in the users file for 255.255.255.254 that is not the IP address of the server in question. Again, my question is whether I need a USERS file, because I was reading that this file is not required for AD.

Here is my USERS file:

    http://www.nabble.com/file/p11222403/users users

Thanks,
Bryant.

tnt wrote:
> OK. What does the Event Viewer on Win2K3 client say about failed login attempts. Has it received Access-Challenge packet? There might be a firewall problem.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 20/6/2007, Bryant Marsh [EMAIL PROTECTED] writes:
> > Hi Ivan,
> >
> > Sorry, I forgot to mention that I did import the cert-clt.p12 and cacert.pem to the local machine certificate store. I was reading a document that was saying that the USERS file is not necessary for authenticating to Active Directory. Is that really true?
> >
> > Here are my config files:
> >
> >     http://www.nabble.com/file/p11217074/clients.conf clients.conf
> >     http://www.nabble.com/file/p11217074/smb.conf smb.conf
> >     http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf
> >     http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf
> >     http://www.nabble.com/file/p11217074/eap.conf eap.conf
> >     http://www.nabble.com/file/p11217074/hosts hosts
> >
> > Thanks,
> > Bryant.
> >
> > > Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import CA certificate to the trusted certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Yes, the cert-clt.p12 is imported to the personal and the cacert.pem is in the trusted root certificates. I was looking at another document that was putting chmod 0444 on the cert-clt.p12 and chmod 0400 on the cacert.pem. Then, chown to radius:users on both. Is that necessary?

Thanks,
Bryant.

> You don't need users file if all user/pass information is stored in AD. Can you check if imported certificate is in Trusted Root and not some other certificate folder. I can't think of any other reason why the conversation wouldn't start with your network configuration.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Hi Ivan,

Here is the output of the RADIUSD -X

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: ntlm_auth = usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/raddb/certs/cert-srv.pem
tls: certificate_file = /etc/raddb/certs/cert-srv.pem
tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
realm: format = prefix
realm: delimiter = \
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail:
Re: Need help with 802.1X authentication to Active Directory
> OK, you send a request, server sends challenge ... and then nothing happens. Request is repeated, so is the challenge.
>
> Have you installed (self signed) CA certificate on your XP client?
>
> Ivan Kalik
> Kalik Informatika ISP

Hi Ivan,

Yes, it took me a while to figure out the CA.all script, but I did create the certificates finally after 4 days of trying. The client is actually a Windows 2003 server. The XPEXTENSIONS had an entry for the xpserver. I moved all the files that were created to the /etc/raddb/certs directory along with the demoCA. Are the scripts designed to create the client certificate for Windows 2003?

Thanks,
Bryant

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11205301
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Need help with 802.1X authentication to Active Directory
I have FreeRadius setup as outlined by the Howto at this link.
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I am using CENTOS 5 as the host system acting as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates. The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?

Here is the output of RADIUSD -X

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/raddb/certs/cert-srv.pem
tls: certificate_file = /etc/raddb/certs/cert-srv.pem
tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /dev/urandom
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated
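Added example, not code from the thread or from FreeRADIUS: a small Python lint over the `module: key = value` lines that both `radiusd -X` transcripts above print at startup, flagging the settings a reviewer would question before chasing the supplicant (512-bit DH parameters, the placeholder private-key password from the example eap.conf, CRL checking off, and an ntlm_auth path without a leading slash). The sample lines are constructed from values quoted in the two transcripts; `parse_settings` and `lint` are names chosen here.

```python
import re

# Constructed sample: module settings in the form `radiusd -X` prints them,
# taken from the values quoted in the thread (not a real capture).
SAMPLE = """\
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: private_key_password = whatever
tls: check_crl = no
mschap: ntlm_auth = usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
peap: default_eap_type = mschapv2
"""

LINE_RE = re.compile(r"^(\w+): (\w+) = (.*)$")


def parse_settings(text):
    """Map (module, key) -> value for every 'module: key = value' line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[(m.group(1), m.group(2))] = m.group(3).strip()
    return settings


def lint(settings):
    """Return human-readable findings for settings worth a second look."""
    findings = []
    # Ephemeral key sizes only matter for the exchange that is enabled.
    for exch, length in (("rsa_key_exchange", "rsa_key_length"),
                         ("dh_key_exchange", "dh_key_length")):
        if settings.get(("tls", exch)) == "yes":
            bits = int(settings.get(("tls", length), "0"))
            if bits < 2048:
                findings.append(f"tls.{length}={bits}: below 2048 bits")
    # 'whatever' is the placeholder password in the shipped example eap.conf.
    if settings.get(("tls", "private_key_password")) == "whatever":
        findings.append("tls.private_key_password: example placeholder in use")
    if settings.get(("tls", "check_crl")) == "no":
        findings.append("tls.check_crl=no: client certs not checked against a CRL")
    ntlm = settings.get(("mschap", "ntlm_auth"), "")
    if ntlm and not ntlm.startswith("/"):
        findings.append("mschap.ntlm_auth: relative path " + ntlm.split()[0])
    return findings
```

Feed it the full transcript (`lint(parse_settings(open("radiusd.log").read()))`) and the same checks run over every module block, not only the constructed sample.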
Re: Need help with 802.1X authentication to Active Directory
Hi Alan,

My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message.

Bryant
Re: Need help with 802.1X authentication to Active Directory
Here is the doc with the debug output at bottom.

Bryant.

tnt wrote:
> Uploaded it where? Debug output in your first message is just server startup. It hasn't received any packets. Check where your NAS is sending those requests.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 15/6/2007, Bryant Marsh [EMAIL PROTECTED] wrote:
> > Hi Alan,
> >
> > My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message.
> >
> > Bryant

http://www.nabble.com/file/p11144421/radius-auth.doc radius-auth.doc
Re: Need help with 802.1X authentication to Active Directory
Hi Alan,

My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message.

http://www.nabble.com/file/p11144608/radius-auth.doc radius-auth.doc

Bryant

> > Hi,
> >
> > I have FreeRadius setup as outlined by the Howto at this link.
> > http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> > I am using CENTOS 5 as the host system acting as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates. The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?
> >
> > Listening on authentication *:1812
> > Listening on accounting *:1813
> > Ready to process requests.
>
> ...followed by silence. nothing there. no attempts to talk RADIUS ever seen. looks very much like you need to let the firewall on the CentOS box allow UDP ports 1812/1813 through
>
> /sbin/iptables -L -n
>
> alan
Re: Need help with 802.1X authentication to Active Directory
Ivan,

Well in my EAP.Conf file, I have in the eap module a default_eap_type = peap and in my peap module the default_eap_type = mschapv2. Is that correct?

tnt wrote:
> Have you read the bit of eap.conf titled:
>
> ! WARNINGS for Windows compatibility !
>
> just above the peap module?
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 15/6/2007, Bryant Marsh [EMAIL PROTECTED] wrote:
> > Hi Alan,
> >
> > My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message.
> >
> > http://www.nabble.com/file/p11144608/radius-auth.doc radius-auth.doc
> >
> > Bryant