Re: pam_radius requires setting Auth-Type ?
On 21/09/2012 12:34, Fajar A. Nugraha wrote:
Sorry for being so late... What does your full debug look like?
Just edited passwords and trimmed clients...

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
    user = freerad
    group = freerad
    allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
    prefix = /usr
    localstatedir = /var
    logdir = /var/log/freeradius
    libdir = /usr/lib/freeradius
    radacctdir = /var/log/freeradius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = /var/run/freeradius/freeradius.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: Loading Realms and Home Servers
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
Re: pam_radius requires setting Auth-Type ?
On 24/09/2012 09:40, Fajar A. Nugraha wrote:
Is this sites-available/default? Or inner-tunnel?
sites-available/default .
Your log for inner tunnel only shows this:
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module pap from file /etc/freeradius/modules/pap
Maybe it doesn't instantiate it again since pap is already instantiated in default?
IIRC authorize should come before authenticate. Which means you probably don't have pap in the authorize section of inner tunnel.
But it's there:
authorize {
    unibo_map_realms
    chap
    mschap
    suffix
    ntdomain
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    expiration
    logintime
    pap
}
That's why I'm quite confused...
BYtE, Diego.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_radius requires setting Auth-Type ?
On 21/09/2012 13:04, Alan DeKok wrote:
You probably deleted pap from the authorize section of raddb/sites-available/default.
Nope... I'd (probably) have spotted that.
Don't break the configuration.
I knew you'd (rightfully) say that :) Too bad I'm not the one that configured that server... I just told him that Auth-Type should not be manually set, so I'm now in charge of fixing the config :(
I think I'll have to set up another machine and start from scratch, so as to minimize impact (it's a lone production server! gulp!). Once the new server is up and running, I'll reformat the current one and clone the working config.
BYtE, Diego.
pam_radius requires setting Auth-Type ?
Hello all.
We just added pam_radius to our vpn host, to authenticate vpn users through our (working) RADIUS server.
IIUC pam_radius is sending a PAP message:
Access-Request packet from host 192.168.130.61 port 9327, id=233, length=99
    User-Name = STUDENTI\\studente.fittizio
    User-Password = my-cleartext-password
    NAS-IP-Address = 130.136.152.6
    NAS-Identifier = openvpn
    NAS-Port = 8302
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
But if I don't add (in users file) a line like:
DEFAULT NAS-Identifier == openvpn, Auth-Type := PAP
FR complains:
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
IIUC, Auth-Type should never be set manually, so I'm quite sure I'm missing something... Could you please point me in the right direction?
Tks.
BYtE, Diego.
Re: Can't figure out Group Authentication
On 26/06/2012 17:14, Julson, Jim wrote:
Forgive my ignorance, but the variable that you are suggesting I use would be something that I had to create locally on my RADIUS servers right? The idea is that we use our central point of management which in our case is Active Directory.
You have to define a local variable to hold the group name (or the group SID, but while making auth faster it makes management harder). Then assign to it a value based on where you receive your request from (a switch, a public server, a private server, a VPN endpoint...) and pass it to ntlm_auth in the --require-membership-of option. If the user trying to access is not in that group, he's denied access (ntlm_auth checks group membership in AD).
We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes. So managing groups on a per radius server basis isn't really a good choice from a management perspective. Using the Active Directory domain, we can have our admins move folks in and out of groups as necessary.
That's exactly what AD is for. But I usually join the PCs to it so I can have better integration (one for all: AD groups get mapped to Unix groups).
Did I understand your suggestion right?
I don't think so.
Or is that variable --require-membership-of=
That's not a variable, that's a parameter for ntlm_auth.
something that can help me achieve what I want to do?
It restricts access to members of that group. IIUC that's what you need.
I thought I had to use LDAP for Group Authorization...
You don't need to. At least not for such a basic thing.
To be more clear (not actually tested):
1) add
ATTRIBUTE Require-Group 3000 string
to dictionary
2) add
DEFAULT Require-Group := 'default-ad-group'
to users
3) change the ntlm_auth line in modules/mschap to include --require-membership-of=%{Require-Group}
Now restart FR and it should accept only users in 'default-ad-group'.
If it's OK, now you have to find some way to differentiate the NAS (or NAS group) from where the user is requesting access and use unlang to change the Require-Group value as needed.
BYtE, Diego.
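The per-NAS Require-Group idea from the post above, modelled as a stand-alone Python example (added here; not FreeRADIUS or Samba code). The RADIUS side only chooses which AD group to demand, based on NAS-Identifier or NAS-IP-Address, and appends it to the ntlm_auth command line as --require-membership-of; the membership check itself happens inside AD when ntlm_auth runs. The NAS selectors, group names and the sample ntlm_auth output lines are constructed for the example; the "NT_KEY: " success prefix is the one rlm_mschap looks for.

```python
"""Added example: per-NAS group gating for ntlm_auth (not FreeRADIUS code)."""
import ipaddress

# Policy rows are tried in order; the first match wins. A selector is either a
# NAS-Identifier string or an ip_network tested against NAS-IP-Address.
# Networks and group names below are hypothetical.
NAS_GROUP_POLICY = [
    ("openvpn", "vpn-users"),
    (ipaddress.ip_network("192.168.130.0/24"), "switch-admins"),
    (ipaddress.ip_network("10.20.0.0/16"), "wifi-users"),
]
# The "DEFAULT Require-Group := 'default-ad-group'" users entry from the post.
DEFAULT_GROUP = "default-ad-group"


def required_group(nas_identifier, nas_ip):
    """AD group a request from this NAS must belong to.

    An unmatched NAS falls back to DEFAULT_GROUP rather than to "no check", so
    adding a client to clients.conf never silently widens who may log in."""
    addr = ipaddress.ip_address(nas_ip)
    for selector, group in NAS_GROUP_POLICY:
        if isinstance(selector, str):
            if nas_identifier == selector:
                return group
        elif addr in selector:
            return group
    return DEFAULT_GROUP


def ntlm_auth_argv(username, domain, challenge_hex, nt_response_hex, group):
    """argv for ntlm_auth with the membership requirement appended.

    Same flags as the modules/mschap line in the thread, built as a list so the
    user-supplied name is never pasted into a shell command string."""
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--username=" + username,
        "--domain=" + domain,
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
        "--require-membership-of=" + group,
    ]


def parse_ntlm_auth_output(line):
    """Interpret ntlm_auth's first output line the way rlm_mschap does:
    success is a line starting with "NT_KEY: " followed by the hex key;
    anything else (a user not in the required group included) is a failure
    and the text is returned as the reason."""
    if line.startswith("NT_KEY: "):
        return True, line[len("NT_KEY: "):].strip()
    return False, line.strip()


if __name__ == "__main__":
    group = required_group("openvpn", "130.136.152.6")
    print(" ".join(ntlm_auth_argv("user.name", "PERSONALE", "00", "00", group)))
```

In FreeRADIUS the same lookup is the unlang that sets Require-Group (or a huntgroup check) in authorize; the point of the fall-through to DEFAULT_GROUP is that a NAS you forgot to classify is still restricted.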
Re: Can't figure out Group Authentication
On 22/06/2012 17:32, Julson, Jim wrote:
Now, the problem is this. Following Alan DeKok's guide at http://deployingradius.com/documents/configuration/active_directory.html, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort. There were a few things I had to go elsewhere to figure out, but I managed. I have FreeRADIUS setup and authenticating using NTLM_AUTH. I was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users. So the problem is this. It's authenticating...a little too well.
Why not add a default group var (to be overridden for specific clients) and pass it to ntlm_auth in the --require-membership-of= parameter? That way you can filter who can authenticate from any NAS. And IIUC huntgroups, you can even define groups of clients...
Please correct me if I'm wrong.
BYtE, Diego.
Re: freeraduis LDAP error
On 04/05/2012 09:35, dhanushka ranasinghe wrote:
User-Name = dhanush...@wso2.com
User-Password = dcn05c4-1282
I hope you realize you've sent your credentials to a public mailing list...
BYtE!
Re: MSSCHAP auth + LDAP authorizaton
On 03/04/2012 11:05, Andres Septer wrote:
I have working radius - AD authentication via winbind (MSCHAP challenge-response). But I do not want to give all domain users ability to use VPN. I want to use special AD group.
[...]
Any suggestions of documentation that will help, would be appreciated.
From man ntlm_auth:
--require-membership-of={SID|Name}
Require that a user be a member of specified group (either name or SID) for authentication to succeed.
Just change your call to ntlm_auth accordingly. Should be faster if you specify SID (one less 'internal lookup').
HIH, Diego.
Re: MSSCHAP auth + LDAP authorizaton (Working. Sort Of)
On 04/04/2012 12:49, Andres Septer wrote:
OK, I achieved my goal to get freeradius authenticate via mschap challenge-response and authorize via LDAP search. It's working, though, I'm not sure, that I'm doing it right. This solution works only with one group (my example, VPNusers). I think it is not expandable to the scenario like:
authorize user when it belongs to the group VPNusers
authorize user when it comes from IP of some WiFi access point disregarding any groups
Why not set the group to check membership of in a variable based on the NAS sending the request? Or, maybe, by using huntgroups (not sure... still have to understand 'em fully).
BYtE, Diego.
Re: Multi-domain AD and Users Who Aren't So Bright
On 12/02/2012 23:54, McNutt, Justin M. wrote:
I'm not sure why, then, but it actually does work. We have shown that with the client configured to use u...@e.mail.address (where e.mail.address is NOT the same as the AD domain), if I have FR look for 'e.mail.address' and translate it to the correct NT domain, authentication succeeds.
See Phil's answer on Feb 03 18:57 ... That's because domains (both NT-like and Kerberos-like) get stripped from crypto ops. Too bad you can't change the user name when calling ntlm_auth (that's what I'd have to do for users with a UPN change).
The user name must not be part of the crypto calculation or it would fail. I've been able to correct all kinds of things in the user name and set the domain manually to whatever I want. As long as I supply the correct password on the client side to what I happen to know the RADIUS server has mapped my ID to, authentication is successful.
The 'user' *is* part of the crypto. '@e.mail.address' (or 'DOMAIN\') is not.
BYtE, Diego.
LDAP Binding
Hello all.
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? That would allow searching for group membership without spawning more processes...
Tks, Diego.
Re: LDAP Binding
On 10/02/2012 16:21, Phil Mayers wrote:
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time?
This question does not make sense. Joining a domain doesn't obtain a kerberos ticket. It creates a machine account principal, and a shared secret (password) that can *in future* be used to obtain kerberos tickets.
Yep. Sorry. Tried to condense too much :(
First, you can do that now. Just create a service account in AD for searching LDAP, and set the bind DN.
Can't create users in AD. Just machine accounts. Maybe it's possible to use the (or a dedicated) *machine* account credentials?
Secondly, checking group membership over LDAP in AD is not as simple as you might think. Nested groups and primary group ID are the two main problems.
I know: about 5-6 years ago I wrote a lot of PHP code that did exactly that. A nightmare. But doable. At least in PHP.
Thirdly, why do you assume that spawning a process is undesirable? Have you tested it to see which is slower?
Reading FR docs it seems it's something to avoid whenever possible. Since there's an internal ldap module, I thought it could be possible to use it.
If you say what you're trying to accomplish rather than how, it might be a bit clearer.
Trying to avoid a script (1st exec of bash) that does a net ads search (2nd exec), filters output with sed (it's not been too hard to write a script that does grep, too -- 3rd exec).
I need to determine if/what to return in 'access-accept' when a user authenticates to a switch.
- students (determined by *domain* membership) receive a VLAN membership
- administrators (determined by *domain* and *group* membership) receive *no* VLAN memberships (so they can access all the VLANs configured for that switch port, as said on the wiki for HPs)
- regular users receive VLAN membership for a different VLAN than students (preventing them from tampering with the administration VLAN)
BYtE, Diego.
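The two traps Phil names above, nested groups and primaryGroupID, are easy to get wrong when group membership is read over LDAP rather than asked of ntlm_auth. The Python below is an added example (not FreeRADIUS code, not anything from the thread) that resolves effective membership from a constructed miniature of an AD directory and then makes the three-way VLAN decision described in the post. DNs, SIDs, RIDs and VLAN numbers are invented; students are modelled as a group here rather than as a separate domain, so the single-domain miniature stays small.

```python
"""Added example: AD group membership with nesting and primaryGroupID (not FR code)."""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed directory, DN -> attributes. Groups carry objectSid and member;
# users carry primaryGroupID (a bare RID, not a DN) and memberOf. As in AD,
# a user never appears in the member list of its *primary* group.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=local": {
        "objectClass": "group", "objectSid": DOMAIN_SID + "-513",
        "member": [], "memberOf": []},
    "CN=Students,OU=Groups,DC=example,DC=local": {
        "objectClass": "group", "objectSid": DOMAIN_SID + "-1105",
        "member": [], "memberOf": []},
    "CN=Net Admins,OU=Groups,DC=example,DC=local": {
        "objectClass": "group", "objectSid": DOMAIN_SID + "-1104",
        "member": ["CN=alice,OU=Users,DC=example,DC=local"],
        "memberOf": ["CN=Switch Admins,OU=Groups,DC=example,DC=local"]},
    "CN=Switch Admins,OU=Groups,DC=example,DC=local": {
        "objectClass": "group", "objectSid": DOMAIN_SID + "-1106",
        "member": ["CN=Net Admins,OU=Groups,DC=example,DC=local"], "memberOf": []},
    # alice: admin only through nesting (Net Admins -> Switch Admins)
    "CN=alice,OU=Users,DC=example,DC=local": {
        "objectClass": "user", "primaryGroupID": 513,
        "memberOf": ["CN=Net Admins,OU=Groups,DC=example,DC=local"]},
    # bob: a student only through primaryGroupID, memberOf is empty
    "CN=bob,OU=Users,DC=example,DC=local": {
        "objectClass": "user", "primaryGroupID": 1105, "memberOf": []},
    "CN=carol,OU=Users,DC=example,DC=local": {
        "objectClass": "user", "primaryGroupID": 513, "memberOf": []},
}


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])


def primary_group_dn(user_attrs):
    """primaryGroupID is only a RID: find the group whose objectSid ends in it."""
    wanted = user_attrs["primaryGroupID"]
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] == "group" and rid_of(attrs["objectSid"]) == wanted:
            return dn
    raise LookupError("no group with RID %d" % wanted)


def effective_groups(user_dn):
    """Transitive closure of memberOf, seeded with the primary group.

    Following memberOf on each group handles nesting; the explicit seed covers
    the primary group, which memberOf never lists. 'seen' also protects
    against group cycles, which AD permits."""
    user = DIRECTORY[user_dn]
    todo = list(user["memberOf"]) + [primary_group_dn(user)]
    seen = set()
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        todo.extend(DIRECTORY[dn]["memberOf"])
    return seen


def is_member(user_dn, group):
    """'group' may be a DN, a CN or a SID, like --require-membership-of."""
    for dn in effective_groups(user_dn):
        if group in (dn, DIRECTORY[dn]["objectSid"]) or dn.split(",", 1)[0] == "CN=" + group:
            return True
    return False


STUDENT_VLAN, STAFF_VLAN = 100, 200   # constructed VLAN ids


def vlan_for(user_dn):
    """The switch-port decision from the post: admins get no VLAN attribute
    (all VLANs on the port), students one VLAN, everyone else another."""
    if is_member(user_dn, "Switch Admins"):
        return None
    if is_member(user_dn, "Students"):
        return STUDENT_VLAN
    return STAFF_VLAN
```

If you do move this to a real LDAP query, AD can expand the nesting server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter, `(member:1.2.840.113556.1.4.1941:=<user DN>)`, but that still says nothing about the primary group: the primaryGroupID lookup above stays a separate step.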
Re: Multi-domain AD and Users Who Aren't So Bright
On 03/02/2012 12:51, Matthew Newton wrote:
Apologies - I meant that finding the answer to your 'trick' is not a FreeRADIUS thing. It's a directory lookup, or identity management type issue.
There must be a misunderstanding. I'm not asking advice about the query itself (that would be OT here). *Given* that the query should (and that 'should' is not FR-related) return a 4-row answer that I must translate to a single row, how do I translate it to a single value in FR? Currently I'm doing that translation spawning two more processes, that might not be needed. Can unlang regexprs handle multiline output or are they limited to single-line? Since this 'optimization' is FR-specific, I'm asking the FR gurus here...
Then, yes, of course it translates into 'how do I do this search _within_ FreeRADIUS'.
I know that: backticks :)
BYtE, Diego.
Re: Multi-domain AD and Users Who Aren't So Bright
On 03/02/2012 13:48, Phil Mayers wrote:
This doesn't work, unless username == email local part.
*or* win uses the username to calculate the response. Since users *can* actually log in to their accounts using their mail address... Maybe win caches (or looks up) the real username?
Exactly. And this name is mixed into the challenge/response. If you try to use email addresses, the client will calculate:
Just like the domain that 'ntdomain' strips. Or the other forms of domain I'm already stripping.
expected_response = crypto(challenge, samaccountname, stored_password)
Maybe they also calculate an alternative_response considering one (or more) alternate username forms. Or, simply, win looks up the real username and domain when an email address is used and uses it to calculate its response.
Basically, usernames != email address, unless you MAKE them the same.
We often have user accounts in the form user.name.2 referring to a different person than user.name. The number-accounted person might not like the number, so asks for a UPN change and is given u.name. When another account is created (say that from Ph.D he becomes a researcher) the 'base name' would be user.name3, but the old UPN gets set for user.name2 and u.name now points to user.name3 . So the mail address is 'constant' even if the 'internal identity' changes. That person keeps logging in as u.n...@unibo.it .
Maybe that's a stupid thing, but it's how things work here and I have no control over that. I can only try to keep the best possible user experience.
BYtE, Diego.
Re: Multi-domain AD and Users Who Aren't So Bright
On 03/02/2012 18:57, Phil Mayers wrote:
FreeRADIUS is a bit complex in this area, because of the age of the code involved. But basically:
1. with_ntdomain_hack = yes on the mschap module strips leading DOMAIN\
So it's not a hack. It's follow_mschap_specs :)
2. Otherwise, you have to populate Stripped-User-Name yourself
That's what I'm currently doing. The philosophy being 'build by little steps', all the domain logins already work. Even login with mail for users w/o UPN change works. It could even be enough, but my hacking genes would be really upset if I didn't try everything... :)
Really, with_ntdomain_hack should be renamed strip_domain, should strip either leading DOMAIN\ or trailing @domain.com, and should default to on.
Shouldn't that be handled by 'suffix' ?
I need to write a patch for 3.0 which does this.
Good.
the 'base name' would be user.name3, but the old UPN gets set for user.name2 and u.name now points to user.name3 . So the mail address is 'constant' even if the 'internal identity' changes. That person keeps logging in as u.n...@unibo.it .
That sounds complicated.
It is. Historical reasons ('we' started using AD ages ago... even M$ techs gave up on our setup :) ). The same for having multiple domains: even M$ (at that time) didn't know if a single domain could handle about 500K users. *Now* we all know it can, and a team has been working for about 6 years to try to collapse the forest into a single tree. Maybe.
I think you're doing something complicated and weird, and I don't think you should be surprised if it doesn't work well in some cases. I don't think userPrincipalName is meant to be used that way.
Neither do I, but others thought so and now it can't be changed (at least not easily, and for sure not by me)... If it won't work, I'll be confident it's impossible to make it work within our environment. But if I make it work, it could be useful for others.
BYtE, Diego.
Re: Multi-domain AD and Users Who Aren't So Bright
On 01/02/2012 22:57, McNutt, Justin M. wrote:
So I'm working on a way to Improve the User Experience. I've gotten a LONG way, but now I'm stuck. Here's the short/long version (all details, without undue explanation or discussion of what I tried that doesn't work):
Done nearly the same just some days ago.
1) I created two custom attributes named My-NT-Domain and My-User-Name and added them to the dictionary file as 3003 and 3004, respectively.
I have had no need to create those. Just added, in policy.conf:
unibo_map_realms {
    if (User-Name =~ /^(PERSONALE|STUDENTI)(\\.DIR\\.UNIBO\\.IT)?\(.+)$/i ) {
        update request {
            Realm := %{1}
            Stripped-User-Name := %{3}
        }
    }
    elsif (User-Name =~ /^(.+)@(PERSONALE|STUDENTI)(\\.DIR\\.UNIBO\\.IT)?$/i ) {
    [... and so on for the various forms...]
Then added to proxy.conf:
# LOCAL domains: *unibo.it
realm ~^(.*\\.)?unibo\\.it {
}
to handle mail-like domains locally and finally added to default and inner-tunnel a call to unibo_map_realms at the very beginning of the authorize section.
3) I changed /etc/raddb/modules/mschap to call ntlm_auth like this:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{My-User-Name}:-%{mschap:User-Name}} --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
No extra attributes needed in my case.
NOW we want to be able to have a user authenticate without specifying a domain. In theory, that's no big deal. If the users NEVER specify a domain at all, I can populate my custom attributes with this:
[...]
NOW, the problem is that if the user DOES specify domain\username correctly, then none of the cleanup cases match, so My-NT-Domain is empty. But since my custom attribute is empty, the Perl script is being called unnecessarily to run the LDAP search.
What about checking both your attribute and the mschap:NT-Domain just after the 'suffix' and 'ntdomain' entries?
BTW, do you see win setting a domain when the use login credentials checkbox (for mschapv2 options) is set? I always only see just the username... That might be good for your script...
BYtE, Diego.
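The unibo_map_realms policy above, and the same mapping that the "Changing domain for ntlm_auth" thread further down arrives at, rewritten as a plain Python function so the precedence of the name forms can be checked outside the server. This is an added example, not FreeRADIUS code and not the poster's: it maps only the realm part and passes the local part through unchanged, exactly as the policy does (a mail local part that differs from sAMAccountName is the separate problem discussed elsewhere in the thread). The esterni.unibo.it and bare-name fallbacks are taken from the later messages; the ordering of the mail-realm table and the is_local helper are my choices.

```python
"""Added example: User-Name -> (NT domain, stripped user) for the forms users
actually type. Not FreeRADIUS code; mirrors the unibo_map_realms policy."""
import re

# NT domains this server owns, optionally written with their DNS suffix.
NT_DOMAIN_RE = r"(PERSONALE|STUDENTI)(\.DIR\.UNIBO\.IT)?"
NT_PREFIX = re.compile(r"^" + NT_DOMAIN_RE + r"\\(.+)$", re.I)   # DOMAIN\user
NT_SUFFIX = re.compile(r"^(.+)@" + NT_DOMAIN_RE + r"$", re.I)    # user@DOMAIN

# Mail-style realms handled locally, most specific first (order is mine).
MAIL_REALMS = [
    (re.compile(r"^studio\.unibo\.it$", re.I), "STUDENTI"),
    (re.compile(r"^esterni\.unibo\.it$", re.I), "PERSONALE"),
    (re.compile(r"^unibo\.it$", re.I), "PERSONALE"),
]
DEFAULT_DOMAIN = "PERSONALE"   # the ':-PERSONALE' fallback used in the thread


def map_realm(user_name):
    """Return (NT domain, stripped user).

    Raises ValueError for a realm or NT domain this server does not own, so
    the caller can proxy or reject instead of handing it to ntlm_auth."""
    m = NT_PREFIX.match(user_name)
    if m:                                   # STUDENTI\user, PERSONALE.DIR.UNIBO.IT\user
        return m.group(1).upper(), m.group(3)
    m = NT_SUFFIX.match(user_name)
    if m:                                   # user@PERSONALE, user@STUDENTI.DIR.UNIBO.IT
        return m.group(2).upper(), m.group(1)
    if "@" in user_name:                    # user@mail.domain: translate the realm
        user, _, realm = user_name.rpartition("@")
        for pattern, domain in MAIL_REALMS:
            if pattern.match(realm):
                return domain, user
        raise ValueError("realm not local: " + realm)
    if "\\" in user_name:                   # SOMETHINGELSE\user: not our domain
        raise ValueError("unknown NT domain in " + user_name)
    return DEFAULT_DOMAIN, user_name        # bare name: default domain


def is_local(user_name):
    """True when map_realm can place the name in one of our NT domains."""
    try:
        map_realm(user_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("STUDENTI\\studente.fittizio", "u.name@studio.unibo.it",
                 "user.name@PERSONALE", "user.name", "someone@example.org"):
        print(name, "->", map_realm(name) if is_local(name) else "not local")
```

The one thing worth keeping from the thread when turning this back into unlang: the NT-domain forms must be tested before the mail-realm forms, otherwise user@STUDENTI.DIR.UNIBO.IT is misread as a mail address with an unknown realm.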
Re: Multi-domain AD and Users Who Aren't So Bright
On 02/02/2012 13:35, McNutt, Justin M. wrote:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct DOM\user format.
Or make 'em use their institutional email address. Easier to remember :) Seems trivial but it might not be. At least in our case we have 3 kinds of email addresses, referring to 2 domains. And the name before the '@' sign might not be the same as the sAMAccountName. I'm trying (with no luck :( ) to use
/usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep sAMAccountName|sed s/^[^ ]* //
(maybe it's possible to do the same without using grep and sed, but it's been just a quick test -- suggestions welcome). Replacement is OK, but seems secrets.tdb can't be opened :( even if permissions should be OK :-?
A limit of net ads search is that it searches only the default (joined) domain, unless you specify another domain controller with -S or -I -- I could easily do that based on the mail domain but in other setups it could be harder.
BYtE, Diego.
Re: Verifying you are Joining the Active Directory Domain
On 02/02/2012 15:45, Gilmour, Scott wrote:
I was wondering if this is because we installed winbind4 rather than winbind?
DON'T! Samba4 is not yet ok for production. Use samba-winbind-3.5.11 .
After basic config of smb.conf (I posted mine some days ago) you can do:
net ads join -U admin.user@AD.KRB5.REALM
-- it asks admin's password and should tell join OK. AD.KRB5.REALM must be properly configured in DNS (AD does it automatically) or you'll have to configure /etc/krb5.conf . Machine account should already have been created in AD.
BYtE, Diego.
Re: Multi-domain AD and Users Who Aren't So Bright
On 02/02/2012 21:59, Matthew Newton wrote:
/usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep sAMAccountName|sed s/^[^ ]* //
(maybe it's possible to do the same without using grep and sed, but it's been just a quick test -- suggestions welcome).
Have you tried ldapsearch? Might be more flexible.
Can't use it: for security (privacy) our DCs don't allow anonymous binding. And I can't add users, just machines and OUs.
I'm rather guessing here, but I wonder if LDAP searching the AD global catalogue (ports 3268/3269) would make this work with one search? Often you can't do an ldap search on AD...
But that's not really a FreeRADIUS issue. You'd probably be better finding a samba or AD list.
What I was saying was:
1) it should be doable to let users do MSCHAPv2 auth using mail account (which could be unrelated to sAMAccountName) instead of strange (from users' POV) usernames with domains
2) I was asking for some trick that lets me do the same thing without requiring processes for grep and sed (if possible... and that's FR specific)
BYtE, Diego.
Re: Design question
On 03/02/2012 01:27, Dan Letkeman wrote:
That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
This would be a nightmare to manage. We have 2000+ clients. I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?
The other method is worse, as Matthew said :)
Just email every user the cert to install together with the instructions to do so. Or you could evaluate joining machines to AD, then perform just machine authentication or choose to do both machine auth and user auth so you could place machines with no domain user logged in on a VLAN and machines with specific domain users on another. This way local users can only have minimal network access, while authenticated users can access reserved portions of your network. And you can remotely manage machines as soon as they're connected.
BYtE, Diego.
Re: Changing domain for ntlm_auth
On 25/01/2012 20:54, Phil Mayers wrote:
[...]
So I *can* insert unlang code there! Perfect!
No. This is not unlang. It's just a string expansion.
Yup. Sorry, I was referencing the cut part.
Unlang is a processing language that is only valid inside the virtual server authorize, post-auth, etc. sections. It's not valid in module configs.
OK. Since it seems I have to do EXACTLY the same mapping both in default and inner-tunnel sites, I saved my if chain in unibo.map and used $INCLUDE to insert it in both virtual servers, just after the opening brace of authorize. Hope it's the correct thing to do :) (even if there's a suspect preprocess module in 'default' that smells like a candidate...).
Too bad it seems unlang doesn't like:
if (cond) {
    ...
} elsif (othercond) {
    ...
} elsif (yetanother) {
    ...
}
(gives too many closing braces on the last line) or even:
if (cond) {
    ...
}
else if (othercond) {
    ...
}
else if (yetanother) {
    ...
}
(this one evaluates 'othercond' and 'yetanother' even if 'cond' is true, completely discarding the 'else').
[The rationale for putting the 'if' on another line is that doing so I can reorder the conditions w/o introducing errors]
That seems quite a serious limit in the unlang grammar...
BYtE, Diego.
Re: Changing domain for ntlm_auth
On 26/01/2012 12:24, Phil Mayers wrote:
You can re-use bits of unlang as virtual modules. See policy.conf. This is often a bit neater than $INCLUDE.
Perfect! Exactly what was needed.
FreeRADIUS config is basically:
[...]
if, elsif are just blocks. Blocks need to start on their own line. The name is intended as a hint here - it's NOT a programming language. It's a syntax for writing authentication policies and rules, that is a bit like a language.
Then maybe the second sentence (and following) in the second paragraph in the 'keywords' section of the man page could be more like:
unlang is a sequence (ordered list) of action blocks. Each action block, identified by a keyword, starts on its own line and can span multiple lines where a sub-block is allowed. Processing of a block is sequential, from the first line to the last.
This gives a pretty (quite regular) EBNF grammar... :)
That seems quite a serious limit in the unlang grammar...
That's quite a statement. Can't you just hit return after }?
Sure. That statement was due to a misunderstanding: that error made me think I couldn't chain more than one elsif !
BYtE, Diego.
Changing domain for ntlm_auth
Hi all.
To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. So I added to proxy.conf :
realm PERSONALE {
}
realm STUDENTI {
}
realm ~^studio\\.unibo\\.it {
    Realm := STUDENTI
}
realm ~^studio\\.unibo\\.it {
    Realm := PERSONALE
}
realm ~^unibo\\.it {
    Realm := PERSONALE
}
What I thought it would do was
if user name is like '@studio.unibo.it' then set REALM to be local 'STUDENTI'
but obviously I was wrong...
Request is EAP-PEAP-MSChapv2 and the authentication oracle is an AD node (hence the use of ntlm_auth). If I authenticate using user@PERSONALE it works perfectly.
What am I missing?
(*) Just 'most' users since I couldn't yet find a way to use the UPN, so users whose UPN has been changed must login with their 'base' name. Don't think there's an easy fix for this, since even joined win machines *sometimes* refuse the changed UPN...
Tks, Diego.
Re: Authentication with multiple AD
On 25/01/2012 11:19, Pavel Klochan wrote:
Hi. I need advice/help with my problem. I'm trying to authenticate with 2 LDAP-servers from freeradius, but without success.
I'm just a newbie, but have you tried proxying requests to two different local servers?
BYtE, Diego.
Re: Changing domain for ntlm_auth
On 25/01/2012 13:32, Phil Mayers wrote:
To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain.
Why do you think this is true?
'cause ntlm_auth won't authenticate user.n...@unibo.it or user.name@PERSONALE . It returns no such user. It authenticates PERSONALE\user.name . Or --username=user.name --domain=PERSONALE.
(*) Just 'most' users since I couldn't yet find a way to use the UPN, so users whose UPN has been changed must login with their 'base' name. Don't think there's an easy fix for this, since even joined win machines *sometimes* refuse the changed UPN...
I don't understand any of this. Please show a debug of it going wrong.
That's not FR-related. It's something in Win/AD, so I think there's nothing doable from FR to fix it.
BYtE, Diego.
Re: Changing domain for ntlm_auth
On 25/01/2012 12:48, Alan DeKok wrote:
>> To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain.
> I'm not sure why.

Because KRB5-domain and DNS-domain are different in my setup. And I can't change it.

>> So I added to proxy.conf :
>> ...
>> realm ~^studio\\.unibo\\.it {
>>         Realm := STUDENTI
>> }
> Huh? NOTHING in the documentation or examples says that should work. It won't work. Don't do it.

Ok.

>> What I thought it would do was if user name is like '@studio.unibo.it' then set REALM to be local 'STUDENTI' but obviously I was wrong...
> The server documentation describes how it works. Follow the documentation to configure it.

But what should I do? In other words, *which* doc should I follow? How is the needed feature named?

> I'm not sure you can change the domain for PEAP with ntlm_auth. The domain is *also* in the MS-CHAP data. So changing it in the arguments to ntlm_auth will likely not work.

I *think* it works by omitting the domain from checks, just like when considering NT domain...

>> If I authenticate using user@PERSONALE it works perfectly. What am I missing?
> It doesn't work the way you think it works. It works the way it's documented to work.

I know. But I couldn't find the doc to read...

>> (*) Just 'most' users since I couldn't yet find a way to use the UPN, so users whose UPN have been changed must login with their 'base' name. Don't think there's an easy fix for this, since even joined win machines *sometimes* refuse the changed UPN...
> Have the users change their login domain.

Those pathological cases have to change. But it's usually much better to let 99% of the users authenticate in the same way on all the services...

BYtE,
Diego.
Re: Changing domain for ntlm_auth
On 25/01/2012 18:24, Phil Mayers wrote:
> There are many ways to do this. The simplest is something like follows:
>
> modules/mschap:
> ...
> ntlm_auth = .. \
>   --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
>   --nt-domain=YOUR-DOMAIN

That's not doable. If mail is in unibo.it, domain is not unibo.it but PERSONALE. Same if mail is in esterni.unibo.it. But for studio.unibo.it domain is STUDENTI.

> sites-enabled/whatever:
> authorize {
>   ...
>   ntdomain
>   suffix
>   mschap
>   ...
> }
>
> ...and define the realms in your proxy.conf file.

That's what I was trying :)

> This solution basically uses the realm module to strip the DOMAIN\user and u...@domain.com into user and DOMAIN / domain.com. You then ignore the realm in your ntlm_auth line - just hard-code it.

Can't hardcode.

> If you can't ignore the realm, you can do something like:
>
> modules/mschap:
> ...
> ntlm_auth = .. \
>   --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
>   --nt-domain=%{%{Realm}:-DEFAULT}

More something like %{%{mschap:Domain}:-%{Realm}:-PERSONALE} ...

> [...]

So I *can* insert unlang code there! Perfect!

> Basically, YOU control what data is passed to ntlm_auth, and FreeRADIUS provides several methods to control this.

It's enough to know where those controls can be placed :)

> If you need more specific help, just ask. But please try to read the docs for man unlang and the many, many examples in the default configs and in the list archives.

I tried (I always try for at least a couple of hours before posting a question)... But without knowing what you're looking for it's hard to dig it out...

Tks. I think w/ this info I'll be OK.

BYtE,
Diego.
Re: Changing domain for ntlm_auth
On 25/01/2012 15:58, Alan Buxey wrote:
> use Stripped-User-Name in the ntlm_auth line and NT-Domain for domain (enable ntdomain in authorize) - see the example ntlm_auth provided with server...

Already tried and discarded. I think the definitive solution is the one highlighted by Phil.

Tks.
Diego.
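One concrete way to do what Phil describes in this thread (FreeRADIUS decides what reaches ntlm_auth) without hard-coding a single domain is to put a small wrapper between rlm_mschap and ntlm_auth that splits the identity and translates the e-mail realm into the NT domain. The script below is an added example, not code from the thread or from FreeRADIUS/Samba; the wrapper path /usr/local/sbin/ntlm_auth_realm, the NTLM_AUTH variable and the realm table (studio.unibo.it to STUDENTI, unibo.it and esterni.unibo.it to PERSONALE, anything unknown to the default PERSONALE) are assumptions. It also handles the two other identity shapes seen in the thread, DOMAIN\user and a bare user name.

```shell
#!/bin/sh
# ntlm_auth_realm: added example, not part of the list thread or of FreeRADIUS/Samba.
# Wraps Samba's ntlm_auth so that the identity FreeRADIUS passes as
# --username=... (user@realm, DOMAIN\user or a bare name) is split into a
# bare user name and an NT domain, translating the e-mail realm to the NT
# domain.  Every other argument (--challenge=, --nt-response=,
# --request-nt-key, ...) is passed through untouched.
# Assumptions: the wrapper path, the realm table and NTLM_AUTH below.

NTLM_AUTH=${NTLM_AUTH:-/usr/bin/ntlm_auth}
DEFAULT_DOMAIN=PERSONALE

# domain_for_realm REALM -> prints the NT domain for an e-mail realm.
# Matching is case-insensitive.  An unknown realm prints nothing, so the
# caller decides what to do with it (here: fall back to the default domain,
# which is no more than a bare user name would get).
domain_for_realm() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        studio.unibo.it)            printf 'STUDENTI' ;;
        unibo.it|esterni.unibo.it)  printf 'PERSONALE' ;;
        personale|studenti)         printf '%s' "$1" | tr 'a-z' 'A-Z' ;;
        *)                          printf '' ;;
    esac
}

# split_identity IDENTITY -> prints "user domain" on one line.
# DOMAIN\user wins over user@realm; a bare name gets the default domain.
# The identity itself is never rewritten, only split.
split_identity() {
    id=$1
    case $id in
        *\\*)   user=${id#*\\};  domain=${id%%\\*} ;;
        *@*)    user=${id%%@*};  domain=$(domain_for_realm "${id#*@}") ;;
        *)      user=$id;        domain= ;;
    esac
    [ -n "$domain" ] || domain=$DEFAULT_DOMAIN
    printf '%s %s\n' "$user" "$domain"
}

# main: find --username=..., replace it (and any --domain=) with the split
# values and exec the real ntlm_auth with the remaining arguments unchanged.
main() {
    ident=
    for arg in "$@"; do
        case $arg in --username=*) ident=${arg#--username=} ;; esac
    done
    [ -n "$ident" ] || { echo "usage: $0 --username=IDENTITY [ntlm_auth options]" >&2; exit 2; }
    pair=$(split_identity "$ident")
    user=${pair% *}          # domain never contains a space, user may
    domain=${pair##* }
    for arg in "$@"; do      # rebuild "$@" without --username=/--domain=
        shift
        case $arg in
            --username=*|--domain=*) ;;
            *) set -- "$@" "$arg" ;;
        esac
    done
    exec "$NTLM_AUTH" --username="$user" --domain="$domain" "$@"
}

# With no arguments only the functions are defined (sourcing/testing).
[ $# -eq 0 ] || main "$@"
```

To use it, point the ntlm_auth setting in modules/mschap at the wrapper and pass the unstripped identity (e.g. --username=%{User-Name} rather than %{Stripped-User-Name}) so the wrapper still sees the realm; the --challenge= and --nt-response= arguments go through unchanged, so the NT-Response the client computed is not touched and only the domain the DC is asked to check it against changes (Alan's caveat above about the domain also being part of the MS-CHAP data still applies and has to be tested per client type).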
Re: LDAP Group assign to vlan after AD user authentication
On 24/01/2012 08:48, Arran Cudbard-Bell wrote:
>> But how do I set Tunnel-Private-Group-Id from an exec-ed script?
> Just execute it using a backticks expansion, store the result in Tmp-String-0 then use regular expression matches over the result to figure out whether it contains a certain group or not. You may hit the maximum internal string size if the user is a member of lots of groups in which case the result would be silently truncated (just something to watch for).

Urgh! So easy! :)

> Honestly doing it with LDAP would probably be significantly easier and faster. Exec is really quite slow...

Surely. But in some setups it's not possible to browse AD as an LDAP server. At least w/o leaving around username and password. That's a no-no, unless you can create service users (which we can't :( ). But this way we can put users on different VLANs w/o problems :)

IIUC, post-auth exec should occur only once, right?

Tks,
Diego.
Re: eapol_test giving up and win-like error?
On 20/01/2012 11:55, Phil Mayers wrote:
> If that's really all you've changed, there must be something wrong with Samba; it's getting the final crypto blob wrong, and the client is dropping the packets. You'll need to investigate and fix this.

Just tested with radtest (have had to use single quotes and FOUR backslashes! -- my password is obviously in $P):

    # radtest -t mschap 'PERSONALE\\\\diego.zuccato' $P localhost 0 testing123
    Sending Access-Request of id 123 to 127.0.0.1 port 1812
            User-Name = PERSONALE\\diego.zuccato
            NAS-IP-Address = 127.0.1.1
            NAS-Port = 0
            MS-CHAP-Challenge = 0x7f218889d9de0c84
            MS-CHAP-Response = 0x000115ea491108aa02bb34b5fe79918a67cd8a7b069240091194
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=123, length=84
            MS-CHAP-MPPE-Keys = 0x3b1acd0b65d7af221df50f6ca50447cf
            MS-MPPE-Encryption-Policy = 0x0001
            MS-MPPE-Encryption-Types = 0x0006

And the Access-Accept is quite fast. When using eapol_test, I get the timeout. The difference is that radtest seems to use mschapv1 while eapol_test uses mschapv2. What could be so wrong that v1 works and v2 doesn't? IIUC v2 includes username and client nonce in the authenticator, while v1 doesn't.

BYtE,
Diego.
Re: eapol_test giving up and win-like error?
On 23/01/2012 11:02, Phil Mayers wrote:
> Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path.

So radtest isn't actually equivalent to eapol_test. It's just another step for testing.

> Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon.

What do you mean by local user? One added in the users file? I know it works (tested while following the guide), but it's not using mschapv2, IIUC...

From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that script only generates NTLMv1 responses... And it references a quite old Samba version. I'm using 3.5.10. From comment 46:

> Yes, 3.5.6 has all necessary fixes for this issue. Unless the sernet packages do contain other changes, it should just work with those packages.

I retested, adding winbind:forcesamlogon = True, and eapol_test is now successful. Might be useful to add to the guide. Seems, after all, it's needed for recent SAMBA releases, too.

Just for completeness my (now working) smb.conf is:

    [global]
            workgroup = PERSONALE
            realm = PERSONALE.DIR.UNIBO.IT
            server string = %v
            security = ADS
            restrict anonymous = 2
            log level = 3
            log file = /var/log/samba/log.%m
            max log size = 50
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            local master = No
            dns proxy = No
            idmap uid = 10-1
            idmap gid = 10-1
            template shell = /bin/bash
            winbind use default domain = Yes
            winbind refresh tickets = Yes
            winbind offline logon = Yes
            winbind normalize names = Yes
            idmap config STUDENTI:range = 5000 -
            idmap config STUDENTI:base_rid = 500
            idmap config STUDENTI:backend = rid
            idmap config PERSONALE:range = 10 - 4999
            idmap config PERSONALE:base_rid = 500
            idmap config PERSONALE:backend = rid
            idmap config STUDENTI:default = yes
            idmap config PERSONALE:default = no
            winbind:forcesamlogon = True

[maybe the whole idmap could be removed, but better not to touch it once it's working...]

No need to edit /etc/krb5.conf (interfacing to a native AD domain, so DNS records are OK for auto-discovery of Kerberos servers). Now it's Zeroshell's turn...

Tks for the patience.

BYtE,
Diego.
Re: LDAP Group assign to vlan after AD user authentication
On 23/01/2012 14:48, Arnaud Loonstra wrote:
> But I reckon you could also do something like that in post-auth section
>
> if (Ldap-Group == cn=mygroup,ou=groups,o=radius) {
>     update reply {
>         Tunnel-type = VLAN
>         Tunnel-medium-type = IEEE-802
>         Tunnel-Private-Group-Id = 1
>     }
> }

I think it could be possible to do the same using exec, a script and wbinfo... Just still don't know how. With

    for T in $(wbinfo --user-domgroups `wbinfo -n ADusername`) ; do wbinfo -s $T; done

I can get all AD groups ADusername is in. Checking group membership would be even easier. But how do I set Tunnel-Private-Group-Id from an exec-ed script?

BYtE,
Diego.
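To answer the question at the end of this post (and as an alternative to Arran's backticks-plus-Tmp-String-0 suggestion in the reply further up the page): rlm_exec can take the reply attributes from the script itself. With output_pairs = reply, every "Attribute = value" line the program prints is added to the Access-Accept. The script below is an added example, not from the thread or from FreeRADIUS/Samba. It lists the user's AD groups through winbind as in Diego's wbinfo loop (so no LDAP bind credentials are needed), maps them to a VLAN with a fixed priority order, and exits 1 (which rlm_exec reports as reject) when no group matches, so nobody lands on an unintended VLAN. The group names, VLAN IDs, script path /usr/local/sbin/vlan_from_adgroups, the expectation that the exec module passes %{User-Name} as the first argument, and the wbinfo output layout (-n prints the SID first, -s prints the name followed by the SID type) are assumptions.

```shell
#!/bin/sh
# vlan_from_adgroups: added example, not from the list thread or from FreeRADIUS/Samba.
# Run by FreeRADIUS's exec module (wait = yes, output_pairs = reply) from
# post-auth.  Everything printed to stdout as "Attribute = value" is added
# to the Access-Accept.  Group membership comes from winbind (wbinfo), so
# no LDAP bind account is needed.
# Assumptions: the group/VLAN table, the script path, and that the exec
# module passes %{User-Name} as $1.

# group_vlan GROUP -> prints the VLAN ID for an AD group, or nothing.
# The DOMAIN\ prefix is ignored and the name compared case-insensitively.
group_vlan() {
    g=${1#*\\}
    case $(printf '%s' "$g" | tr 'A-Z' 'a-z') in
        wifi-staff)    printf '10' ;;
        wifi-students) printf '20' ;;
        wifi-guests)   printf '30' ;;
        *)             printf '' ;;
    esac
}

# vlan_for_groups < group-list -> prints the VLAN for the user's groups
# (one group per line on stdin), or nothing when none of them is mapped.
# The table's priority order decides, not the order wbinfo returns groups:
# staff beats students beats guests.
vlan_for_groups() {
    found=
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        v=$(group_vlan "$g")
        if [ -n "$v" ]; then found="$found $v"; fi
    done
    for want in 10 20 30; do
        case " $found " in
            *" $want "*) printf '%s' "$want"; return 0 ;;
        esac
    done
    return 0
}

# ad_groups USER -> prints the user's AD group names, one per line, via
# winbind (Diego's loop).  Needs a joined machine; not run by the tests.
# wbinfo -s prints "DOMAIN\name TYPE"; the trailing type number is dropped.
ad_groups() {
    sid=$(wbinfo -n "$1" | cut -d' ' -f1) || return 1
    for gsid in $(wbinfo --user-domgroups "$sid"); do
        wbinfo -s "$gsid" | sed 's/ [0-9]*$//'
    done
}

main() {
    groups=$(ad_groups "$1") || exit 2          # 2: module fail (winbind problem)
    vlan=$(printf '%s\n' "$groups" | vlan_for_groups)
    if [ -z "$vlan" ]; then
        echo "no VLAN mapping for user $1" >&2
        exit 1                                  # 1: rlm_exec maps this to reject
    fi
    # Parsed by rlm_exec (output_pairs = reply) and added to the Access-Accept.
    printf 'Tunnel-Type:0 = VLAN\n'
    printf 'Tunnel-Medium-Type:0 = IEEE-802\n'
    printf 'Tunnel-Private-Group-Id:0 = "%s"\n' "$vlan"
}

# With no arguments only the functions are defined (sourcing/testing).
[ $# -eq 0 ] || main "$@"
```

The matching exec instance (modules/exec, or a copy of the echo example) needs wait = yes, output_pairs = reply and program = "/usr/local/sbin/vlan_from_adgroups %{User-Name}", and is listed in the post-auth section of the virtual server whose Access-Accept should carry the attributes. Since the script forks wbinfo once per group, Arran's warning about exec being slow applies.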
Re: Problem with MSCHAP and Freeradius authentication
On 20/01/2012 21:46, Alan DeKok wrote:
> Yeah, I've gone and fixed that. git is nice for updating web pages.

Uh... forgot... When using ntlm_auth with a password, --request-nt-key seems to have no effect. Tested in different distros.

BYtE,
Diego.
Re: eapol_test giving up and win-like error?
On 19/01/2012 13:01, Phil Mayers wrote:
> I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere.

But then it should fail immediately, not after a timeout! And an immediate failure is the result when I *disable* the 'with_ntdomain_hack=yes' line in mschap. No changes even enabling ntdomain lines in 'default' and 'inner-tunnel' sites (IIUC those should only detect the domain, regardless of it being prefix or suffix).

>> Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now.
> You can't alter usernames in EAP. They are usually mixed into the challenge/response data, and altering them in-flight means the challenge/response will fail.

Ok. I'm not going to change 'em.

> To be honest, there's too much going on in your setup; my advice would be to create a new server (running 2.1.12) and use the default setup. Test your EAP with eapol_test. Make small changes, storing the config into version control at each step. Identify exactly which point the failures start happening at.

That's exactly what I've done till now. The failures start when I enable the auth I need. The problem w/ CP is just an issue scheduled for later examination -- nothing configured yet to fix it.

That's my 'hg diff' output (w/o the certs part) from the base config (from the tutorial):

diff -r 434b2b3ededc clients.conf --- a/clients.conf Mon Jan 16 15:17:07 2012 +0100 +++ b/clients.conf Fri Jan 20 11:22:45 2012 +0100 @@ -232,3 +232,10 @@ # secret = testing123 #} #} + +client 137.204.65.161 { + secret = testing123qaz +} +client 137.204.65.96 { + secret = testing123qaz +} diff -r 434b2b3ededc modules/mschap --- a/modules/mschapMon Jan 16 15:17:07 2012 +0100
+++ b/modules/mschapFri Jan 20 11:22:45 2012 +0100 @@ -34,6 +34,7 @@ # corrects for that incorrect behavior. # #with_ntdomain_hack = no + #with_ntdomain_hack = yes # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration @@ -63,4 +64,7 @@ # the best user name for the request. # #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} + ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} +# ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}} --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} +# ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} } diff -r 434b2b3ededc modules/ntlm_auth --- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100 +++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100 
@@ -8,5 +8,6 @@ # exec ntlm_auth { wait = yes - program = /path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password} +# program = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-PERSONALE} --username=%{mschap:User-Name} --password=%{User-Password} + program = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} } diff -r 434b2b3ededc sites-available/default --- a/sites-available/default Mon Jan 16 15:17:07 2012 +0100 +++ b/sites-available/default Fri Jan 20 11:22:45 2012 +0100 @@ -116,7 +116,7 @@ # the other styles won't be checked. # suffix -# ntdomain + ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP @@ -306,6 +306,8 @@ # handled # override the updated code from attr_filter # } # } + +# ntlm_auth } @@ -347,7 +349,7 @@ # home server as authentication requests. # IPASS suffix -# ntdomain + ntdomain # # Read the 'acct_users' file diff -r 434b2b3ededc sites-available/inner-tunnel --- a/sites-available/inner-tunnel
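Review bot: in the clients.conf hunk both new client blocks (137.204.65.161 and 137.204.65.96) share the secret testing123qaz, a short guessable value that is now also public in this message; the shared secret is what authenticates the NAS to the server and protects the Message-Authenticator on these EAP requests, so generate a long random secret per client and rotate this one before the boxes go into production.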
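Review bot: in the modules/mschap hunk the two commented-out ntlm_auth alternatives should not be committed: they reference %{myDomain}, which is not an attribute in the standard dictionary (unless a local dictionary defines it, which this diff does not show, the expansion cannot work), and the third one combines --password=%{User-Password} with --challenge=/--nt-response=, which are two different ntlm_auth modes; keep only the live line, which correctly uses %{mschap:NT-Domain} with a PERSONALE fallback.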
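Review bot: in the modules/ntlm_auth hunk the new program line passes both --password=%{User-Password} and --challenge=/--nt-response= to the same ntlm_auth call; this exec module is only meaningful for PAP requests carrying a cleartext User-Password (an MS-CHAP request has none, so %{User-Password} expands empty), while MS-CHAP is already handled by the mschap module's own ntlm_auth setting, so restrict this line to --username=... --password=%{User-Password} for the PAP path and drop the challenge/response arguments here; the same undefined %{myDomain} as in the mschap hunk appears in this line too.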
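Review bot: in the sites-available/default hunk ntdomain is enabled in authorize and preacct of the outer site only, and the diff is cut off before sites-available/inner-tunnel; for PEAP the identity that reaches ntlm_auth is processed by inner-tunnel, so the same change has to be present there (the text above says it was made, but the hunk does not show it). Also note the file's own warning kept in the context lines ("the other styles won't be checked"): with suffix listed before ntdomain, a request that suffix handles first never reaches ntdomain, so either set ignore_null = yes for both realm instances in modules/realm or put ntdomain first if DOMAIN\user identities must be split.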
Re: Problem with MSCHAP and Freeradius authentication
On 20/01/2012 17:17, Dhiraj Gaur wrote:
> Thanks for the reply. I already followed your site and was able to make ntlm_auth work. For MS-CHAP the AD page of your site says
>
>> Start the server and use a test client to send an MS-CHAP authentication request. The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult. If everything goes well, you should see the server returning an Access-Accept (http://freeradius.org/rfc/rfc2865.html#Access-Accept) message as above.

Been there too. But after that I tested with eapol_test from wpa_supplicant. With negative results :(

> Hence I was of the view radtest cannot work for MS-CHAP authentication. Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same through radtest. I could not understand

There's no User-Password in MS-CHAP. It's not sent to the server, so you can't use --pass= for ntlm_auth. It's only used to encrypt the challenge.

BYtE,
Diego.
Re: Problem with MSCHAP and Freeradius authentication
On 20/01/2012 19:44, Alan DeKok wrote:
> The radclient program has since been updated.

Then it could be better to update that page, since it's the reference for all newbies that try to make it work.

> You hard-coded it to *always* do NTLM authentication, using the PAP credentials. Then you sent it a request which didn't contain a cleartext password.

That's easy, it's on the page: remove the DEFAULT added for testing :)

> Again, the guide explains this in great detail. Follow it, and it will work.

It *should* work is more correct :( There still are many things that can go wrong.

BYtE,
Diego.
Re: eapol_test giving up and win-like error?
On 19/01/2012 10:03, Phil Mayers wrote:
>> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
>> MPPE keys OK: 0 mismatch: 1
>> FAILURE

These (plus the timeout one) are the lines printed after FR has already closed the session.

> Hmm. I see from your original email that Samba ntlm_auth are succeeding.

Yup. I'm quite used to joining machines to AD... Already have about 100 clients and 5 servers, and this one is the one giving me troubles :(

> There are a couple of buggy version of Samba out there that return invalid response values, and generate these symptoms. Which version of Samba are you running, and on what OS?

Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working, I'll have to move the config to a ZeroShell box with Samba 3.5.10.

Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in the hints file seems to block the rest, so I left it behind, for now.

Tks,
Diego.
eapol_test giving up and win-like error?
Hi all.

I think I'm near to correctly configuring my server... but I run into a situation that IIUC should be related to win clients only: I get

    -8<--
    WARNING: !!
    WARNING: !! EAP session for state 0x6ac8f8c260c3e171 did not finish!
    WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
    WARNING: !!
    -8<--

message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds.

I checked the FAQ, but couldn't find anything useful. The certs I'm using are from an internal CA (actually from an internal intermediate CA; the cert chain is certs/ca.pem and is 4.5k; the root CA's self-signed cert is pointed to by ca_cert= in eapol_test's config file).

Server is a plain Debian Squeeze, plus SAMBA 3.5.6 and FreeRADIUS 2.1.10. Domain is correctly joined and winbindd is running. I followed the steps described in http://deployingradius.com/documents/configuration/active_directory.html (then noticed that the two references to ntlm_auth in authenticate sections aren't needed for mschapv2: ntlm_auth gets called by the mschap module).

The complete output from freeradius -X is:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file 
/etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main {
Re: eapol_test giving up and win-like error?
On 18/01/2012 15:25, Alan DeKok wrote:
> NdK wrote:
>> I think I'm near to correctly configure my server... but I incur in a situation that IIUC should be related to win clients only: I get
>> ...
>> message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds.
> Then read the error messages from eapol_test. Why does it stop? It should say.

That's the eapol_test output. I changed my AD pass to 'testing123' just for the time needed to test, so the values are the real ones. I can't see any error, just a timeout... There's a short delay before "EAPOL: startWhen -- 0" and a long one just after.

If needed, I logged the output of freeradius -X for this run, too (not posted to avoid spamming the list too much -- nothing changed in its config).

# eapol_test -c /home/ndk/Scaricati/peap-mschapv2.conf -s testing123qaz -a 137.204.65.163 Reading configuration file '/home/ndk/Scaricati/peap-mschapv2.conf' Line: 4 - start of a new network block key_mgmt: 0xd proto: 0x3 group: 0x18 scan_ssid=1 (0x1) mode=0 (0x0) ssid - hexdump_ascii(len=8): 41 4c 4d 41 57 49 46 49 ALMAWIFI pairwise: 0x18 eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 password - hexdump_ascii(len=10): 74 65 73 74 69 6e 67 31 32 33 testing123 identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego.
7a 75 63 63 61 74 6f zuccato phase2 - hexdump_ascii(len=15): 70 68 61 73 65 32 3d 4d 53 43 48 41 50 56 32 phase2=MSCHAPV2 ca_cert - hexdump_ascii(len=61): 2f 68 6f 6d 65 2f 6e 64 6b 2f 44 6f 63 75 6d 65 /home/ndk/Docume 6e 74 69 2f 55 66 66 69 63 69 6f 2f 43 41 2f 63 nti/Ufficio/CA/c 65 72 74 73 2f 41 73 74 72 6f 6e 6f 6d 69 61 20 erts/Astronomia 2d 20 52 6f 6f 74 20 43 41 2e 63 72 74- Root CA.crt Priority group 0 id=0 ssid='ALMAWIFI' Authentication server 137.204.65.163:1812 RADIUS local address: 137.204.65.96:45959 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 
7a 75 63 63 61 74 6f zuccato EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=28) TX EAP - RADIUS - hexdump(len=28): 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=154 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=30 Value: 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Attribute 80 (Message-Authenticator) length=18 Value: bd 07 f8 80 77 2d 48 51 d9 90 ce fe 5b e2 8f 35 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e 1b 55 Attribute 80 (Message-Authenticator) length=18 Value: 75 9e 8f 62 48 3d 24 33 f9 ba cc ac 8c d3 cc 90 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS