Re: pam_radius requires setting Auth-Type ?

2012-09-24 Thread NdK
On 21/09/2012 12:34, Fajar A. Nugraha wrote:

Sorry for being so late...

> What does your full debug look like?
Just edited passwords and trimmed clients...

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24
2011 at 07:53:12
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
   

Re: pam_radius requires setting Auth-Type ?

2012-09-24 Thread NdK
On 24/09/2012 09:40, Fajar A. Nugraha wrote:

> Is this sites-available/default? Or inner-tunnel?
sites-available/default .

> Your log for inner tunnel only shows this:
> server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Linked to module rlm_pap
>  Module: Instantiating module pap from file /etc/freeradius/modules/pap
Maybe it doesn't instantiate it again since pap is already instantiated
in default?

> IIRC authorize should come before authenticate. Which means you
> probably don't have pap on authorize section of inner tunnel.
But it's there:
authorize {
unibo_map_realms
chap
mschap
suffix
ntdomain
update control {
   Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
expiration
logintime
pap
}

That's why I'm quite confused...

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius requires setting Auth-Type ?

2012-09-24 Thread NdK
On 21/09/2012 13:04, Alan DeKok wrote:

>   You probably deleted pap from the authorize section of
> raddb/sites-available/default.
Nope... I'd (probably) have spotted that.

>   Don't break the configuration.
I knew you'd (rightfully) say that :)

Too bad I'm not the one that configured that server... I just told him
that Auth-Type should not be manually set, so I'm now in charge of
fixing the config :(

I think I'll have to set up another machine and start from scratch, so as to
minimize impact (it's a lone production server! glip!).
Once the new server is up & running, I'll reformat the current one and
clone the working config.

BYtE,
 Diego.


pam_radius requires setting Auth-Type ?

2012-09-21 Thread NdK
Hello all.

We just added pam_radius to our vpn host, to authenticate vpn users
through our (working) RADIUS server.

IIUC pam_radius is sending a PAP message:
Access-Request packet from host 192.168.130.61 port 9327, id=233,
length=99
User-Name = STUDENTI\\studente.fittizio
User-Password = my-cleartext-password
NAS-IP-Address = 130.136.152.6
NAS-Identifier = openvpn
NAS-Port = 8302
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only

But if I don't add (in users file) a line like:
DEFAULT NAS-Identifier == openvpn, Auth-Type := PAP
FR complains:
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user

IIUC, Auth-Type should never be set manually, so I'm quite sure I'm
missing something...
Could you please point me in the right direction?

Tks.

BYtE,
 Diego.


Re: Can't figure out Group Authentication

2012-06-27 Thread NdK
On 26/06/2012 17:14, Julson, Jim wrote:
> Forgive my ignorance, but the variable that you are suggesting I use
> would be something that I had to create locally on my RADIUS servers
> right? The idea is that we use our central point of management which
> in our case is Active Directory.
You have to define a local variable to hold the group name (or the group
SID, but while making auth faster it makes management harder). Then
assign to it a value based on where you receive your request from (a
switch, a public server, a private server, a VPN endpoint...) and
pass it to ntlm_auth in -require-membership-of option.
If the user trying to access is not in that group, he's denied access
(ntlm_auth checks group membership in AD).

> We have hundreds of servers
> ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes.
> So managing groups on a per radius server basis isn't really a
> good choice from a management perspective.  Using the Active
> Directory domain, we can have our admins move folks in and out
> of groups as necessary.
That's exactly what AD is for. But I usually join the PCs to it so I can
have better integration (one for all: AD groups get mapped to Unix groups).

> Did I understand your suggestion right?
I don't think so.
> Or is that variable --require-membership-of=
That's not a variable, that's a parameter for ntlm_auth.
> something that can help me achieve what I want to do?
It restricts access to members of that group. IIUC that's what you need.

> I thought I had to use LDAP for Group Authorization...
You don't need to. At least not for such a basic thing.

To be more clear (not actually tested):
1) add ATTRIBUTE Require-Group 3000 string to dictionary
2) add DEFAULT Require-Group := 'default-ad-group' to users
3) change ntlm_auth line in modules/mschap to include
--require-membership-of=%{Require-Group}

Now restart FR and it should accept only users in 'default-ad-group'.
If it's OK, now you have to find some way to differentiate the NAS (or
NAS group) from where the user is requesting access and use unlang to
change Require-Group value as needed.

BYtE,
 Diego.


Re: Can't figure out Group Authentication

2012-06-26 Thread NdK
On 22/06/2012 17:32, Julson, Jim wrote:

> Now, the problem is this.  Following Alan DeKok's guide at
> http://deployingradius.com/documents/configuration/active_directory.html, I
> was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal
> effort.  There were a few things I had to go elsewhere to figure out, but I
> managed.  I have FreeRADIUS setup and authenticating using NTLM_AUTH.  I was
> able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS
> server will be for authenticating users on all of our Cisco devices, as well
> as remote access VPN users.  So the problem is this.  It's authenticating...a
> little too well.
Why not add a default group var (to be overridden for specific
clients) and pass it to ntlm_auth in --require-membership-of=
parameter? That way you can filter who can authenticate from any NAS.
And IIUC huntgroups, you can even define groups of clients...

Please correct me if I'm wrong.

BYtE,
 Diego.


Re: freeraduis LDAP error

2012-05-08 Thread NdK
On 04/05/2012 09:35, dhanushka ranasinghe wrote:

>   User-Name = dhanush...@wso2.com
>   User-Password = dcn05c4-1282
I hope you realize you've sent your credentials to a public mailing list...

BYtE!


Re: MSSCHAP auth + LDAP authorizaton

2012-04-20 Thread NdK
On 03/04/2012 11:05, Andres Septer wrote:

> I have working radius - AD authentication via winbind (MSCHAP
> challenge-response).
> But I do not want to give all domain users ability to use VPN. I want to use
> special AD group.
[...]
> Any suggestions of documentation that will help, would be appreciated.
From man ntlm_auth:
 --require-membership-of={SID|Name}
 Require that a user be a member of specified group (either name or
 SID) for authentication to succeed.

Just change your call to ntlm_auth accordingly. Should be faster if you
specify SID (one less 'internal lookup').

HIH,
Diego.


Re: MSSCHAP auth + LDAP authorizaton (Working. Sort Of)

2012-04-20 Thread NdK
On 04/04/2012 12:49, Andres Septer wrote:

> OK, I achieved my goal to get freeradius authenticate via mschap
> challenge-response and authorize via LDAP search.
> It's working, though, I'm not sure, that I'm doing it right. This solution
> works only with one group (my example, VPNusers). I think it is not
> expandable to the scenario like:
>
> authorize user when it belongs to the group VPNusers
> authorize user when it comes from IP of some WiFi access point disregarding
> any groups
Why not setting the group to check membership of in a variable based on
the NAS sending the request? Or, maybe, by using huntgroups (not sure...
still have to understand 'em fully).

BYtE,
 Diego.


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-13 Thread NdK
On 12/02/2012 23:54, McNutt, Justin M. wrote:
> I'm not sure why, then, but it actually does work.  We have shown that with
> the client configured to use u...@e.mail.address (where e.mail.address is
> NOT the same as the AD domain), if I have FR look for 'e.mail.address' and
> translate it to the correct NT domain, authentication succeeds.
See Phil's answer on Feb 03 18:57 ...
That's because domains (both NT-like and Kerberos-like) get stripped
from crypto ops. Too bad you can't change user name when calling
ntlm_auth (that's what I'd have to do for users with an UPN change).

> The user name must not be part of the crypto calculation or it would fail.
> I've been able to correct all kinds of things in the user name and set the
> domain manually to whatever I want.  As long as I supply the correct password
> on the client side to what I happen to know the RADIUS server has mapped my
> ID to, authentication is successful.
The 'user' *is* part of the crypto. '@e.mail.address' (or 'DOMAIN\') is not.

BYtE,
 Diego.


LDAP Binding

2012-02-10 Thread NdK
Hello all.

Is it possible to bind to AD's LDAP using the Kerberos ticket obtained
at join time?
That would allow to search for group membership without spawning more
processes...

Tks,
 Diego.


Re: LDAP Binding

2012-02-10 Thread NdK
On 10/02/2012 16:21, Phil Mayers wrote:

>> Is it possible to bind to AD's LDAP using the Kerberos ticket obtained
>> at join time?
> This question does not make sense. Joining a domain doesn't obtain a
> kerberos ticket. It creates a machine account principal, and a shared
> secret (password) that can *in future* be used to obtain kerberos tickets.
Yep. Sorry. Tried to condense too much :(

> First, you can do that now. Just create a service account in AD for
> searching LDAP, and set the bind DN.
Can't create users in AD. Just machine accounts. Maybe it's possible
to use the (or a dedicated) *machine* account credentials?

> Secondly, checking group membership over LDAP in AD is not as simple as
> you might think. Nested groups and primary group ID are the two main
> problems.
I know: about 5-6 years ago I wrote a lot of PHP code that did exactly
that. A nightmare. But doable. At least in PHP.

> Thirdly, why do you assume that spawning a process is undesirable? Have
> you tested it to see which is slower?
Reading FR docs it seems it's something to avoid whenever possible.
Since there's an internal ldap module, I thought it could be possible to
use it.

> If you say what you're trying to accomplish rather than how, it might be
> a bit clearer.
Trying to avoid a script (1st exec of bash) that does a net ads
search (2nd exec), filters output with sed (it's been not too hard to
write a script that does grep, too -- 3rd exec).

I need to determine if/what to return in 'access-accept' when a user
authenticates to a switch.
- students (determined by *domain* membership) receive a VLAN membership
- administrators (determined by *domain* and *group* membership) receive
*no* VLAN memberships (so they can access all the VLANS configured for
that switch port, as said on the wiki for HPs)
- regular users receive VLAN membership for a different VLAN than
students (preventing 'em to tamper with administration VLAN)

BYtE,
 Diego.


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-03 Thread NdK
On 03/02/2012 12:51, Matthew Newton wrote:

> Apologies - I meant that finding the answer to your 'trick' is not
> a FreeRADIUS thing. It's a directory lookup, or identity
> management type issue.
There must be a misunderstanding. I'm not asking advice about the query
itself (that would be OT here). *Given* that the query should (and that
'should' is not FR-related) return a 4-rows answer that I must translate
to a single row, how do I translate it to a single value in FR?
Currently I'm doing that translation spawning two more processes, that
might not be needed.
Can unlang regexprs handle multiline output or are they limited to
single-line?
Since this 'optimization' is FR-specific, I'm asking to FR gurus here...

> Then, yes, of course it translates into 'how do I do this search
> _within_ FreeRADIUS'.
I know that: backticks :)

BYtE,
 Diego.



Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-03 Thread NdK
On 03/02/2012 13:48, Phil Mayers wrote:

> This doesn't work, unless username == email local part.
*or* win uses the username to calculate the response. Since users *can*
actually log in to their accounts using their mail address... Maybe win
caches (or looks up) the real username?

> Exactly. And this name is mixed into the challenge/response. If you try
> to use email addresses, the client will calculate:
Just like the domain that 'ntdomain' strips. Or the other forms of
domain I'm already stripping.

>   expected_response = crypto(challenge, samaccountname, stored_password)
Maybe they also calculate an alternative_response considering one (or
more) alternate username forms. Or, simply, win looks up real username
and domain when an email address is used and uses it to calculate its
response.

> Basically, usernames != email address, unless you MAKE them the same.
We often have user accounts in the form user.name.2 referring to a
different person than user.name. The number-accounted person might not
like the number, so asks for a UPN change and is given u.name. When
another account is created (say that from Ph.D he becomes a researcher)
the 'base name' would be user.name3, but the old UPN gets set for
user.name2 and u.name now points to user.name3 . So the mail address
is 'constant' even if the 'internal identity' changes. That person keeps
logging in as u.n...@unibo.it .
Maybe that's a stupid thing, but it's how things work here and I have no
control on that. I can only try to keep the best possible user experience.

BYtE,
 Diego.


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-03 Thread NdK
On 03/02/2012 18:57, Phil Mayers wrote:

> FreeRADIUS is a bit complex in this area, because of the age of the code
> involved. But basically:
>  1. with_ntdomain_hack = yes on the mschap module strips leading DOMAIN\
So it's not a hack. It's follow_mschap_specs :)

>  2. Otherwise, you have to populate Stripped-User-Name yourself
That's what I'm currently doing. Being the philosophy build by little
steps, all the domain logins already work. Even login with mail for
users w/o UPN change works. It could even be enough, but my hacking
genes would be really upset if I didn't try everything... :)

> Really, with_ntdomain_hack should be renamed strip_domain, should
> strip either leading DOMAIN\ or trailing @domain.com, and should default
> to on.
Shouldn't that be handled by 'suffix' ?

> I need to write a patch for 3.0 which does this.
Good.

>> the 'base name' would be user.name3, but the old UPN gets set for
>> user.name2 and u.name now points to user.name3 . So the mail address
>> is 'constant' even if the 'internal identity' changes. That person keeps
>> logging in as u.n...@unibo.it .
> That sounds complicated.
It is. Historical reasons ('we' started using AD ages ago... even M$
techs gave up on our setup :) ). The same for having multiple domains:
even M$ (at that time) didn't know if a single domain could handle about
500K users. *Now* we all know it can, and it's about 6 years a team is
working to try to collapse the forest in a single tree.

> Maybe. I think you're doing something complicated and weird, and I don't
> think you should be surprised if it doesn't work well in some cases. I
> don't think userPrincipalName is meant to be used that way.
Neither do I, but others thought so and now it can't be changed (at
least not easily, and for sure not by me)...
If it won't work, I'll be confident it's impossible to make it work
within our environment. But if I make it work, it could be useful for
others.

BYtE,
 Diego.


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-02 Thread NdK
On 01/02/2012 22:57, McNutt, Justin M. wrote:
> So I'm working on a way to Improve the User Experience.  I've gotten a LONG
> way, but now I'm stuck.  Here's the short/long version (all details, without
> undue explanation or discussion of what I tried that doesn't work):
Done nearly the same just some days ago.

> 1)  I created two custom attributes named My-NT-Domain and My-User-Name
> and added them to the dictionary file as 3003 and 3004, respectively.
I have had no need to create those. Just added, in policy.conf:
unibo_map_realms {
   if (User-Name =~ /^(PERSONALE|STUDENTI)(\\.DIR\\.UNIBO\\.IT)?\(.+)$/i ) {
   update request {
 Realm := %{1}
 Stripped-User-Name := %{3}
}
   }
   elsif (User-Name =~
/^(.+)@(PERSONALE|STUDENTI)(\\.DIR\\.UNIBO\\.IT)?$/i ) {
[... and so on for the various forms...]
Then added to proxy.conf:
# LOCAL domains: *unibo.it
realm ~^(.*\\.)?unibo\\.it {
}
to handle mail-like domains locally and finally added to default and
inner-tunnel a call to unibo_map_realms at the very beginning of
authorize section.

> 3)  I changed /etc/raddb/modules/mschap to call ntlm_auth like this:
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{My-User-Name}:-%{mschap:User-Name}}
> --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
No extra attributes needed in my case.

> NOW we want to be able to have a user authenticate without specifying a
> domain.  In theory, that's no big deal.  If the users NEVER specify a domain
> at all, I can populate my custom attributes with this:
[...]
> NOW, the problem is that if the user DOES specify domain\username
> correctly, then none of the cleanup cases match, so My-NT-Domain is empty.
> But since my custom attribute is empty, the Perl script is being called
> unnecessarily to run the LDAP search.
What about checking both your attribute and the mschap:NT-Domain just
after 'suffix' and 'ntdomain' entries?

BTW, do you see win setting a domain when the 'use login credentials'
checkbox (for mschapv2 options) is set? I always see just the
username... That might be good for your script...

BYtE,
 Diego.
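The realm mapping sketched in the message above (the unibo_map_realms policy, which splits DOMAIN\user and user@DOMAIN logins into Realm and Stripped-User-Name) combined with the mail-domain-to-realm handling from the 'Changing domain for ntlm_auth' thread further down the page, written out as an added Python example; this is not code from the list thread or from FreeRADIUS. The studio.unibo.it -> STUDENTI and unibo.it -> PERSONALE pairs are taken from the page; the check that rejects stripped names still carrying a separator is the example's own addition.

```python
import re
from typing import List, Optional, Tuple

# Realms the thread treats as local NT domains.
LOCAL_REALMS = ("PERSONALE", "STUDENTI")

# Mail-style login domains mapped onto those realms. The two pairs are the
# ones the thread mentions; holding them in a dict is this example's choice.
MAIL_DOMAIN_TO_REALM = {
    "studio.unibo.it": "STUDENTI",
    "unibo.it": "PERSONALE",
}

# The same three forms the unibo_map_realms policy matches, as Python regexes:
#   DOMAIN\user        (optionally DOMAIN.DIR.UNIBO.IT\user)
#   user@DOMAIN        (optionally user@DOMAIN.DIR.UNIBO.IT)
#   user@mail.domain   (e-mail style login)
_REALM_ALT = "|".join(LOCAL_REALMS)
_NT_FORM = re.compile(rf"^({_REALM_ALT})(\.DIR\.UNIBO\.IT)?\\(.+)$", re.IGNORECASE)
_UPN_FORM = re.compile(rf"^(.+)@({_REALM_ALT})(\.DIR\.UNIBO\.IT)?$", re.IGNORECASE)
_MAIL_FORM = re.compile(r"^([^@\\]+)@([^@\\]+)$")


def map_realm(user_name: str) -> Optional[Tuple[str, str]]:
    """Return (Realm, Stripped-User-Name) for a login in one of the three
    forms, or None when it matches none of them (such a request would fall
    through to the server's ordinary suffix/ntdomain handling)."""
    m = _NT_FORM.match(user_name)
    if m:
        return m.group(1).upper(), m.group(3)
    m = _UPN_FORM.match(user_name)
    if m:
        return m.group(2).upper(), m.group(1)
    m = _MAIL_FORM.match(user_name)
    if m:
        realm = MAIL_DOMAIN_TO_REALM.get(m.group(2).lower())
        if realm is not None:
            return realm, m.group(1)
    return None


def ntlm_auth_argv(user_name: str, challenge_hex: str,
                   nt_response_hex: str) -> Optional[List[str]]:
    """Assemble the argv an ntlm_auth line would receive after the mapping,
    using the --username/--domain split the thread describes. Returns None
    when the login cannot be mapped, or when the stripped name still carries
    a separator: the catch-all (.+) happily accepts DOMAIN\\other\\user, and
    refusing such names here is the example's own hardening."""
    mapped = map_realm(user_name)
    if mapped is None:
        return None
    realm, stripped = mapped
    if "\\" in stripped or "@" in stripped or not stripped.strip():
        return None
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--username={stripped}",
        f"--domain={realm}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
    ]


if __name__ == "__main__":
    # Constructed sample logins, one per form the thread discusses.
    for name in ("PERSONALE\\user.name", "studenti.dir.unibo.it\\studente.fittizio",
                 "user.name@PERSONALE", "u.name@studio.unibo.it",
                 "user.name@example.com"):
        print(f"{name!r:45} -> {map_realm(name)}")
```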


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-02 Thread NdK
On 02/02/2012 13:35, McNutt, Justin M. wrote:

> Thoughts?  Opinions?  Better ways to accomplish any/all of this?
>
> Briefly, there's probably not much you can do to improve this. If you
> have such a complex domain environment, you're going to have to write
> complex policies OR mandate your users always use the correct DOM\user
> format.
Or make 'em use their institutional email address. Easier to remember :)
Seems trivial but it might not be. At least in our case we have 3 kinds
of email addresses, referring to 2 domains. And the name before the '@'
sign might not be the same as the sAMAccountName.

I'm trying (with no luck :( ) to use
/usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep
sAMAccountName|sed s/^[^ ]* //
(maybe it's possible to do the same without using grep and sed, but it's
been just a quick test -- suggestions welcome).

Replacement is OK, but seems secrets.tdb can't be opened :( even if
permissions should be OK :-?

A limit of net ads search is that it searches only the default (joined)
domain, unless you specify another domain controller with -S or -I -- I
could easily do that based on the mail domain but in other setups it
could be harder.

BYtE,
 Diego.


Re: Verifying you are Joining the Active Directory Domain

2012-02-02 Thread NdK
On 02/02/2012 15:45, Gilmour, Scott wrote:

> I was wondering if this is because we installed winbind4 rather than winbind?
DON'T! Samba4 is not yet ok for production.
Use samba-winbind-3.5.11 .
After basic config of smb.conf (I posted mine some days ago) you can do:
net ads join -U admin.user@AD.KRB5.REALM
-- it asks for the admin's password and should tell join OK. AD.KRB5.REALM
must be properly configured in DNS (AD does it automatically) or you'll
have to configure /etc/krb5.conf .
Machine account should already have been created in AD.

BYtE,
 Diego.


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-02 Thread NdK
On 02/02/2012 21:59, Matthew Newton wrote:

>> /usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep
>> sAMAccountName|sed s/^[^ ]* //
>> (maybe it's possible to do the same without using grep and sed, but it's
>> been just a quick test -- suggestions welcome).
>
> Have you tried ldapsearch? Might be more flexible.
Can't use it: for security (privacy) our DCs don't allow anonymous
binding. And I can't add users, just machines and OUs.

> I'm rather guessing here, but I wonder if LDAP searching the AD
> global catalogue (ports 3268/3269) would make this work with one
> search?
Often you can't do an ldap search on AD...

> But that's not really a FreeRADIUS issue. You'd probably be better
> finding a samba or AD list.
What I was saying was:
1) it should be doable to let users do MSCHAPv2 auth using mail account
(which could be unrelated to sAMAccountName) instead of strange (from
users' POV) usernames with domains
2) I was asking for some trick that lets me do the same thing without
requiring processes for grep and sed (if possible... and that's FR specific)

BYtE,
 Diego.


Re: Design question

2012-02-02 Thread NdK
On 03/02/2012 01:27, Dan Letkeman wrote:

>> That will work, but you shouldn't. Create a different certificate
>> for each client, and for the radius server, all signed by the same
>> CA.
>
> This would be a nightmare to manage.  We have 2000+ clients.  I see
> the advantage, if the certificate was compromised that this would be
> important, but how in the world would you manage this?
The other method is worse, as Matthew said :)
Just email every user the cert to install together with the instructions
to do so.

Or you could evaluate joining machines to AD, then perform just machine
authentication or choose to do both machine auth and user auth so you
could place machines with no domain user logged in on a VLAN and
machines with specific domain users on another. This way local users can
only have minimal network access, while authenticated users can access
reserved portions of your network. And you can remotely manage
machines as soon as they're connected.

BYtE,
 Diego.


Re: Changing domain for ntlm_auth

2012-01-26 Thread NdK
On 25/01/2012 20:54, Phil Mayers wrote:

>> [...]
>> So I *can* insert unlang code there! Perfect!
> No. This is not unlang. It's just a string expansion.
Yup. Sorry, I was referencing the cut part.

> Unlang is a processing language that is only valid inside the virtual
> server authorize, post-auth, etc. sections. It's not valid in module
> configs.
OK.

Since it seems I have to do EXACTLY the same mapping both in default
and inner-tunnel sites, I saved my if chain in unibo.map and used
$INCLUDE to insert it in both virtual servers, just after the opening
brace of authorize. Hope it's the correct thing to do :) (even if
there's a suspect preprocess module in 'default' that smells like a
candidate...).

Too bad it seems unlang doesn't like :
if (cond) {
...
} elsif (othercond) {
...
} elsif (yetanother) {
...
}
(gives too many closing braces on the last line) or even:
if (cond) {
...
} else
if (othercond) {
...
} else
if (yetanother) {
...
}
(this one evaluates 'othercond' and 'yetanother' even if 'cond' is true,
completely discarding the 'else').
[The rationale for putting the 'if' on another line is that doing so I can
reorder the conditions w/o introducing errors]

That seems quite a serious limit in the unlang grammar...

BYtE,
 Diego.


Re: Changing domain for ntlm_auth

2012-01-26 Thread NdK
On 26/01/2012 12:24, Phil Mayers wrote:

> You can re-use bits of unlang as virtual modules. See policy.conf.
> This is often a bit neater than $INCLUDE.
Perfect! Exactly what was needed.

> FreeRADIUS config is basically:
[...]
> if, elsif are just blocks. Blocks need to start on their own line.
>
> The name is intended as a hint here - it's NOT a programming language.
> It's a syntax for writing authentication policies and rules, that is a
> bit like a language.
Then maybe the second sentence (and following) in the second paragraph
in the 'keywords' section of the man page could be more like:
unlang is a sequence (ordered list) of action blocks. Each action
block, identified by a keyword, starts on its own line and can span
multiple lines where a sub-block is allowed. Processing of a block is
sequential, from the first line to the last.

This gives a pretty (quite regular) EBNF grammar... :)

>> That seems quite a serious limit in the unlang grammar...
> That's quite a statement. Can't you just hit return after }?
Sure. That statement was due to a misunderstanding: that error made me
think I couldn't chain more than one elsif !

BYtE,
 Diego.


Changing domain for ntlm_auth

2012-01-25 Thread NdK
Hi all.

To let (most (*)) users login with their e-mail address, I'd need to
translate the realm part to a domain.

So I added to proxy.conf :
realm PERSONALE {
}
realm STUDENTI {
}
realm ~^studio\\.unibo\\.it {
Realm := STUDENTI
}
realm ~^studio\\.unibo\\.it {
Realm := PERSONALE
}
realm ~^unibo\\.it {
Realm := PERSONALE
}
What I thought it would do was if user name is like '@studio.unibo.it'
then set REALM to be local 'STUDENTI' but obviously I was wrong...
Request is EAP-PEAP-MSChapv2 and the authentication oracle is an AD node
(hence the use of ntlm_auth).

If I authenticate using user@PERSONALE it works perfectly. What am I
missing?

(*) Just 'most' users since I couldn't yet find a way to use the UPN, so
users whose UPN have been changed must login with their 'base' name.
Don't think there's an easy fix for this, since even joined win machines
*sometimes* refuse the changed UPN...

Tks,
 Diego.


Re: Authentication with multiple AD

2012-01-25 Thread NdK
On 25/01/2012 11:19, Pavel Klochan wrote:
> Hi. I need advice/help with my problem.
> I'm trying to authenticate with 2 LDAP-servers from freeradius, but
> without success.
I'm just a newbie, but have you tried proxying requests to two different
local servers?

BYtE,
 Diego.


Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 13:32, Phil Mayers ha scritto:

 To let (most (*)) users login with their e-mail address, I'd need to
 translate the realm part to a domain.
 Why do you think this is true?
'cause ntlm_auth won't authenticate user.n...@unibo.it or
user.name@PERSONALE . It returns no such user. It authenticates
PERSONALE\user.name . Or --username=user.name --domain=PERSONALE.

 (*) Just 'most' users since I couldn't yet find a way to use the UPN, so
 users whose UPN have been changed must login with their 'base' name.
 Don't think there's an easy fix for this, since even joined win machines
 *sometimes* refuse the changed UPN...
 I don't understand any of this. Please show a debug of it going wrong.
That's not FR-related. It's something in Win/AD, so I think there's
nothing doable from FR to fix it.

BYtE,
 Diego.


Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 12:48, Alan DeKok ha scritto:

 To let (most (*)) users login with their e-mail address, I'd need to
 translate the realm part to a domain.
   I'm not sure why.
Because KRB5-domain and DNS-domain are different in my setup. And I
can't change it.

 So I added to proxy.conf :
 ...
 realm ~^studio\\.unibo\\.it {
 Realm := STUDENTI
 }
   Huh?  NOTHING in the documentation or examples says that should work.
It won't work.  Don't do it.
Ok.

 What I thought it would do was if user name is like '@studio.unibo.it'
 then set REALM to be local 'STUDENTI' but obviously I was wrong...
   The server documentation describes how it works.  Follow the
 documentation to configure it.
But what should I do? In other words, *which* doc should I follow? How
is the needed feature named?

   I'm not sure you can change the domain for PEAP with ntlm_auth.  The
 domain is *also* in the MS-CHAP data.  So changing it in the arguments
 to ntlm_auth will likely not work.
I *think* it works by omitting the domain from checks, just like when
considering NT domain...

 If I authenticate using user@PERSONALE it works perfectly. What am I
 missing?
   It doesn't work the way you think it works.  It works the way it's
 documented to work.
I know. But I couldn't find the doc to read...

 (*) Just 'most' users since I couldn't yet find a way to use the UPN, so
 users whose UPN have been changed must login with their 'base' name.
 Don't think there's an easy fix for this, since even joined win machines
 *sometimes* refuse the changed UPN...
   Have the users change their login domain.
Those pathological cases have to change. But it's usually much better to
let 99% of the users authenticate in the same way on all the services...

BYtE,
 Diego.


Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 18:24, Phil Mayers ha scritto:

 There are many ways to do this. The simplest is something like follows:
 modules/mschap:
   ...
   ntlm_auth = .. \
 --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
 --nt-domain=YOUR-DOMAIN
That's not doable. If mail is in unibo.it, domain is not unibo.it but
PERSONALE. Same if mail is in esterni.unibo.it . But for studio.unibo.it
domain is STUDENTI.

 sites-enabled/whatever:
 authorize {
   ...
   ntdomain
   suffix
   mschap
   ...
 }
 ...and define the realms in your proxy.conf file.
That's what I was trying :)

 This solution basically uses the realm module to strip the DOMAIN\user
 and u...@domain.com into user and DOMAIN / domain.com. You then
 ignore the realm in your ntlm_auth line - just hard-code it.
Can't hardcode.

 If you can't ignore the realm, you can do something like:
 modules/mschap:
   ...
   ntlm_auth = .. \
 --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
 --nt-domain=%{%{Realm}:-DEFAULT}
More something like %{%{mschap:Domain}:-%{Realm}:-PERSONALE} ...
[...]
So I *can* insert unlang code there! Perfect!

 Basically, YOU control what data is passed to ntlm_auth, and FreeRADIUS
 provides several methods to control this.
It's enough to know where those controls can be placed :)

 If you need more specific help, just ask. But please try to read the
 docs for man unlang and the many, many examples in the default configs
 and in the list archives.
I tried (I always try for at least a couple hours before posting a
question)... But without knowing what you're looking for it's hard to
dig it...

Tks. I think w/ this info I'll be OK.

BYtE,
 Diego.
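The identity handling Phil and Diego are discussing above (suffix/ntdomain stripping, then a `%{%{a}:-%{b}:-default}` fallback chain to pick the NT domain for ntlm_auth), as an added example that is not code from the thread or from FreeRADIUS. The realm-to-domain table is an assumption built from Diego's description of his site; the names `alice`, `Request`, `strip_identity`, `select_domain` and `ntlm_auth_argv` are mine.

```python
"""Identity stripping and NT-domain selection for an ntlm_auth line.

Added example, not code from the thread or from FreeRADIUS. It models the
realm module's first-match behaviour (suffix vs ntdomain order), the
%{%{a}:-%{b}:-default} fallback chain, and a realm-to-domain table that is
an assumption based on the poster's description of the site.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Assumed mapping from e-mail realm to NT domain (constructed, not the page's config).
REALM_TO_DOMAIN: Dict[str, str] = {
    "unibo.it": "PERSONALE",
    "esterni.unibo.it": "PERSONALE",
    "studio.unibo.it": "STUDENTI",
}
DEFAULT_DOMAIN = "PERSONALE"   # the :-PERSONALE fallback used in the thread


@dataclass
class Request:
    """Just the attributes the ntlm_auth line expands."""
    user_name: str
    stripped_user_name: Optional[str] = None   # set by suffix/ntdomain
    realm: Optional[str] = None                # Realm attribute
    nt_domain: Optional[str] = None            # what %{mschap:NT-Domain} yields


def strip_identity(user_name: str,
                   order: Sequence[str] = ("suffix", "ntdomain")) -> Request:
    """Mimic the realm module: the first style in `order` that matches wins,
    the others are not tried ('the other styles won't be checked')."""
    req = Request(user_name=user_name)
    for style in order:
        if style == "suffix" and "@" in user_name:
            user, realm = user_name.rsplit("@", 1)
            req.stripped_user_name, req.realm = user, realm.lower()
            return req
        if style == "ntdomain" and "\\" in user_name:
            domain, user = user_name.split("\\", 1)
            req.stripped_user_name, req.realm = user, domain.upper()
            req.nt_domain = domain.upper()
            return req
    return req   # bare user name: nothing stripped, no realm


def xlat_fallback(*values: Optional[str]) -> str:
    """%{%{a}:-%{b}:-c}: the first non-empty value is used."""
    for value in values:
        if value:
            return value
    return ""


def select_domain(req: Request) -> str:
    """Preference order: NT domain from DOMAIN\\user, then the e-mail realm
    mapped through the table, then the site default. An unmapped realm
    deliberately falls through to the default instead of being handed to
    ntlm_auth as a (non-existent) domain name."""
    mapped = REALM_TO_DOMAIN.get(req.realm) if req.realm else None
    return xlat_fallback(req.nt_domain, mapped, DEFAULT_DOMAIN)


def ntlm_auth_argv(req: Request, challenge_hex: str, nt_response_hex: str,
                   program: str = "/usr/bin/ntlm_auth") -> List[str]:
    """Build the argument vector the mschap module would hand to ntlm_auth.
    Nothing is executed; this only shows which values end up where."""
    return [
        program, "--request-nt-key",
        "--username=" + xlat_fallback(req.stripped_user_name, req.user_name),
        "--domain=" + select_domain(req),
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
    ]


def domain_for(user_name: str) -> str:
    """Convenience: identity in, NT domain out."""
    return select_domain(strip_identity(user_name))
```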


Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 15:58, Alan Buxey ha scritto:

 use Stripped-User-Name in the ntlm_auth line and NT-Domain for
 domain (enable ntdomain in authorize) - see the example ntlm_auth
 provided with server...
Already tried and discarded.
I think the definitive solution is the one highlighted by Phil.

Tks.

Diego.


Re: LDAP Group assign to vlan after AD user authentication

2012-01-24 Thread NdK
Il 24/01/2012 08:48, Arran Cudbard-Bell ha scritto:

 But how do I set Tunnel-Private-Group-Id from an
 exec-ed script?
 Just execute it using a backticks expansion, store the result in Tmp-String-0 
 then use regular expression matches over the result to figure out whether it 
 contains a certain group or not. You may hit the maximum internal string size 
 if the user is a member of lots of groups in which case the result would be 
 silently truncated (just something to watch for).
Urgh! So easy! :)

 Honestly doing it with LDAP would probably be significantly easier and 
 faster. Exec is really quite slow...
Surely. But in some setups it's not possible to browse AD as an ldap
server. At least w/o leaving around username and password. That's a
no-no, unless you can create service users (which we can't :( ).
But this way we can put users on different VLANs w/o problems :)

IIUC, post-auth exec should occur only once, right?

Tks,
 Diego.


Re: eapol_test giving up and win-like error?

2012-01-23 Thread NdK
Il 20/01/2012 11:55, Phil Mayers ha scritto:

 If that's really all you've changed, there must be something wrong with
 Samba; it's getting the final crypto blob wrong, and the client is
 dropping the packets. You'll need to investigate and fix this.
Just tested with radtest (have had to use single quotes and FOUR
backslashes! -- my password is obviously in $P):
# radtest -t mschap 'PERSONALE\\\\diego.zuccato' $P localhost 0 testing123
Sending Access-Request of id 123 to 127.0.0.1 port 1812
User-Name = PERSONALE\\diego.zuccato
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
MS-CHAP-Challenge = 0x7f218889d9de0c84
MS-CHAP-Response =
0x000115ea491108aa02bb34b5fe79918a67cd8a7b069240091194
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=123,
length=84
MS-CHAP-MPPE-Keys =
0x3b1acd0b65d7af221df50f6ca50447cf
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

And the Access-Accept is quite fast.

When using eapol_test, I get the timeout.

The difference is that radtest seems to use mschapv1 while eapol_test
uses mschapv2.

What could be so wrong that v1 works and v2 doesn't? IIUC v2 includes
username and client nonce in the authenticator, while v1 doesn't.

BYtE,
 Diego.


Re: eapol_test giving up and win-like error?

2012-01-23 Thread NdK
Il 23/01/2012 11:02, Phil Mayers ha scritto:

 Mschap v1 doesn't validate the reply from server to client, which is what is 
 failing with eapol_test. Therefore you're not testing the same path.
So radtest isn't actually equivalent to eapol_test. It's just another
step for testing.

 Try using a local i.e. non samba user to test. I am sure the problem is with 
 your samba daemon.
What do you mean by local user? One added in users file? I know it
works (tested while following the guide), but it's not using mschapv2,
IIUC...

From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that
script only generates NTLMv1 responses... And it references a quite old
Samba version. I'm using 3.5.10.
From comment 46: Yes, 3.5.6 has all necessary fixes for this issue.
Unless the sernet packages do contain other changes, it should just work
with those packages.

I retested, adding winbind:forcesamlogon = True and eapol_test is now
successful.
Might be useful to add to the guide. Seems, after all, it's needed for
recent SAMBA releases, too.

Just for completeness my (now working) smb.conf is:
[global]
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
security = ADS
restrict anonymous = 2
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
idmap uid = 10-1
idmap gid = 10-1
template shell = /bin/bash
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config STUDENTI:range = 5000 - 
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:backend = rid
idmap config PERSONALE:range = 10 - 4999
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:backend = rid
idmap config STUDENTI:default = yes
idmap config PERSONALE:default = no
winbind:forcesamlogon = True
[maybe the whole idmap could be removed, but better not to touch it once
it's working...]
No need to edit /etc/krb5.conf (interfacing to a native AD domain, so
DNS records are OK for auto-discovery of Kerberos servers).

Now it's Zeroshell's turn...

Tks for the patience.

BYtE,
 Diego.
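The difference Diego asks about two messages up (why MS-CHAPv1 via radtest passes while MS-CHAPv2 via eapol_test times out) and Phil's answer above (v1 never validates the server's reply) come down to one computation: the MS-CHAPv2 authenticator response. The following is an added example, not code from the thread or from FreeRADIUS; it implements RFC 2759 sections 8.2 and 8.7 with the RFC's own section 9.2 test vectors, and the function names `challenge_hash`, `authenticator_response`, `client_accepts` and `demo` are mine.

```python
"""MS-CHAPv2 authenticator response: the step MS-CHAPv1 does not have.

Added example, not code from the thread or from FreeRADIUS. After checking
the client's NT-Response, an MS-CHAPv2 server must answer "S=<40 hex>",
computed (RFC 2759, sections 8.2 and 8.7) from the hash of the NT password
hash, i.e. the NT_KEY that ntlm_auth --request-nt-key hands back. A wrong
key breaks both this response and the MPPE keys derived from it, so the
supplicant aborts even though the server considered the password valid.
MS-CHAPv1 has no such check. Test values are the RFC 2759 9.2 vectors.
"""
import hashlib
import hmac

MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   username: bytes) -> bytes:
    """RFC 2759 8.2: 8-byte challenge bound to both nonces and the user name.
    The user name is the bare account without a DOMAIN\\ prefix; a client
    that sends DOMAIN\\user but hashes only 'user' is what rlm_mschap's
    with_ntdomain_hack compensates for."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: bytes) -> str:
    """RFC 2759 8.7. password_hash_hash is MD4(MD4(UTF-16LE password)), a
    value a domain controller can return without the cleartext password."""
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    return "S=" + hashlib.sha1(digest + chal + MAGIC2).hexdigest().upper()


def client_accepts(received: str, expected: str) -> bool:
    """The supplicant's side: constant-time compare; any mismatch ends the
    session, which is the 'MPPE keys OK: 0 mismatch: 1 / FAILURE' outcome."""
    return hmac.compare_digest(received.encode(), expected.encode())


# RFC 2759 section 9.2 test vectors (user "User", password "clientPass").
RFC_USERNAME = b"User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex(
    "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
RFC_PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")
RFC_AUTHENTICATOR_RESPONSE = "S=407A5589115FD0D6209F510FE9C04566932CDA56"


def demo(nt_key: bytes = RFC_PASSWORD_HASH_HASH) -> bool:
    """Run the server computation with a given NT_KEY and report whether a
    correct client would accept it. Pass a wrong key to reproduce the
    failure seen with eapol_test in this thread."""
    server_says = authenticator_response(nt_key, RFC_NT_RESPONSE,
                                         RFC_PEER_CHALLENGE,
                                         RFC_AUTH_CHALLENGE, RFC_USERNAME)
    return client_accepts(server_says, RFC_AUTHENTICATOR_RESPONSE)
```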


Re: LDAP Group assign to vlan after AD user authentication

2012-01-23 Thread NdK
Il 23/01/2012 14:48, Arnaud Loonstra ha scritto:

 But I reckon you could also do something like that in post-auth section
 if (Ldap-Group == cn=mygroup,ou=groups,o=radius) {
   update reply {
 Tunnel-type = VLAN
 Tunnel-medium-type = IEEE-802
 Tunnel-Private-Group-Id = 1
   }
 }
I think it could be possible to do the same using exec, a script and
wbinfo... Just still don't know how.
With
SID=$(wbinfo -n ADusername | cut -d' ' -f1)   # wbinfo -n prints "SID type"; keep only the SID
for T in $(wbinfo --user-domgroups "$SID") ; do
 wbinfo -s "$T"
done
I can get all AD groups ADusername is into. Checking group membership
would be even easier. But how do I set Tunnel-Private-Group-Id from an
exec-ed script?

BYtE,
 Diego.
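The group-to-VLAN step from this message and from Arran's reply (match the groups a user is in, set Tunnel-Private-Group-Id, and watch for the silently truncated group string), as an added example that is not code from the thread. The group table, the size limit `MAX_TMP_STRING` and the sample `wbinfo -s` output are constructed, wbinfo itself is not run, and the function names are mine.

```python
"""Choose a VLAN from AD group membership for Tunnel-Private-Group-Id.

Added example, not code from the thread. It models what a script run via
exec (or the backticks expansion Arran describes) would do with the output
of `wbinfo -s` for each group SID: exact-name matching against a table,
with a guard for the silent truncation he warns about. The group table,
the size limit and the sample output are constructed; wbinfo is not run.
"""
from typing import List, Optional, Sequence, Tuple

# Constructed: group name -> VLAN id, most specific first (first hit wins).
GROUP_VLANS: Sequence[Tuple[str, int]] = (
    ("PERSONALE\\wifi-admins", 10),
    ("STUDENTI\\studenti", 30),
    ("PERSONALE\\staff", 20),
)
# Constructed stand-in for the internal string size limit; check the
# server version you run for the real value.
MAX_TMP_STRING = 253


def parse_wbinfo_names(text: str) -> List[str]:
    """`wbinfo -s SID` prints 'DOMAIN\\name type' per line; keep the name."""
    names = []
    for line in text.splitlines():
        parts = line.strip().rsplit(" ", 1)
        if len(parts) == 2 and parts[1].isdigit():
            names.append(parts[0])
    return names


def pack_groups(names: Sequence[str], limit: int = MAX_TMP_STRING) -> str:
    """Join for a Tmp-String-0 style attribute, refusing to truncate silently:
    a cut-off list could drop exactly the group that selects the VLAN."""
    joined = ",".join(names)
    if len(joined) > limit:
        raise ValueError(f"group list is {len(joined)} chars, over limit {limit}")
    return joined


def pick_vlan(packed: str,
              table: Sequence[Tuple[str, int]] = GROUP_VLANS) -> Optional[int]:
    """Exact token match, so 'PERSONALE\\staff' does not match
    'PERSONALE\\staff-ext' the way a bare substring regex would."""
    members = set(packed.split(",")) if packed else set()
    for group, vlan in table:
        if group in members:
            return vlan
    return None


def reply_pairs(vlan: Optional[int]) -> List[Tuple[str, str]]:
    """Attribute pairs for the reply; an empty list means no VLAN assignment."""
    if vlan is None:
        return []
    return [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
            ("Tunnel-Private-Group-Id", str(vlan))]


# Constructed sample of what the wbinfo loop above would print for one user.
SAMPLE_WBINFO = """\
PERSONALE\\Domain Users 2
PERSONALE\\staff-ext 2
PERSONALE\\staff 2
"""


def vlan_for_wbinfo_output(text: str) -> List[Tuple[str, str]]:
    """End to end: wbinfo text in, reply attribute pairs out."""
    return reply_pairs(pick_vlan(pack_groups(parse_wbinfo_names(text))))
```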


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread NdK
Il 20/01/2012 21:46, Alan DeKok ha scritto:

   Yeah, I've gone and fixed that.  git is nice for updating web pages.
Uh... forgot... When using ntlm_auth with a password, --request-nt-key
seems to have no effect. Tested in different distros.

BYtE,
 Diego.


Re: eapol_test giving up and win-like error?

2012-01-20 Thread NdK
Il 19/01/2012 13:01, Phil Mayers ha scritto:

 I'm not sure what the problem is then. From your original post, the
 authentication is failing at the *client*, in the inner EAP section.
 This normally means the final MSCHAP response is invalid, which only
 happens if some crypto has gone wrong somewhere.
But then it should fail immediately, not after a timeout!
And an immediate failure is the result when I *disable*
'with_ntdomain_hack=yes' line in mschap.

No changes even enabling ntdomain lines in 'default' and
'inner-tunnel' sites (IIUC those should only detect the domain,
regardless of it being prefix or suffix).

 Another problem I should fix is the fact that ZS's captive portal passes
 user@realm credentials instead of realm\user ... rewriting w/ a simple
 rule in hints file seems to block the rest, so I left it behind, for now.
 You can't alter usernames in EAP. They are usually mixed into the
 challenge/response data, and altering them in-flight means the
 challenge/response will fail.
Ok. I'm not going to change 'em.

 To be honest, there's too much going on in your setup; my advice would
 be to create a new server (running 2.1.12) and use the default setup.
 Test your EAP with eapol_test. Make small changes, storing the config
 into version control at each step. Identify exactly which point the
 failures start happening at.
That's exactly what I've done till now. The failures start when I enable
the auth I need. The problem w/ CP is just an issue scheduled for later
examination -- nothing configured yet to fix it.

That's my 'hg diff' output (w/o the certs part) from the base config
(from the tutorial):

diff -r 434b2b3ededc clients.conf
--- a/clients.conf  Mon Jan 16 15:17:07 2012 +0100
+++ b/clients.conf  Fri Jan 20 11:22:45 2012 +0100
@@ -232,3 +232,10 @@
 #  secret = testing123
 #}
 #}
+
+client 137.204.65.161 {
+   secret = testing123qaz
+}
+client 137.204.65.96 {
+   secret = testing123qaz
+}
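Review bot: both new clients share the literal secret `testing123qaz`, which looks like a throwaway test value and has now been posted to a public list (it also appears on the eapol_test command line later in the thread); give each client its own long random secret and rotate this one before the server goes live.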
diff -r 434b2b3ededc modules/mschap
--- a/modules/mschapMon Jan 16 15:17:07 2012 +0100
+++ b/modules/mschapFri Jan 20 11:22:45 2012 +0100
@@ -34,6 +34,7 @@
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no
+   #with_ntdomain_hack = yes

# The module can perform authentication itself, OR
# use a Windows Domain Controller.  This configuration
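Review bot: the added `#with_ntdomain_hack = yes` is commented out, so this hunk changes nothing and the module keeps the default `no`; the message above says removing this line makes the failure immediate, so either the tested config differed from this diff or that observation needs re-checking. Uncomment it if the intent is to enable the hack, and drop the line otherwise.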
@@ -63,4 +64,7 @@
# the best user name for the request.
#
#ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
+   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{User-Name:-None}}
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
+#  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}}
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
+#  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
 }
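Review bot: the active `ntlm_auth` line takes `--username` from `%{mschap:User-Name}` and `--domain` from `%{mschap:NT-Domain}`, so the `Stripped-User-Name`/`Realm` values produced by `ntdomain`/`suffix` in the sites are not used here; pick one source of truth. The two commented variants reference `%{myDomain}`, which is not a standard attribute and needs a dictionary definition before it can expand, and the third one passes `--password=%{User-Password}` alongside `--challenge`/`--nt-response` although an MS-CHAP request carries no User-Password (as noted later in the thread).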
diff -r 434b2b3ededc modules/ntlm_auth
--- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100
+++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100
@@ -8,5 +8,6 @@
 #
 exec ntlm_auth {
wait = yes
-   program = /path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}
+#  program = /usr/bin/ntlm_auth --request-nt-key
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--username=%{mschap:User-Name} --password=%{User-Password}
+   program = /usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
 }
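Review bot: this `program` line mixes `--password=%{User-Password}` with `--challenge`/`--nt-response`; ntlm_auth is driven either by a cleartext password or by a challenge/response pair, so supplying both is ambiguous, and this `exec` module is only useful for requests that carry a cleartext password anyway. Keep the original password-only form here and leave MS-CHAP to the `mschap` module's own ntlm_auth line; `%{myDomain}` is undefined unless added to the dictionary, as above.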
diff -r 434b2b3ededc sites-available/default
--- a/sites-available/default   Mon Jan 16 15:17:07 2012 +0100
+++ b/sites-available/default   Fri Jan 20 11:22:45 2012 +0100
@@ -116,7 +116,7 @@
#  the other styles won't be checked.
#
suffix
-#  ntdomain
+   ntdomain

#
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
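Review bot: with `ntdomain` enabled right after `suffix`, the first matching style wins, as the comment in this hunk says, so an identity like `PERSONALE\user@unibo.it` is handled by `suffix` alone. Also make sure every domain `ntdomain` can extract (PERSONALE, STUDENTI) is defined as a realm in proxy.conf; an unknown realm leaves the request untouched and no `Stripped-User-Name` is produced.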
@@ -306,6 +306,8 @@
 #  handled  # override the updated code from
attr_filter
 #  }
 #  }
+
+#  ntlm_auth
 }


@@ -347,7 +349,7 @@
#  home server as authentication requests.
 #  IPASS
suffix
-#  ntdomain
+   ntdomain

#
#  Read the 'acct_users' file
diff -r 434b2b3ededc sites-available/inner-tunnel
--- a/sites-available/inner-tunnel  

Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread NdK
Il 20/01/2012 17:17, Dhiraj Gaur ha scritto:

 Thanks for the reply. I already followed your site and was able to make
 ntlm_auth work. For MS-CHAP the AD page of your site says
 
 Start the server and use a test client to send an MS-CHAP
 authentication request. The |radclient| cannot currently be used to send
 this request, unfortunately, which makes testing a little difficult If
 everything goes well, you should see the server returning an
 Access-Accept http://freeradius.org/rfc/rfc2865.html#Access-Accept
 message as above.
Been there too.
But after that I tested with eapol_test from wpa_supplicant. With
negative results :(

 Hence I was of the view radtest cannot work for MS-CHAP authentication.
 Request you to point me to the right link and way to do the MS-CHAP
 procedure and testing the same through radtest. I could not understand
 There's no User-Password in MS-CHAP.
It's not sent to the server, so you can't use --pass= for ntlm_auth.
It's only used to encrypt the challenge.


BYtE,
 Diego.


Re: Problem with MSCHAP and Freeradius authentication

2012-01-20 Thread NdK
Il 20/01/2012 19:44, Alan DeKok ha scritto:

   The radclient program has since been updated.
Then it could be better to update that page, since it's the reference
for all newbies that try to make it work.

   You hard-coded it to *always* do NTLM authentication, using the PAP
 credentials.  Then you sent it a request which didn't contain a
 cleartext password.
That's easy, it's on the page: remove the DEFAULT added for testing :)

   Again, the guide explains this in great detail.  Follow it, and it
 will work.
It *should* work is more correct :(
There still are many things that can go wrong.

BYtE,
 Diego.


Re: eapol_test giving up and win-like error?

2012-01-19 Thread NdK
Il 19/01/2012 10:03, Phil Mayers ha scritto:

 EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
 MPPE keys OK: 0  mismatch: 1
 FAILURE
These (plus the timeout one) are the lines printed after FR has already
closed the session.

 Hmm. I see from your original email that Samba and ntlm_auth are succeeding.
Yup. I'm quite used to joining machines to AD... Already have about 100
clients and 5 servers, and this one is the one giving me troubles :(

 There are a couple of buggy version of Samba out there that return
 invalid response values, and generate these symptoms. Which version of
 Samba are you running, and on what OS?
Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working,
I'll have to move the config to a ZeroShell box with Samba 3.5.10.

Another problem I should fix is the fact that ZS's captive portal passes
user@realm credentials instead of realm\user ... rewriting w/ a simple
rule in hints file seems to block the rest, so I left it behind, for now.

Tks,
 Diego.


eapol_test giving up and win-like error?

2012-01-18 Thread NdK
Hi all.

I think I'm close to having my server configured correctly... but I run
into a situation that IIUC should be related to win clients only: I get
--8<--
WARNING:
!!
WARNING: !! EAP session for state 0x6ac8f8c260c3e171 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!
--8<--
message and *eapol_test* (run from a *linux* machine!) gives up after
about 10 seconds.
I checked the FAQ, but couldn't find anything useful.
The certs I'm using are from internal CA (actually from an internal
intermediate CA, cert chain is certs/ca.pem and is 4.5k; root CA's
self-signed cert is pointed by ca_cert= in eapol_test's config file).

Server is a plain Debian Squeeze, plus SAMBA 3.5.6 and FreeRADIUS 2.1.10 .
Domain is correctly joined and winbindd is running.
I followed steps described in
http://deployingradius.com/documents/configuration/active_directory.html
(then noticed that the two references to ntlm_auth in authenticate
sections aren't needed for mschapv2: ntlm_auth gets called by mschap
module).

The complete output from freeradius -X is:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14
2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/passwd
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {

Re: eapol_test giving up and win-like error?

2012-01-18 Thread NdK
Il 18/01/2012 15:25, Alan DeKok ha scritto:
 NdK wrote:
 I think I'm close to having my server configured correctly... but I run
 into a situation that IIUC should be related to win clients only: I get
 ...
 message and *eapol_test* (run from a *linux* machine!) gives up after
 about 10 seconds.
 
   Then read the error messages from eapol_test.  Why does it stop?  It
 should say.
That's eapol_test output. I changed my AD pass to 'testing123' just for
the time needed to test, so the values are the real ones.
I can't see any error, just a timeout...
There's a short delay before EAPOL: startWhen -- 0 and a long one
just after.
If needed, I logged output of freeradius -X for this run, too (not
posted to avoid spamming the list too much -- nothing changed in its
config).

# eapol_test -c /home/ndk/Scaricati/peap-mschapv2.conf -s testing123qaz
-a 137.204.65.163
Reading configuration file '/home/ndk/Scaricati/peap-mschapv2.conf'
Line: 4 - start of a new network block
key_mgmt: 0xd
proto: 0x3
group: 0x18
scan_ssid=1 (0x1)
mode=0 (0x0)
ssid - hexdump_ascii(len=8):
 41 4c 4d 41 57 49 46 49   ALMAWIFI
pairwise: 0x18
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00
00 00
password - hexdump_ascii(len=10):
 74 65 73 74 69 6e 67 31 32 33 testing123
identity - hexdump_ascii(len=23):
 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
 7a 75 63 63 61 74 6f  zuccato
phase2 - hexdump_ascii(len=15):
 70 68 61 73 65 32 3d 4d 53 43 48 41 50 56 32  phase2=MSCHAPV2
ca_cert - hexdump_ascii(len=61):
 2f 68 6f 6d 65 2f 6e 64 6b 2f 44 6f 63 75 6d 65   /home/ndk/Docume
 6e 74 69 2f 55 66 66 69 63 69 6f 2f 43 41 2f 63   nti/Ufficio/CA/c
 65 72 74 73 2f 41 73 74 72 6f 6e 6f 6d 69 61 20   erts/Astronomia
 2d 20 52 6f 6f 74 20 43 41 2e 63 72 74- Root CA.crt
Priority group 0
   id=0 ssid='ALMAWIFI'
Authentication server 137.204.65.163:1812
RADIUS local address: 137.204.65.96:45959
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=23):
 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
 7a 75 63 63 61 74 6f  zuccato
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=28)
TX EAP - RADIUS - hexdump(len=28): 02 00 00 1c 01 50 45 52 53 4f 4e 41
4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=23): 50 45 52
53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=154
   Attribute 1 (User-Name) length=25
  Value: 'PERSONALE\diego.zuccato'
   Attribute 4 (NAS-IP-Address) length=6
  Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
  Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
  Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
  Value: 19
   Attribute 77 (Connect-Info) length=24
  Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=30
  Value: 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f
2e 7a 75 63 63 61 74 6f
   Attribute 80 (Message-Authenticator) length=18
  Value: bd 07 f8 80 77 2d 48 51 d9 90 ce fe 5b e2 8f 35
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
  Value: 01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e
1b 55
   Attribute 80 (Message-Authenticator) length=18
  Value: 75 9e 8f 62 48 3d 24 33 f9 ba cc ac 8c d3 cc 90
   Attribute 24 (State) length=18
  Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec

RADIUS