Re: users file auth failing

2008-10-28 Thread Pat Riehecky
On Mon, 2008-10-27 at 18:41 -0600, Anthony Chavez wrote:
 Module: Instantiating ldap
   ldap {
 server = directory.somedomain
 port = 389
 password = secret
 identity = cn=Manager,dc=somedomain

I don't know how much of this was from clean up, but if possible you
really, really shouldn't use cn=Manager,dc=somedomain for this.  It is
generally considered a no-go to let anything use the directory manager.
At our site I created a dedicated radiusd user who has exactly and only
the rights needed by radius.  I don't know if that is an option at your
site, but if it is I strongly suggest it.

Pat

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
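
A worked illustration of the dedicated bind account Pat recommends, added here as an example; it is not from the original thread or from Pat's site. It assumes FreeRADIUS 2.x rlm_ldap syntax and OpenLDAP slapd.conf-style ACLs with bind-as-user (Auth-Type LDAP) authentication; the DN cn=radiusd,ou=services,dc=somedomain, ou=people, the radiusTunnelType check attribute and the password placeholder are all assumptions.

```conf
# --- Weak: binding as the directory manager (as in the quoted config) ---
ldap {
    server   = directory.somedomain
    port     = 389
    identity = cn=Manager,dc=somedomain   # rootdn: bypasses every slapd ACL
    password = secret
}

# --- Corrected: a dedicated service account with only the rights RADIUS needs ---
ldap {
    server   = directory.somedomain
    port     = 389
    identity = cn=radiusd,ou=services,dc=somedomain   # assumed DN
    password = CHANGE_ME_PLACEHOLDER                   # placeholder, not a real secret
    basedn   = ou=people,dc=somedomain                 # assumed user subtree
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# slapd.conf ACLs: the first matching "access to" clause applies, then the first
# matching "by" line inside it. The radiusd account never gets to read
# userPassword; passwords are checked by binding as the user, which only
# needs "by anonymous auth".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Read-only access to the entry and the attributes rlm_ldap searches on or
# checks (radiusTunnelType stands in for whatever check attribute is assumed).
access to dn.subtree="ou=people,dc=somedomain"
        attrs=entry,uid,cn,radiusTunnelType
        by dn.exact="cn=radiusd,ou=services,dc=somedomain" read
        by self read
        by * none

# Everything else in the directory stays closed to the service account.
access to *
        by self read
        by * none
```

If the account later turns out to need one more attribute, add it to the attrs list of the second rule rather than widening the bind DN; a bind attempt as cn=radiusd that tries to read anything outside that list fails loudly in the slapd log, which is the check you want.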


undefined symbol: eaptls_session_idx

2008-10-24 Thread Pat Riehecky
I built my own version of freeradius from the ubuntu package for 8.10.
The ubuntu version stamp on it is 2.1.0+dfsg-0ubuntu2 so I expect it is
freeradius 2.1.0 (and the source confirms this).

I modified the package scripts so that I can link the program to openssl
and get the eap modules.  The program built without a hitch so I was a
bit shocked to find that I get a linking error when I start the server.

What can I do to fix this?  Ubuntu 8.04, x86

My guess is recompile, but without knowing what I did wrong I will just
get a bad build again and again and again.

snip
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
rlm_eap: Failed to link
EAP-Type/tls: /usr/lib/freeradius/rlm_eap_tls.so: undefined symbol:
eaptls_session_idx
/etc/freeradius/eap.conf[17]: Instantiation failed for module eap
/etc/freeradius/sites-enabled/inner-tunnel-ldap[223]: Failed to find
module eap.
/etc/freeradius/sites-enabled/inner-tunnel-ldap[176]: Errors parsing
authenticate section. 
 }
}
Errors initializing modules




Authentication seems to work, only it doesn't actually (EAP-TTLS)

2008-08-14 Thread Pat Riehecky
My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP

That being said I have taken one of my existing, working with FreeRadius
1.1.5, access points and pointed it at my test radius server.

When I try and connect the agent sends dozens of requests that the debug
log seems very happy with Login OK: [prieheck] (from client
However, that seems to be the extent of it.  The logins are approved,
but it doesn't seem like anyone is getting informed.

A radeapclient test:

+++ About to send encoded packet:
User-Name = prieheck
Cleartext-Password = please
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = prieheck
Message-Authenticator = 0x00
NAS-Port = 0
+++ EAP decoded packet:
EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4
Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17
State = 0x5d58d3605d8bd76df879afd5c99b16ef
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4

+++ About to send encoded packet:
User-Name = prieheck
Cleartext-Password = please
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x
NAS-Port = 0
EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14
State = 0x5d58d3605d8bd76df879afd5c99b16ef
+++ EAP decoded packet:
EAP-Message = 0x03d30004
Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290
User-Name = prieheck
EAP-Id = 211
EAP-Code = Success

   Total approved auths:  1
 Total denied auths:  1

So it looks to me like the eap bit is all going good, but I am at a loss
(especially concerning the denied auth there...).

EAP/PEAP is working just fine so I think it may be my eap.conf file
related to ttls:

 eap.conf
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/radius.key
certificate_file = ${certdir}/radius.crt
CA_file = ${cadir}/cacert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = DEFAULT
make_cert_command = ${certdir}/bootstrap
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
mschapv2 {
}
md5 {
}
}

This is a bit of the debug output from FreeRadius:
snip
++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
  TTLS: Got tunneled reply RADIUS code 2
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
MS-MPPE-Recv-Key =
0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
MS-MPPE-Send-Key =
0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
EAP-Message = 0x03060004
Message-Authenticator = 0x
User-Name = prieheck
Finished request 4.
Going to the next request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 218 with timestamp +19
Waking up in 0.3 seconds.
Cleaning up request 1 ID 219 with timestamp +20
Cleaning up request 2 ID 220 with timestamp +20
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223,
length=142
User-Name = prieheck
Framed-MTU = 1400
Called-Station-Id = 000f.f7d4.d460
Calling-Station-Id = 0106.cfa9.d2eb
Service-Type = Login-User
/snip

Currently using FreeRadius 2.0.5 on 32-bit Ubuntu, built by me.

I would happily share any of my other config lines, but don't know what
you would want to see and don't want to flood you with too much data.

Pat




Re: Authentication seems to work, only it doesn't actually (EAP-TTLS)

2008-08-14 Thread Pat Riehecky
On Thu, 2008-08-14 at 15:59 +0200, Alan DeKok wrote:
 Pat Riehecky wrote:
  My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP
 
   That should be easy enough.
 
  That being said I have taken one of my existing, working with FreeRadius
  1.1.5, access points and pointed it at my test radius server.
 
   Why?   Why not just test everything from the command-line?  See my web
 site for examples of testing EAP (http://deployingradius.com).

Found the tools needed (knowledge) to figure out my own errors there.

Thanks!
Pat



Ldap attribute config stuff

2008-05-02 Thread Pat Riehecky
Ok, to begin, I am not a radius guru.  In fact, the word novice applies
very strongly here.

That being said, on to my inquiry.  I have two radius systems on site.
One of them is for our wireless system and the other for our old,
trying-to-die dialup.  The wireless system is set up to authenticate to our LDAP
repository and make sure that users have a particular attribute before
letting them on.  Our dial up system is a big mess of flat files on a
version of the software I won't admit to.

I would very much like to get the radius server doing the wireless work
to also do our dial up work.  To do this I have loaded some attributes
into our LDAP server for it to query, but then I run into a bit of a
problem.

How do I configure a required attribute of Wireless=yes for one set of
clients and an attribute of DialUP=yes for the other?  Can this be
done?  Did I miss the doc on this?

Solaris 9 SPARC, FreeRadius 1.1.6

Any help I can get on this would be very appreciated.
Pat
