FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread TS
Hi all

I'm having major issues with getting Freeradius to authenticate
from a Cisco 7204 that is terminating an L2TP tunnel and sending radius auth to
a FreeRadius server.

Using a default install of Freeradius and configuring it to accept auth
requests from the Cisco in clients.conf, it just fails on authentication,
even though the username and password in the users file are correct,
proven using radtest.

From radius -X, without changing any config options, it gives me "Login is
incorrect" when sending a plain text password.

No matter what I change in the config files it always fails.

I've tried adding Auth-Types to the users entry such as Local, and this
gives me things like "no password is configured for the user".

Removing the "Default Auth-Type" from the top of the users
file and setting an Auth-Type in the users entry gives me "no Auth-Type set".

Really not sure where the error is.

So I guess my question is: does anyone use FreeRadius to authenticate
from a Cisco 7200 series with success?

If so, is it possible to supply:

- The virtual template section that specifies the ppp authentication?
- A copy of the radius.conf file?
- The users file with an example users entry that works.

Then I can see if I've got it all set up correctly.

This used to work fine when I was using a Linux server to terminate the
L2TP tunnel; I used L2TPNS to do the termination and it sent radius
authentication to the FreeRadius server.

Thanks
Tony

-- 
This message has been scanned for viruses and
dangerous content by
MailScanner, and is
believed to be clean.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread TS
erid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.0.3:1645
Listening on accounting 192.168.0.3:1646
Listening on proxy 192.168.0.3:1647
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.250:1645, id=168,
length=97
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
User-Password = "mysecret"
NAS-Port-Type = Virtual
NAS-Port = 726
Service-Type = Framed-User
NAS-IP-Address = 192.168.0.250
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: Looking up realm "local.realm.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: No such realm " local.realm.com"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 6
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns ok for request 6
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/mysecret] (from client cisco7204
port 726)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 168 to 192.168.0.250:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 168 with timestamp 44379f6f
Nothing to do.  Sleeping until we see a request.
#
My users file (without all the commented out lines)
##

#
#DEFAULT	Auth-Type = System
#	Fall-Through = 1

DEFAULT	Service-Type == Framed-User
	Framed-IP-Address = 255.255.255.254,
	Framed-MTU = 576,
	Service-Type = Framed-User,
	Fall-Through = Yes

DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

[EMAIL PROTECTED]	Auth-Type = Local, User-Password == "mysecret"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 10.0.0.1,
	Framed-Netmask = 255.255.255.255,
	Framed-Compression = Van-Jacobsen-TCP-IP
And just for good measure here is the Cisco debug:
##
*Apr  8 12:03:50.473 BST: AAA/BIND(02E1): Bind i/f Virtual-Template3
*Apr  8 12:03:50.473 BST: AAA/AUTHEN/PPP (02E1): Pick method list
'default'
*Apr  8 12:03:50.473 BST: RADIUS/ENCODE(02E1):Orig. component type =
VPDN
*Apr  8 12:03:50.473 BST: RADIUS:  AAA Unsupported Attr: interface
[153] 15
*Apr  8 12:03:50.473 BST: RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49 44 37
[Uniq-Sess-ID7]
*Apr  8 12:03:50.477 BST: RADIUS(02E1): Storing nasport 720 in rad_db
*Apr  8 12:03:50.477 BST: RADIUS(02E1): Config NAS IP: 0.0.0.0
*Apr  8 12:03:50.477 BST: RADIUS/ENCODE(02E1): acct_session_id: 1168
*Apr  8 12:03:50.477 BST: RADIUS(02E1): sending
*Apr  8 12:03:50.477 BST: RADIUS/ENCODE: Best Local IP-Address 192.168.0.250
for Radius-Server 192.168.0.3
*Apr  8 12:03:50.477 BST: RADIUS(02E1): Send Access-Request to
192.168.0.3:1645 id 1645/162, len 97
*Apr  8 12:03:50.477 BST: RADIUS:  authenticator 76 7D 09 92 23 C7 65 B1 -
6C D7 3C E1 10 6B 56 CF
*Apr  8 12:03:50.477 BST: RADIUS:  Framed-Protocol [7]   6   PPP
[1]
*Apr  8 12:03:50.477 BST: RADIUS:  User-Name   [1]   29
"[EMAIL PROTECTED]"
*Apr  8 12:03:50.477 BST: RADIUS:  User-Password   [2]   18  *
*Apr  8 12:03:50.477 BST: RADIUS:  NAS-Port-Type   [61]  6   Virtual
[5]
*Apr  8 12:03:50.477 BST: RADIUS:  NAS-Port[5]   6   720
*Apr  8 12:03:50.477 BST: RADIUS:  Service-Type[6]   6   Framed
[2]
*Apr  8 12:03:50.477 BST: RADIUS:  NAS-IP-Address  [4]   6
192.168.0.250
*Apr  8 12:03:52.513 BST: RADIUS: Received from id 1645/162
192.168.0.3:1645, Access-Reject, len 20
*Apr  8 12:03:52.513 BST: RADIUS:  authenticator DD E8 59 9D 6D 1B 13 29 -
C2 25 B3 6D E1 38 64 8E
*Apr  8 12:03:52.513 BST: RADIUS(02E1): Received from id 1645/162
##


Thanks
Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
] On Behalf Of Phil Mayers
Sent: 08 April 2006 12:07
To: FreeRa

RE: FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread TS
Hi Phil

Good call.
Thanks for that.
Works a treat now.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
] On Behalf Of Phil Mayers
Sent: 08 April 2006 13:17
To: FreeRadius users mailing list
Subject: Re: FreeRadius - Cisco 7204 - L2TP Tunnel

Ok, I see the problem:

> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 183
>   modcall[authorize]: module "files" returns ok for request 6
> 
> My users file (without all the commented out lines)
> 
> 
> DEFAULT Service-Type == Framed-User
> Framed-IP-Address = 255.255.255.254,
> Framed-MTU = 576,
> Service-Type = Framed-User,
> Fall-Through = Yes
> 
> 
> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP

There's no "Fall-Through = Yes" on this entry (the default entries in 
the users file in current release are a bit historic and not especially 
helpful to be in there uncommented by default, but compatibility 
concerns I imagine block their removal). So processing stops here, and 
never reaches the desired entry:

> [EMAIL PROTECTED] Auth-Type = Local, User-Password == "mysecret"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Address = 10.0.0.1,
> Framed-Netmask = 255.255.255.255,
> Framed-Compression = Van-Jacobsen-TCP-IP

So, you can either add a Fall-Through = Yes to the PPP entry, or delete 
it (since you've got the attributes defined on the users entry anyway 
you don't need it, or the Framed-Protocol match further up).

Personally I tend to do:

cp users users.example
 >users

...and start with a clean slate, reading the examples from the old file.

FYI the users file in CVS has by default none of these semi-historic 
uncommented examples.
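Phil's diagnosis above, as an added example that is not FreeRADIUS's own code: a small Python model of how rlm_files walks the users file, run over Tony's entries (the user name is a placeholder) first as posted and then with the Fall-Through that Phil suggests. It implements only the subset of users-file syntax seen in this thread, and Auth-Type is treated as a control item that the walk must reach for authentication to proceed.

```python
# Added example (not FreeRADIUS code): model of how rlm_files walks a 'users' file.
import re
def parse_users(text):
    """Entries start at column 0 as 'name  check, check, ...'; reply items follow indented."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                     # new entry: name + check items
            name, _, checks = raw.strip().partition(" ")
            cur = {"name": name, "cmp": {}, "set": {}, "reply": {}, "fall": False}
            entries.append(cur)
            for item in filter(None, (s.strip() for s in checks.split(","))):
                attr, op, val = re.match(r'(\S+)\s*(==|=)\s*"?([^"]*)"?', item).groups()
                (cur["cmp"] if op == "==" else cur["set"])[attr] = val   # '=' sets control
        else:                                        # reply item of the current entry
            attr, val = re.match(r'(\S+)\s*=\s*"?([^",]*)"?', raw.strip()).groups()
            if attr == "Fall-Through":
                cur["fall"] = val.lower() == "yes"
            else:
                cur["reply"][attr] = val
    return entries

def match_users(entries, request):
    """Top-to-bottom walk: name must be DEFAULT or equal User-Name and every '=='
    check must equal the request value; stop at the first match lacking Fall-Through."""
    matched, control, reply = [], {}, {}
    for e in entries:
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if any(request.get(a) != v for a, v in e["cmp"].items()):
            continue
        matched.append(e["name"])
        for a, v in e["set"].items():              # Auth-Type etc.: set only if unset
            control.setdefault(a, v)
        reply.update(e["reply"])
        if not e["fall"]:
            break
    return matched, control, reply

# Constructed users file mirroring the thread's (user name is a placeholder).
BROKEN_USERS = """\
DEFAULT Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
    Framed-Compression = Van-Jacobson-TCP-IP
tony@local.realm.com Auth-Type = Local, User-Password == "mysecret"
    Framed-Address = 10.0.0.1
"""
# Phil's first fix: let the PPP DEFAULT entry fall through to the entries below it.
FIXED_USERS = BROKEN_USERS.replace("TCP-IP\n", "TCP-IP,\n    Fall-Through = Yes\n")
# Constructed Access-Request carrying the attributes the Cisco sent in the debug.
REQUEST = {"Framed-Protocol": "PPP", "User-Name": "tony@local.realm.com",
           "User-Password": "mysecret", "Service-Type": "Framed-User"}
```

With BROKEN_USERS the walk stops at the second DEFAULT and no Auth-Type is ever set, which is the "No authenticate method (Auth-Type) configuration found" rejection in the debug; with FIXED_USERS the per-user entry is reached.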


Realm question..

2006-04-24 Thread TS
Hi all

We have a radius setup that we use to authenticate our own adsl users as
well as proxying radius to 2 other sources.
Our own radius entries use a realm after each username, a typical entry is:


[EMAIL PROTECTED]  Password == secret
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.0.0.3,
Framed-Netmask = 255.255.255.255,
Framed-Compression = Van-Jacobsen-TCP-IP

###

Is there a way of getting radius to authenticate on the username before the @
sign and ignore the realm?
Obviously if the realm is one that we proxy then it should be proxied as
such, and any that aren't in the proxy.conf file authenticated locally.

This may sound like an odd request, but in the case of users typing the realm
incorrectly while the username is OK, they can still be authenticated. Since we
only get sent authentication requests from realms that belong to us or the
people we proxy for locally, it doesn't really matter what the realm is; the
user still has to have the correct password to authenticate.

In the case where the user is one we proxy and the user types the realm
incorrectly, then they just won't be authenticated, since it wouldn't be proxied
and the username would not exist in our radius users file; this is fine.

I've tried adding "strip" to the LOCAL entry in proxy.conf and also just
adding the entry:


user1  Password == secret
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.0.0.3,
Framed-Netmask = 255.255.255.255,
Framed-Compression = Van-Jacobsen-TCP-IP

###

to the radius users file but it won't authenticate.

Thanks 
Tony



RE: Realm question..

2006-04-24 Thread TS
>> Is there a way of getting radius to authenicate on the username before
>>the @ sign and ignore the realm?

>  Yes, but you have to edit the "users" file to get rid of the
>"@realm" portion, and configure the realms as LOCAL ones.

The object is not to have to configure any realms as local,
so that Radius will try to auth any realm that isn't to be proxied.
If I have a user whose username is [EMAIL PROTECTED], I can easily specify
arealm.com as local. But if by mistake the user types the username as
[EMAIL PROTECTED], auth will just fail because the realm isn't specified in
proxy.conf.


>  What does debugging mode say?


Exactly what you'd expect it to say if the realm isn't in proxy.conf:

#
rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68
User-Name = "[EMAIL PROTECTED]"
User-Password = "acc355"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "arealm.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: No such realm "arealm.com"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
  modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns ok for request 2
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/acc355] (from client localhost port 1645)
Delaying request 2 for 1 seconds
Finished request 2
##

The user doesn't exist, as the entry in users just has the username as
"user1" and the request is sending [EMAIL PROTECTED].

I want radius to first check to see if the request needs to be proxied.
If not, then authenticate it locally no matter what the realm is, but before
authenticating it strip off the realm and just use everything before the @
sign as the username.


Tony


RE: EAP/TLS sending bad certificate

2004-02-06 Thread Obermeier Markus ICM MP PD TS
> Message: 1
> Date: Thu, 05 Feb 2004 17:28:40 +0530
> From: Arindam Roy <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: EAP/TLS sending bad certificate
> Reply-To: [EMAIL PROTECTED]

> Hello all,
> I am running freeradius-snapshot-20040128, RH8, xsupplicant.
> Whenever Radius sends a Sever Hello done during EAP/TLS, xsupplicant 
> complains of bad certificate, and send a TLS Alert.
> Where am i going wrong?
> Arindam Roy

Dear Arindam,

I have had the same problem you described above. In my case the xsupplicant software 
provides its own SHA1 library with the same function names as the openssl library.

However, the SHA1 functions provided by xsupplicant are not in all cases equivalent to 
those of openssl. Therefore you need to remove the SHA1 library object files 
from the linking process of xsupplicant (it's just a change in the makefile).

I have posted this error to the xsupplicant mailing list. But it has not been resolved, 
since you now have the same problem I did.

Kind regards,
Markus

_
Markus Obermeier
System Architect
Connectivity
Siemens AG
ICM MP PD TS
Tel. +49-89-722-32549
Mob. +49-160-7481061
Fax. +49-89-722-913490
EMail: [EMAIL PROTECTED] 




RE: [Open1x-xsupplicant] RE: EAP/TLS sending bad certificate

2004-02-12 Thread Obermeier Markus ICM MP PD TS
Hi José,

the following change made my xsupplicant work again:

@diff src/Makefile src/Makefile.orig
161c161
<   simd5.$(OBJEXT) simd11.$(OBJEXT) \
---
>   sha1.$(OBJEXT) simd5.$(OBJEXT) simd11.$(OBJEXT) \
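Review bot: the diff is taken with the modified file first (`diff src/Makefile src/Makefile.orig`), so the `<` line is the fixed object list and the `>` line is the original; anyone applying this by hand should remove `sha1.$(OBJEXT)` from the objects list, not add it, and swapping the two arguments would give a patch that applies in the usual direction. The Makefile itself also carries no note on why `sha1.$(OBJEXT)` is dropped, so a comment there saying that the bundled SHA1 is not equivalent to OpenSSL's same-named functions would keep a later contributor from re-adding it.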

That's it in my case. Good luck.

Rgds,
Markus

-Original Message-
From: José Luis Solano [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 12 February 2004 16:04
To: Obermeier Markus ICM MP PD TS; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Open1x-xsupplicant] RE: EAP/TLS sending bad certificate



Dear Markus,

About the problem with the certificates, what's the change in the makefile, exactly, to 
run XSupplicant without the error "bad certificates"? Please, these questions are very 
important to me, so could you tell me the steps to do this?


I am sending you my freeradius and client (XSupplicant) logs:

Client (XSupplicant):
--

desarrollo:/xsupplicant/certs/certs2# xsupplicant -i ath0 -c 
/xsupplicant/certs/certs2/1x.conf -d 5
initalize_user_conf() finished!
Reading configuration from file : /xsupplicant/certs/certs2/1x.conf --Printing user 
configuration--
username: 
root cert: /xsupplicant/certs/certs2/root.pem
client cert: /xsupplicant/certs/certs2/cert.cer
key file: /xsupplicant/certs/certs2/key.pem
auth type: EAP
preferred auth: TLS
client type: WIRELESS
chunk size: 1398
random file: /dev/random
first auth: /sbin/dhclient eth0
after auth: /bin/echo I authenticated
phase2 auth: (null)
phase2 id: 
---
Calling do_eapol, with device ath0
Initalizing Frame handler (generic)
Using interface : ath0
Got MAC address of 00:40:05:54:16:eb
PCAP Filter : ether dst 00:40:05:54:16:eb or ether dst 01:80:c2:00:00:03 and ether 
proto 0x888e Setup on device ath0 complete
(EAPTLS) Changed state to 0
(TLS) Initalized TLS Successfully!
(EAPMD5) Initalized
(TLS) Initalized TLS Successfully!
(EAPMS-CHAP) Initalized
(TLS) Initalized TLS Successfully!
Done with init.
$$ eapol_pae_do_state $$: DISCONNECTED
Sending EAPOL-Start #1
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
$$ eapol_decode_packet $$: back from eap_return
Request ID, skipping CONNECTING state...
Connection Established, authenticating...
Please Enter Your Password :
Sending to 0:80:c8:1:1:55
ACQUIRED
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
$$ eapol_decode_packet $$: back from eap_return
Connection Established, authenticating...
Sending to 0:80:c8:1:1:55
## eap_decode_packet ##: Got an EAP request
### Type is 13, length: 6
$$ eapol_decode_packet $$: back from eap_return
eapol_dst = 0:80:c8:1:1:55
resp_out = 0:80:c8:1:1:55
Loading certificate /xsupplicant/certs/certs2/root.pem ... . ... (TLS)Loaded root 
certificate /xsupplicant/certs/certs2/root.pem and dirctory
(null)
 --- SSL : before/connect initialization
  --- SSL : before/connect initialization
--- SSL : SSLv3 write client hello A
 --- SSL : SSLv3 read server hello A
  Destination : 0:80:c8:1:1:55
  AUTHENTICATING
  ## eap_decode_packet ##: Got an EAP request
  ### Type is 13, length: 610
  $$ eapol_decode_packet $$: back from eap_return
  eapol_dst = 0:80:c8:1:1:55
  resp_out = 0:80:c8:1:1:55
  (EAPTTLS) Saved packet fragment.
  Destination : 0:80:c8:1:1:55
  ## eap_decode_packet ##: Got an EAP request
  ### Type is 13, length: 610
  $$ eapol_decode_packet $$: back from eap_return
  eapol_dst = 0:80:c8:1:1:55
  resp_out = 0:80:c8:1:1:55
  (EAPTTLS) Saved packet fragment.
  Destination : 0:80:c8:1:1:55
  ## eap_decode_packet ##: Got an EAP request
  ### Type is 13, length: 610
  $$ eapol_decode_packet $$: back from eap_return
  eapol_dst = 0:80:c8:1:1:55
  resp_out = 0:80:c8:1:1:55
  (EAPTTLS) Saved packet fragment.
  Destination : 0:80:c8:1:1:55
  ## eap_decode_packet ##: Got an EAP request
  ### Type is 13, length: 338
  $$ eapol_decode_packet $$: back from eap_return
  eapol_dst = 0:80:c8:1:1:55
  resp_out = 0:80:c8:1:1:55
  (EAPTTLS) Saved packet fragment.
  16 3 1 0 4a 2 0 0 46 3 1 40 2b 62 0 7e
   --- SSL : SSLv3 read server hello A
 --- SSL : SSLv3 read server certificate B
  --- ALERT : bad certificate
--- SSL : SSLv3 read server certificate B
 Destination : 0:80:c8:1:1:55
 ## eap_decode_packet ##: Got an EAP failure
 $$ eapol_decode_packet $$: back from eap_return
 Failed to Authenticate
 Success Count: 0
 Failure Count: 1
 CONNECTING
 ## eap_decode_packet ##: Got an EAP request
 ## eap_decode_packet ##: Type is Identity
 $$ eapol_decode_packet $$: back from eap_return
 Request ID, skipping CONNECTING state...
 Connection Established, authenticating...
 Sending to 0:80:c8:1:1:55
 ACQUIRED