Re: Radius authentication against LDAP question
Cool, thanks for pointing that out. My brain filtered out the '==', been staring at this screen too long.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713505.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius authentication against LDAP question
One question relating to this is about the /etc/raddb/users file. It doesn't seem to work as it's documented. If I have a group set to be rejected based on its membership like this:

DEFAULT Group="disabled", Auth-Type:=Reject

radius doesn't even check for group membership. The only way it seems to get directed to check membership is with a negative check (!=).

DEFAULT LDAP-Group!="newgroup", Auth-Type:=Reject

Regardless, I still can't figure out what filter would validate the user "newuser" as a member of "newgroup":

performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(memberOf="cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz")(uid=newuser)))

This is the output of the ldapsearch that shows the group and the fact that the user is a member:

# LDAPv3
# base with scope subtree
# filter: (&(cn=newgroup))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713503.html
Re: Radius authentication against LDAP question
Playing with ldapsearch I see that the search string that radiusd -X is reporting to use indeed does not work:

=ldapsearch filter (from radiusd -X)
performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
=

Returns no entries. If I run ldapsearch with (&(cn=newgroup)(&(objectclass=posixGroup))), removing the memberUid entry, it returns the entry for the group itself, so something is wrong with how I have the member uid configured.

=ldapsearch filter (filter trimmed to group)
ldapsearch -x -b cn=accounts,dc=abc,dc=xyz "(&(cn=newgroup)(&(objectclass=posixGroup)))"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(cn=newgroup)(&(objectclass=posixGroup)))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any ideas? Thanks.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713483.html
Re: Freeradius with ldap
The FAQ gives a *very* basic and less than complete example of using groups. I found an old maillist entry that might be of help here.

- http://lists.freeradius.org/pipermail/freeradius-users/2007-June/019764.html

I'm trying to do something similar and I'm having trouble getting radius to be able to successfully validate a user as part of a group.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-with-ldap-tp5713478p5713482.html
Re: Radius authentication against LDAP question
Nick, I have found that we can use any attribute for the access, but I'm trying to expand our use of radius for another type of user login. In this case I've created an LDAP group for the new user role and have created a new radius virtual server to service the specific authentication and accounting. I have added the group membership checking to the ldap module, and set the filter for posixGroup. The meaningful config changes and output are below.

===/etc/raddb/modules/ldap (excerpt)
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

===/etc/raddb/users
DEFAULT LDAP-Group!="newgroup", Auth-Type:=Reject
        Reply-Message="You are not allowed to connect"

===radiusd -X (excerpt)
[files] expand: (&(objectclass=posixGroup)(memberUid=%u)) -> (&(objectclass=posixGroup)(memberUid=newhuser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

===ldapsearch output
# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713481.html
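The radiusd -X and ldapsearch exchanges in the posts above all turn on one detail visible in the quoted LDIF: the group entry stores the user's DN in member and has no memberUid (or memberOf) attribute, so a group search on memberUid=newuser can never match it. The Python below is an added example, not code from the thread or from FreeRADIUS: it rebuilds the wrapped group search that rlm_ldap prints in the debug output and evaluates both the posted groupmembership_filter and an assumed corrected one (member=%{Ldap-UserDn}, the same expansion the poster's MAC-bypass ldap config on this page uses) against an entry constructed from the quoted ldapsearch output.

```python
"""Tiny LDAP filter evaluator (RFC 4515 subset: &, |, !, attr=value) run against
the group entry quoted in the thread, to show why rlm_ldap's group search with
(memberUid=newuser) finds nothing while a filter on the member DN matches.
Added example; not code from the thread or from FreeRADIUS."""
from typing import Dict, List

# Group entry constructed from the ldapsearch output quoted above (ipaUniqueID
# omitted). Note: it carries a member DN but no memberUid or memberOf values.
GROUP_ENTRY: Dict[str, List[str]] = {
    "dn": ["cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz"],
    "objectClass": ["top", "groupofnames", "nestedgroup", "ldapusergroup",
                    "ldapobject", "posixgroup"],
    "cn": ["newgroup"],
    "description": ["switch administrators"],
    "gidNumber": ["89586"],
    "member": ["uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"],
}
USER_DN = "uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"

# The groupmembership_filter posted in the thread, and an assumed correction
# that tests the attribute the entry really has; %{Ldap-UserDn} is the same
# expansion the poster's MAC-bypass ldap config on this page uses with member=.
BROKEN_FILTER = "(&(objectclass=posixGroup)(memberUid=%u))"
FIXED_FILTER = "(&(objectclass=posixGroup)(member=%{Ldap-UserDn}))"


def parse_filter(text: str):
    """Parse into ('&'|'|'|'!', [children]) or ('=', attr, value) tuples.
    Values may contain '=' and ',' (DNs) but not ')'; no wildcards/presence."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")   # split at first '='
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against one entry; names and values compare
    case-insensitively (enough for objectClass values and DNs)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False  # attribute absent from the entry: the item is simply false


def rlm_ldap_group_filter(group: str, membership_filter: str,
                          username: str, user_dn: str) -> str:
    """Rebuild the search rlm_ldap prints in radiusd -X: the expanded filter
    wrapped in (&(cn=<group>) ...). Handles only the %u and %{Ldap-UserDn}
    expansions seen on this page."""
    expanded = (membership_filter.replace("%u", username)
                .replace("%{Ldap-UserDn}", user_dn))
    return f"(&(cn={group}){expanded})"


def check_membership(membership_filter: str, group: str = "newgroup",
                     username: str = "newuser", user_dn: str = USER_DN,
                     entry: Dict[str, List[str]] = GROUP_ENTRY) -> bool:
    """True if the group search rlm_ldap would run matches the group entry."""
    full = rlm_ldap_group_filter(group, membership_filter, username, user_dn)
    return matches(parse_filter(full), entry)
```

check_membership(BROKEN_FILTER) reproduces the "object not found" result from the debug output, while check_membership(FIXED_FILTER) matches the entry; a real deployment should confirm the corrected filter with ldapsearch before changing modules/ldap.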
Re: pam_radius not using /etc/raddb/server
Thanks, Alan. I definitely suspected both of the things you suggest, but I initially installed this system and configured it, so I'm really confused as to how this alternate configuration came to be. I found the rogue configuration in the file /etc/pam_radius.conf. Unless I did that one evening after a few beers and just don't recall, I maintain that I didn't create the file. ;) Thanks again.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/pam-radius-not-using-etc-raddb-server-tp5627583p5627834.html
pam_radius not using /etc/raddb/server
I have a client system that seems to be ignoring changes in the pam_radius config file, /etc/raddb/server. I initially configured the system with a simple shared secret and had it pointed to a test server and now when I change the file /etc/raddb/server the client still talks to the test server instead of the new freeradius server. I even added the test server IP address to the new freeradius server and verified that the client is even still using the old simple shared secret. I've gone as far as completely removing the /etc/raddb/server file and the client continues to use the previous config. What am I missing? The system has been rebooted numerous times.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/pam-radius-not-using-etc-raddb-server-tp5627583p5627583.html
Re: compiling pam radius module
I'm sure this won't surprise anyone, but the problem had nothing to do with radius. I had only entered the radius module in the pam config for ssh, but I had a kerberos config in the system auth pam config. When I enabled debug for the radius module I saw the kerberos realm info being passed in syslog. I entered the pam-radius module in the system-auth config and everything works.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4730628.html
Re: compiling pam radius module
Using radtest against radius in debug mode it works (output below). One thing to note is that this radius server is proxying authentication to a WiKID server for 2 factor authentication. The password you see here is the one generated by the software token.

=RADTEST OUTPUT===
rad_recv: Access-Request packet from host 192.168.10.109 port 50842, id=212, length=59
    User-Name = "rsguser"
    User-Password = "612315"
    NAS-IP-Address = 192.168.10.107
    NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] expand: %t -> Tue Aug 23 13:44:29 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "rsguser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "rsguser"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user rsguser to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for rsguser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=rsguser)
[ldap] expand: dc=remoteservices,dc=CSPKRB -> dc=remoteservices,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=remoteservices,dc=CSPKRB, with filter (uid=rsguser)
[ldap] checking if remote access for rsguser is allowed by dialupAccess
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user rsguser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty section. Using default return values.
Sending Access-Request of id 163 to 192.168.10.108 port 1812
    User-Name = "rsguser"
    User-Password = "612315"
    NAS-IP-Address = 192.168.10.107
    NAS-Port = 10
    Proxy-State = 0x323132
Proxying request 1 to home server 192.168.10.108 port 1812
Sending Access-Request of id 163 to 192.168.10.108 port 1812
    User-Name = "rsguser"
    User-Password = "612315"
    NAS-IP-Address = 192.168.10.107
    NAS-Port = 10
    Proxy-State = 0x323132
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.10.108 port 1812, id=163, length=41
    Reply-Message = "Access Granted"
    Proxy-State = 0x323132
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [rsguser] (from client 192.168.0.0/16 port 10)
WARNING: Empty section. Using default return values.
Sending Access-Accept of id 212 to 192.168.10.109 port 50842
    Reply-Message = "Access Granted"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 212 with timestamp +29
Ready to process requests.
==

When I configure sshd to authenticate using pam radius I get this. It looks like the WiKID is returning "INCORRECT" in response to what radius is sending for the password, even though radius-WiKID communication works when using radtest. This is why I'm focusing on pam-radius.

===PAM RADIUS AUTHENTICATION==
rad_recv: Access-Request packet from host 192.168.10.109 port 19567, id=61, length=91
    User-Name = "rsguser"
    User-Password = "\010\n\r\177INCORRECT"
    NAS-IP-Address = 192.168.10.107
    NAS-Identifier = "sshd"
    NAS-Port = 18542
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "CSID IP ADDRESS -- removed"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] expand: %t -> Tue Aug 23 14:33:10 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "rsguser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "rsguser"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user rsguser to
Re: compiling pam radius module
I didn't think so, just making sure. I'll test more and post the output.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4727533.html
Re: compiling pam radius module
This is the output from the compile. Are the messages here anything to be concerned with?

[root@csp pam_radius-1.3.17]# make
cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function ‘talk_radius’:
pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
pam_radius_auth.c: In function ‘pam_sm_authenticate’:
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
cc -Wall -fPIC -c -o md5.o md5.c
ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

-- View this message in context: http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4727343.html
compiling pam radius module
I am trying to get pam radius module to work but the module does not seem to be encrypting properly. When I test using radtest authentication works, but when attempting a pam authentication the password shows as garbage. I have verified that the shared secret I'm using is the same for both configurations. I will post debug logs shortly.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4727149.html
Re: MAC auth bypass with freeradius/openldap
I don't know why it wasn't working when I posted that last one, I had a message that the port was not authenticated on the client, but the log I posted clearly shows that it matched on the username of the switch since there is an ldap user called admin and the switch admin user is also admin. Admittedly this is not great security, but this is not going to be the case for long.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p451.html
Re: MAC auth bypass with freeradius/openldap
I guess I was too quick to call it, and it looks like the problem is still on the NAS. You will see that the client first gets access using the MAC address as the CSID, but at some point, the client or NAS decided to re-auth but this time using the IP address that the client had acquired. It doesn't look like it's associated with the reauthentication period as that is set to 1 hour and the issue occurred within about 10 minutes. I'm pretty sure this has nothing to do with radius and everything to do with my switch config, so sorry if this post is inappropriate.

rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154, id=0, length=112
    User-Name = "0010182b9065"
    NAS-IP-Address = 192.168.1.254
    NAS-Port = 24
    Called-Station-Id = "00-1A-70-8B-2B-8C"
    Calling-Station-Id = "00-10-18-2B-90-65"
    Acct-Status-Type = Start
    Acct-Session-Id = "052D"
    Acct-Authentic = Local
    NAS-Port-Type = Ethernet
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 24,Client-IP-Address = 192.168.1.254,NAS-IP-Address = 192.168.1.254,Acct-Session-Id = "052D",User-Name = "0010182b9065"'
[acct_unique] Acct-Unique-Session-ID = "42587646b94a35b4".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] expand: %t -> Wed Jun 22 09:15:40 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 0010182b9065
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 0010182b9065
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 0 to 192.168.1.254 port 49154
Finished request 7.
Cleaning up request 7 ID 0 with timestamp +60184
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154, id=0, length=97
    User-Name = "admin"
    NAS-IP-Address = 192.168.1.254
    Called-Station-Id = "192.168.1.254"
    Calling-Station-Id = "192.168.1.118"
    Acct-Status-Type = Stop
    Acct-Session-Id = "052C"
    Acct-Authentic = Local
    Acct-Session-Time = 1280
    Acct-Terminate-Cause = Idle-Timeout
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 192.168.1.254,NAS-IP-Address = 192.168.1.254,Acct-Session-Id = "052C",User-Name = "admin"'
[acct_unique] Acct-Unique-Session-ID = "0f743b391350fbbb".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] expand: %t -> Wed Jun 22 09:25:47 2011
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> admin
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> admin
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 0 to 192.168.1.254 port 49154
Finished request 8.
Cleaning up request 8 ID 0 with timestamp +60791
Going to the next request
Ready to process requests.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p4514401.html
Re: MAC auth bypass with freeradius/openldap
The NAS is a Linksys/Cisco SFE2000 switch. There is very little flexibility in how to configure the switch and the documents do not detail how to configure it for 802.1x or mac bypass, other than to say it can do it. The client is a windows system being plugged into a port on the switch. I will say that your reply helped, fixed the problem. The switch manual had no detail on configuration for making it work and I had made the config I thought needed to be made and had one thing out of place. I set the 802.1x authentication method to 'radius'. I changed that to 'none' and it's working.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p4514243.html
MAC auth bypass with freeradius/openldap
I've been looking at this for a day now and it seems like I'm close, but something is not right. I have a freeradius server with an openldap backend for MAC auth bypass. This system is just for test, but it is an essential first step in my project. I'm using freeradius2-2.1.7-7.el5, freeradius2-ldap-2.1.7-7.el5, openldap-servers-2.3.43-12.el5_6.7, and I am currently using a Cisco labeled linksys SFE-2000 switch. Since I have been reading docs and trying different things all day I'm thinking there is something I've just messed up on and overlooked while going over the files. I have tried creating the MAC address in LDAP several ways, as a cn (objectclass=device), as a uid (with and without a password). Here are the files I've mod'd:

** raddb/modules/ldap: **
ldap {
    cache = no
    server = "localhost"
    identity = "uid=radauth,ou=radius,dc=CSPKRB"
    password = password
    basedn = "ou=radius,dc=CSPKRB"
    filter = "(cn=%{User-Name})"
    tls {
        start_tls = no
    }
    default_profile = "uid=radauth,ou=radius,dc=CSPKRB"
    profile_attribute = "radiusProfileDn"
    access_attr = "cn"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupname_attribute = radius_users
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    timeout = 4
    timelimit = 3
    net_timeout = 1
    set_auth_type = no
}

** raddb/site-enabed/inner-tunnel: **
server inner-tunnel {
    authorize {
        preprocess
        ldap
        pap
        update control {
            Proxy-To-Realm := LOCAL
        }
    }
    eap {
        ok = return
    }
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
session {
    radutmp
}
post-auth {
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

** clients.conf **
client localhost {
    ipaddr = 127.0.0.1
    secret = SharedSecret
    require_message_authenticator = no
}
client 192.168.0.0/16 {
    require_message_authenticator = no
    secret = SharedSecret
    nastype = other
}

** debug output: **
rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0, length=99
    NAS-IP-Address = 192.168.1.254
    NAS-Port-Type = Ethernet
    NAS-Port = 24
    User-Name = "0010182b9065"
    Acct-Session-Id = "052B"
    EAP-Message = 0x021101303031303138326239303635
    Message-Authenticator = 0x57f15349b978ec4c8dcdda92f6cc6fed
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] expand: %t -> Tue Jun 21 16:38:24 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for 0010182b9065
[ldap] expand: (cn=%{User-Name}) -> (cn=0010182b9065)
[ldap] expand: ou=radius,dc=CSPKRB -> ou=radius,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius,dc=CSPKRB, with filter (cn=0010182b9065)
[ldap] checking if remote access for 0010182b9065 is allowed by cn
rlm_ldap: performing search in uid=radauth,ou=radius,dc=CSPKRB, with filter (objectclass=radiusprofile)
rlm_ldap: object not found
[ldap] default_profile/user-profile search failed
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user 0010182b9065 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
Re: Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code
d'oh! it was SElinux. I had disabled it temporarily, but didn't set it as disabled in /etc/selinux/config so it was blocking the authentication.

Phil Mayers wrote:
>
> On 06/14/2011 09:44 PM, Jimmy wrote:
>> I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
>> am trying to configure Freeradius 2.1.7 to authenticate to Kerberos.
>
> My advice would be to investigate having FreeRADIUS pull the user info
> (secrets etc.) direct from LDAP. It'll save your sanity in the long run
> (provided the secrets in LDAP are ones FreeRADIUS can make use of)
>
> But...
>
>>
>> I am having problems getting Freeradius to authenticate while started
>> in daemon mode. When the process is started in debug mode it seems to
>> function, but authentications while in daemon mode return the error:
>>
>>> Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied
>>> in replay cache code
>
> So, in debug mode it's fine, but in daemon mode it's giving permission
> denied errors as above? That error sounds like it's coming out of the
> kerberos libraries, rather than FreeRADIUS.
>
> Try this: start it up in daemon mode, then use "strace" to record
> syscalls:
>
> strace -o log -p
>
> ...do a test authentication, then hunt through the log for open() and
> write() calls that fail i.e. return -1. That should tell you what file
> it's trying to use as a replay cache. Then, fix the permissions so that
> the daemon can access that file.
>
> Also, if you're running an LSM (SELinux, AppArmor) check their logs
> (audit.log in the case of SELinux; no idea for AppArmor) to see if it's
> a MAC policy, rather than uid/gid-based perms, that's denying it.
>
> Alternatively, you might be able to disable the replay cache using
> entries in /etc/krb5.conf, but you'd have to do a bit of digging.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Auth-rlm-krb5-test1-CSP-BACK-krb5-rd-req-failed-Permission-denied-in-replay-cache-code-tp4489262p4491473.html
Re: Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code
I haven't yet done a test using strace but wanted to add what I did find when I got started this morning. If I attempt to authenticate with the user test1, password `qwer` (the correct password), I get this response:

Wed Jun 15 08:40:19 2011 : Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

*But* if I use the wrong password `qwert` (or anything really) I get this response:

Wed Jun 15 08:40:48 2011 : Auth: rlm_krb5: [test1@CSP-BACK] krb5_g_i_t_w_p failed: Decrypt integrity check failed

Thanks!

-- View this message in context: http://freeradius.1045715.n5.nabble.com/Auth-rlm-krb5-test1-CSP-BACK-krb5-rd-req-failed-Permission-denied-in-replay-cache-code-tp4489262p4491109.html