Re: Radius authentication against LDAP question

2012-06-01 Thread g17jimmy
Cool, thanks for pointing that out. My brain filtered out the '==', been
staring at this screen too long.  

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713505.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radius authentication against LDAP question

2012-06-01 Thread g17jimmy
One question relating to this is about the /etc/raddb/users file. It doesn't
seem to work as documented. If I have a group set to be rejected based on
its membership like this:

DEFAULT   Group="disabled", Auth-Type:=Reject

radius doesn't even check for group membership. The only way it seems to get
directed to check membership is with a negative check (!=). 

DEFAULT   LDAP-Group!="newgroup", Auth-Type:=Reject

Regardless, I still can't figure out what filter would validate the user
"newuser" as a member of "newgroup"-

performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(memberOf="cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz")(uid=newuser)))

This is the output of the ldapsearch that shows the group and the fact that
the user is a member-

# LDAPv3
# base  with scope subtree
# filter: (&(cn=newgroup))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713503.html


Re: Radius authentication against LDAP question

2012-05-31 Thread g17jimmy
Playing with ldapsearch I see that the search string that radiusd -X reports
using indeed does not work:
=ldapsearch filter (from radiusd -X)
performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser))) 
=

Returns no entries. If I run ldapsearch with
(&(cn=newgroup)(&(objectclass=posixGroup))) - removing the memberUid entry -
it returns the entry for the group itself, so something is wrong with how I
have the member uid configured. 

=ldapsearch filter (filter trimmed to group)
ldapsearch -x -b cn=accounts,dc=abc,dc=xyz
"(&(cn=newgroup)(&(objectclass=posixGroup)))"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(cn=newgroup)(&(objectclass=posixGroup)))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Any ideas?
Thanks.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713483.html


Re: Freeradius with ldap

2012-05-31 Thread g17jimmy
The FAQ gives a *very* basic and less than complete example of using groups.
I found an old maillist entry that might be of help here. -
http://lists.freeradius.org/pipermail/freeradius-users/2007-June/019764.html 

I'm trying to do something similar and I'm having trouble getting radius to
be able to successfully validate a user as part of a group.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-with-ldap-tp5713478p5713482.html


Re: Radius authentication against LDAP question

2012-05-31 Thread g17jimmy
Nick- I have found that we can use any attribute for the access, but I'm
trying to expand our use of radius for another type of user login. In this
case I've created an LDAP group for the new user role and have created a new
radius virtual server to service the specific authentication and accounting.
I have added the group membership checking to the ldap module, and set
the filter for posixGroup. The meaningful config changes and output are
below-

===/etc/raddb/modules/ldap (excerpt)
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

===/etc/raddb/users
DEFAULT   LDAP-Group!="newgroup", Auth-Type:=Reject
   Reply-Message="You are not allowed to connect"
 
===radiusd -X (excerpt)
[files] expand: (&(objectclass=posixGroup)(memberUid=%u)) ->
(&(objectclass=posixGroup)(memberUid=newhuser))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

===ldapsearch output
# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713481.html
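As an added illustration (not code from the thread, from FreeRADIUS or from the directory server): a small Python evaluator for LDAP search filters, run against the group entry the ldapsearch output above shows, plus an assumed user entry that the thread never prints. It composes the search the same way the radiusd -X output shows rlm_ldap doing it ((cn=<group>) ANDed with the expanded groupmembership_filter) and shows that the posixGroup/memberUid filter and the quoted memberOf filter return nothing, while a groupOfNames/member filter matches the `member:` attribute the group actually carries. The empty result is what produces the "Group newgroup not found or user is not a member" line, and with a DEFAULT ... Auth-Type := Reject entry keyed on that check, every user is rejected until the filter matches the directory's real schema. Function names, the user entry and the `%u` / `%{Ldap-UserDn}` expansion are assumptions of this example.

```python
# Added example (not from the thread): a minimal RFC 4515 filter evaluator used to
# show why rlm_ldap's composed group search finds nothing. Entries are constructed
# from the ldapsearch output in the thread; the user entry is an assumption.
import re

GROUP_DN = "cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz"
USER_DN = "uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"

DIRECTORY = [
    {   # the group as ldapsearch printed it: a groupOfNames 'member', no 'memberUid'
        "dn": [GROUP_DN],
        "objectClass": ["top", "groupofnames", "nestedgroup", "ldapusergroup",
                        "ldapobject", "posixgroup"],
        "cn": ["newgroup"],
        "gidNumber": ["89586"],
        "member": [USER_DN],
    },
    {   # assumed user entry; servers that maintain memberOf put it on the user
        "dn": [USER_DN],
        "objectClass": ["top", "person", "posixaccount"],
        "uid": ["newuser"],
        "cn": ["New User"],
        "memberOf": [GROUP_DN],
    },
]


def parse(s, i=0):
    """Recursive-descent parse of a filter starting at s[i]; returns (node, index after it).
    Supports &, |, ! and attr=value with '*' wildcards; values here contain no ')'."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")   # split on the first '=', so DN values survive
    return ("=", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Attribute names and values are
    compared case-insensitively, which is how objectclass=posixGroup matched
    'objectClass: posixgroup' in the thread's ldapsearch run."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    if value == "*":                      # presence filter
        return bool(values)
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def search(filter_str, entries):
    """Return the DNs of all entries matching filter_str (a subtree search)."""
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [e["dn"][0] for e in entries if matches(tree, e)]


def ldap_group_check(group, membership_filter, uid, user_dn, entries):
    """Reproduce the search shown in the radiusd -X output: expand %u and
    %{Ldap-UserDn} in groupmembership_filter, AND it with (cn=<group>), search.
    An empty list is what the server logs as 'not found or user is not a member'."""
    expanded = membership_filter.replace("%u", uid).replace("%{Ldap-UserDn}", user_dn)
    return search(f"(&(cn={group}){expanded})", entries)


if __name__ == "__main__":
    for f in [
        "(&(objectclass=posixGroup)(memberUid=%u))",   # thread's filter: group has no memberUid
        '(&(memberOf="cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz")(uid=newuser))',  # memberOf is on the user; quotes are literal
        "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))",  # matches the group's real 'member' attribute
    ]:
        print(f, "->", ldap_group_check("newgroup", f, "newuser", USER_DN, DIRECTORY))
```

Run it and the first two filters print an empty list while the third prints the group DN; the trimmed `(&(cn=newgroup)(&(objectclass=posixGroup)))` from the thread matches the group on its own, exactly as the ldapsearch run did, so the attribute actually holding membership is what decides the check.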


Re: pam_radius not using /etc/raddb/server

2012-04-09 Thread g17jimmy
Thanks, Alan. I definitely suspected both of the things you suggest, but I
initially installed this system and configured it, so I'm really confused as
to how this alternate configuration came to be. I found the rogue
configuration in the file /etc/pam_radius.conf . Unless I did that one
evening after a few beers and just don't recall, I maintain that I didn't
create the file. ;) Thanks again.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/pam-radius-not-using-etc-raddb-server-tp5627583p5627834.html


pam_radius not using /etc/raddb/server

2012-04-09 Thread g17jimmy
I have a client system that seems to be ignoring changes in the pam_radius
config file, /etc/raddb/server. I initially configured the system with a
simple shared secret and had it pointed to a test server and now when I
change the file /etc/raddb/server the client still talks to the test server
instead of the new freeradius server. I even added the test server IP
address to the new freeradius server and verified that the client is even
still using the old simple shared secret. I've gone as far as completely
removing the /etc/raddb/server file and the client continues to use the
previous config. What am I missing? The system has been rebooted numerous
times.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/pam-radius-not-using-etc-raddb-server-tp5627583p5627583.html


Re: compiling pam radius module

2011-08-24 Thread g17jimmy
I'm sure this won't surprise anyone, but the problem had nothing to do with
radius. I had only entered the radius module in the pam config for ssh, but
I had a kerberos config in the system auth pam config. When I enabled debug
for the radius module I saw the kerberos realm info being passed in syslog.
I entered the pam-radius module in the system-auth config and everything
works.



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4730628.html


Re: compiling pam radius module

2011-08-23 Thread g17jimmy
Using radtest against radius in debug mode it works (output below.) One thing
to note is that this radius server is proxying authentication to a WiKID
server for 2 factor authentication. The password you see here is the one
generated by the software token. 
=RADTEST OUTPUT===
rad_recv: Access-Request packet from host 192.168.10.109 port 50842, id=212,
length=59
User-Name = "rsguser"
User-Password = "612315"
NAS-IP-Address = 192.168.10.107
NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log]  expand: %t -> Tue Aug 23 13:44:29 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "rsguser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "rsguser"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user rsguser to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL" 
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for rsguser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=rsguser)
[ldap]  expand: dc=remoteservices,dc=CSPKRB -> dc=remoteservices,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=remoteservices,dc=CSPKRB, with filter
(uid=rsguser)
[ldap] checking if remote access for rsguser is allowed by dialupAccess
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user rsguser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 163 to 192.168.10.108 port 1812
User-Name = "rsguser"
User-Password = "612315"
NAS-IP-Address = 192.168.10.107
NAS-Port = 10
Proxy-State = 0x323132
Proxying request 1 to home server 192.168.10.108 port 1812
Sending Access-Request of id 163 to 192.168.10.108 port 1812
User-Name = "rsguser"
User-Password = "612315"
NAS-IP-Address = 192.168.10.107
NAS-Port = 10
Proxy-State = 0x323132
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.10.108 port 1812, id=163,
length=41
Reply-Message = "Access Granted"
Proxy-State = 0x323132
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [rsguser] (from client 192.168.0.0/16 port 10)
  WARNING: Empty section.  Using default return values.
Sending Access-Accept of id 212 to 192.168.10.109 port 50842
Reply-Message = "Access Granted"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 212 with timestamp +29
Ready to process requests.
==

When I configure sshd to authenticate using pam radius I get this. It looks
like the WiKID is returning "INCORRECT" in response to what radius is
sending for the password, even though radius-WiKID communication works when
using radtest. This is why I'm focusing on pam-radius.

===PAM RADIUS AUTHENTICATION==
rad_recv: Access-Request packet from host 192.168.10.109 port 19567, id=61,
length=91
User-Name = "rsguser"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 192.168.10.107
NAS-Identifier = "sshd"
NAS-Port = 18542
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "CSID IP ADDRESS -- removed"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log]  expand: %t -> Tue Aug 23 14:33:10 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "rsguser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "rsguser"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user rsguser to

Re: compiling pam radius module

2011-08-23 Thread g17jimmy
I didn't think so, just making sure. I'll test more and post the output.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4727533.html


Re: compiling pam radius module

2011-08-23 Thread g17jimmy
This is the output from the compile. Are the messages here anything to be
concerned with?

[root@csp pam_radius-1.3.17]# make 
cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function ‘talk_radius’:
pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of
‘recvfrom’ differ in signedness
pam_radius_auth.c: In function ‘pam_sm_authenticate’:
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
cc -Wall -fPIC   -c -o md5.o md5.c
ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4727343.html

compiling pam radius module

2011-08-23 Thread g17jimmy
I am trying to get pam radius module to work but the module does not seem to
be encrypting properly. When I test using radtest authentication works, but
when attempting a pam authentication the password shows as garbage. I have
verified that the shared secret I'm using is the same for both
configurations.

I will post debug logs shortly.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4727149.html


Re: MAC auth bypass with freeradius/openldap

2011-06-22 Thread g17jimmy
I don't know why it wasn't working when I posted that last one, I had a
message that the port was not authenticated on the client, but the log I
posted clearly shows that it matched on the username of the switch since
there is an ldap user called admin and the switch admin user is also admin. 

Admittedly this is not great security, but this is not going to be the case
for long.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p451.html


Re: MAC auth bypass with freeradius/openldap

2011-06-22 Thread g17jimmy
I guess I was too quick to call it, and it looks like the problem is still on
the NAS. You will see that the client first gets access using the MAC
address as the CSID, but at some point, the client or NAS decided to
re-auth but this time using the IP address that the client had acquired.
It doesn't look like it's associated with the reauthentication period as
that is set to 1 hour and the issue occurred within about 10 minutes. I'm
pretty sure this has nothing to do with radius and everything to do with my
switch config, so sorry if this post is inappropriate.

rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154,
id=0, length=112
User-Name = "0010182b9065"
NAS-IP-Address = 192.168.1.254
NAS-Port = 24
Called-Station-Id = "00-1A-70-8B-2B-8C"
Calling-Station-Id = "00-10-18-2B-90-65"
Acct-Status-Type = Start
Acct-Session-Id = "052D"
Acct-Authentic = Local
NAS-Port-Type = Ethernet
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 24,Client-IP-Address =
192.168.1.254,NAS-IP-Address = 192.168.1.254,Acct-Session-Id =
"052D",User-Name = "0010182b9065"'
[acct_unique] Acct-Unique-Session-ID = "42587646b94a35b4".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail]expand: %t -> Wed Jun 22 09:15:40 2011
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -> 0010182b9065
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} -> 0010182b9065
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 0 to 192.168.1.254 port 49154
Finished request 7.
Cleaning up request 7 ID 0 with timestamp +60184
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154,
id=0, length=97
User-Name = "admin"
NAS-IP-Address = 192.168.1.254
Called-Station-Id = "192.168.1.254"
Calling-Station-Id = "192.168.1.118"
Acct-Status-Type = Stop
Acct-Session-Id = "052C"
Acct-Authentic = Local
Acct-Session-Time = 1280
Acct-Terminate-Cause = Idle-Timeout
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 192.168.1.254,NAS-IP-Address =
192.168.1.254,Acct-Session-Id = "052C",User-Name = "admin"'
[acct_unique] Acct-Unique-Session-ID = "0f743b391350fbbb".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail]expand: %t -> Wed Jun 22 09:25:47 2011
++[detail] returns ok
++[unix] returns noop
[radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -> admin
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[attr_filter.accounting_response]   expand: %{User-Name} -> admin
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 0 to 192.168.1.254 port 49154
Finished request 8.
Cleaning up request 8 ID 0 with timestamp +60791
Going to the next request
Ready to process requests.


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p4514401.html


Re: MAC auth bypass with freeradius/openldap

2011-06-22 Thread g17jimmy
The NAS is a Linksys/Cisco SFE2000 switch. There is very little flexibility
in how to configure the switch and the documents do not detail how to
configure it for 802.1x or mac bypass, other than to say it can do it. 

The client is a windows system being plugged into a port on the switch.

I will say that your reply helped and fixed the problem. The switch manual had
no detail on configuration for making it work and I had made the config I
thought needed to be made and had one thing out of place. I set the 802.1x
authentication method to 'radius'. I changed that to 'none' and it's
working. 

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p4514243.html


MAC auth bypass with freeradius/openldap

2011-06-21 Thread g17jimmy
I've been looking at this for a day now and it seems like I'm close, but
something is not right. I have a freeradius server with an openldap backend
for MAC auth bypass. This system is just for test, but it is an essential
first step in my project.

I'm using freeradius2-2.1.7-7.el5, freeradius2-ldap-2.1.7-7.el5,
openldap-servers-2.3.43-12.el5_6.7, and I am currently using a Cisco labeled
Linksys SFE-2000 switch.

Since I have been reading docs and trying different things all day I'm
thinking there is something I've just messed up on and overlooked while
going over the files. I have tried creating the MAC address in LDAP several
ways, as a cn(objectclass=device), as a uid(with and without a password.) 

Here are the files I've mod'd:
**
raddb/modules/ldap:
**
ldap {
    cache = no
    server = "localhost"
    identity = "uid=radauth,ou=radius,dc=CSPKRB"
    password = password
    basedn = "ou=radius,dc=CSPKRB"
    filter = "(cn=%{User-Name})"
    tls {
        start_tls = no
    }
    default_profile = "uid=radauth,ou=radius,dc=CSPKRB"
    profile_attribute = "radiusProfileDn"
    access_attr = "cn"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupname_attribute = radius_users
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    timeout = 4
    timelimit = 3
    net_timeout = 1
    set_auth_type = no
}
**
raddb/sites-enabled/inner-tunnel:
**
server inner-tunnel {
authorize {
preprocess
ldap
pap
update control {
   Proxy-To-Realm := LOCAL
}
}
eap {
ok = return
}
}
authenticate {
Auth-Type PAP {
pap
}
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
**
clients.conf
**
client localhost {
    ipaddr = 127.0.0.1
    secret = SharedSecret
    require_message_authenticator = no
}
client 192.168.0.0/16 {
    require_message_authenticator = no
    secret = SharedSecret
    nastype = other
}
**
debug output:
**
rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0,
length=99
NAS-IP-Address = 192.168.1.254
NAS-Port-Type = Ethernet
NAS-Port = 24
User-Name = "0010182b9065"
Acct-Session-Id = "052B"
EAP-Message = 0x021101303031303138326239303635
Message-Authenticator = 0x57f15349b978ec4c8dcdda92f6cc6fed
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log]  expand: %t -> Tue Jun 21 16:38:24 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for 0010182b9065
[ldap]  expand: (cn=%{User-Name}) -> (cn=0010182b9065)
[ldap]  expand: ou=radius,dc=CSPKRB -> ou=radius,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius,dc=CSPKRB, with filter
(cn=0010182b9065)
[ldap] checking if remote access for 0010182b9065 is allowed by cn
rlm_ldap: performing search in uid=radauth,ou=radius,dc=CSPKRB, with filter
(objectclass=radiusprofile)
rlm_ldap: object not found
[ldap] default_profile/user-profile search failed
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user 0010182b9065 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1

Re: Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

2011-06-15 Thread g17jimmy
d'oh! it was SElinux. I had disabled it temporarily, but didn't set it as
disabled in /etc/selinux/config so it was blocking the authentication. 


Phil Mayers wrote:
> 
> On 06/14/2011 09:44 PM, Jimmy wrote:
>> I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
>> am trying to configure Freeradius 2.1.7 to authenticate to Kerberos.
> 
> My advice would be to investigate having FreeRADIUS pull the user info 
> (secrets etc.) direct from LDAP. It'll save your sanity in the long run 
> (provided the secrets in LDAP are ones FreeRADIUS can make use of)
> 
> But...
> 
>>
>> I am having problems getting Freeradius to authenticate while started
>> in daemon mode. When the process is started in debug mode it seems to
>> function, but authentications while in daemon mode return the error:
>>
>>> Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied
>>> in replay cache code
> 
> So, in debug mode it's fine, but in daemon mode it's giving permission 
> denied errors as above? That error sounds like it's coming out of the 
> kerberos libraries, rather than FreeRADIUS.
> 
> Try this: start it up in daemon mode, then use "strace" to record
> syscalls:
> 
> strace -o log -p 
> 
> ...do a test authentication, then hunt through the log for open() and 
> write() calls that fail i.e. return -1. That should tell you what file 
> it's trying to use as a replay cache. Then, fix the permissions so that 
> the daemon can access that file.
> 
> Also, if you're running an LSM (SELinux, AppArmor) check their logs 
> (audit.log in the case of SELinux; no idea for AppArmor) to see if it's 
> a MAC policy, rather than uid/gid-based perms, that's denying it.
> 
> Alternatively, you might be able to disable the replay cache using 
> entries in /etc/krb5.conf, but you'd have to do a bit of digging.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Auth-rlm-krb5-test1-CSP-BACK-krb5-rd-req-failed-Permission-denied-in-replay-cache-code-tp4489262p4491473.html


Re: Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

2011-06-15 Thread g17jimmy
I haven't yet done a test using strace but wanted to add what I did find when
I got started this morning. If I attempt to authenticate with the user
test1, password `qwer` (the correct password,) I get this response:

Wed Jun 15 08:40:19 2011 : Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req()
failed: Permission denied in replay cache code

*But* if I use the wrong password `qwert` (or anything really) I get this
response:

Wed Jun 15 08:40:48 2011 : Auth: rlm_krb5: [test1@CSP-BACK] krb5_g_i_t_w_p
failed: Decrypt integrity check failed

Thanks!

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Auth-rlm-krb5-test1-CSP-BACK-krb5-rd-req-failed-Permission-denied-in-replay-cache-code-tp4489262p4491109.html