Authenticate as computer - Windows XP
Hi,

In IAS we have a policy that contains: host/*.teste.com

How can I do this in FreeRADIUS to authenticate a computer account, stripping the computer name to search for it in OpenLDAP?

Thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Computer Authentication problem
Hi,

I have Samba with OpenLDAP as the password backend. I want to know if there is a way to work with a realm configuration based on "host/fqdn", for example: host/israel.teste.com

As in the example, I do the search in OpenLDAP based on the username "uid", which is "israel".

If somebody can help me, I will be very thankful.

Thanks.
Re: help - PEAP authentication
I will put the test server up, then I will send the configuration files. Thanks for helping me.

Michael Griego wrote:

It will break inside the EAP code, since the EAP code does a sanity check to make sure the EAP Identity matches the User-Name sent by the NAS.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Luis Daniel Lucio Quiroz wrote:

Why don't you try this:

    modules {
        ...
        # '[EMAIL PROTECTED]'
        #
        realm suffix {
            format = suffix
            delimiter = "@"
        }
    }

and then

    authorize {
        preprocess
        ...
        suffix
        ...
    }

It should work in the way that the DN is rewritten. Let me know if it works for you.

On Thursday 28 April 2005 21:25, Israel Fabio Alves wrote:

Hi Michael,

I will see this with Extreme Networks (Brazil). Thanks for your help.

Michael Griego wrote:

Talk to your NAS vendor. That's completely insane for a NAS to rewrite the User-Name, not to mention a violation of RFC 3579.

--Mike

Israel Fabio Alves wrote:

Hi,

I need help to solve a problem. My configuration works 100% with a Cisco 2950 switch. Now I need to use a switch from Extreme Networks (Summit 1i), but this switch sends the request to FreeRADIUS with this: "[EMAIL PROTECTED]". I think I could use attr_rewrite to change the request from "[EMAIL PROTECTED]" to "windowsdomain\username", but I cannot find the way to organize the information with attr_rewrite, and I do not know if this will work for authentication. Does someone have an idea how I can solve this?

Many thanks.

Israel Alves

--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343
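The two problems in this thread and in the two "host/fqdn" posts above are both about the same thing: which name the RADIUS server ends up comparing and looking up. The Python below is an added editor's example, not code from the list, from FreeRADIUS or from the Extreme switch. It decodes the EAP-Message value printed in the radiusd -X output later in the thread, pulls out the EAP Identity ("TESTE\israel"), splits names the way the thread's two rlm_realm instances are configured (suffix on "@", prefix on "\"), and runs both a raw and a post-stripping comparison against the outer User-Name, so you can see why the raw sanity check Michael describes fails once the NAS rewrites User-Name into user@realm form. The "israel@TESTE" value is what the tcpdump hex in the thread decodes to (the archive shows it redacted). The computer-account helper for the IAS-style host/*.teste.com policy assumes the short host name is the LDAP uid; the function names and that directory layout are my assumptions, and whether FreeRADIUS compares the names before or after stripping is not stated on the page and is not claimed here.

```python
"""Decode an EAP Identity from a RADIUS EAP-Message and compare it with
User-Name before and after realm stripping (editor's example, not FreeRADIUS code)."""
import re
from typing import Optional, Tuple

# Constructed sample values. The EAP-Message hex is the one printed in the
# radiusd -X output quoted in this thread; "israel@TESTE" is the User-Name the
# tcpdump hex in the thread decodes to (shown redacted in the archive).
SAMPLE_EAP_MESSAGE = "0x020700110154455354455c69737261656c"
USER_NAME_FROM_EXTREME = "israel@TESTE"   # rewritten by the Summit 1i
USER_NAME_FROM_CISCO = "TESTE\\israel"     # passed through unchanged by the 2950

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_eap_identity(eap_message_hex: str) -> str:
    """Return the identity carried in an EAP-Response/Identity.

    Wire layout (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data.
    The length field is checked against the real size so a truncated or padded
    attribute is rejected instead of being silently misparsed.
    """
    hex_digits = eap_message_hex[2:] if eap_message_hex.lower().startswith("0x") else eap_message_hex
    raw = bytes.fromhex(hex_digits)
    if len(raw) < 5:
        raise ValueError("EAP packet shorter than its fixed header")
    code, length = raw[0], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} does not match {len(raw)} bytes")
    if code != EAP_CODE_RESPONSE or raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return raw[5:].decode("ascii")


def split_realm(name: str) -> Tuple[str, Optional[str]]:
    """Split a name the way the thread's two rlm_realm instances are set up:
    'suffix' on '@' (user@REALM) first, then 'prefix' on '\\' (DOMAIN\\user).
    Returns (stripped user name, realm); realm is None when no delimiter."""
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return user, realm
    if "\\" in name:
        realm, user = name.split("\\", 1)
        return user, realm
    return name, None


_HOST_RE = re.compile(r"^host/(?P<host>[^./]+)(?:\.(?P<domain>[^/]+))?$")


def computer_account_uid(identity: str) -> Optional[Tuple[str, Optional[str]]]:
    """For the IAS-style 'host/*.teste.com' policy from the first posts: strip
    'host/' and the DNS domain so the short host name can be used as the LDAP
    uid (assumed directory layout). Returns None for ordinary user logons."""
    m = _HOST_RE.match(identity)
    if not m:
        return None
    return m.group("host"), m.group("domain")


def check_identity(eap_message_hex: str, user_name: str) -> dict:
    """Compare the inner EAP Identity with the outer RADIUS User-Name.

    'raw_match' is a byte-for-byte comparison, the kind of check that trips when
    a NAS rewrites User-Name; 'stripped_match' compares the two after realm
    splitting and shows whether they still name the same user in the same realm.
    """
    eap_id = parse_eap_identity(eap_message_hex)
    return {
        "eap_identity": eap_id,
        "raw_match": eap_id == user_name,
        "stripped_match": split_realm(eap_id) == split_realm(user_name),
    }


if __name__ == "__main__":
    for label, user_name in (("Extreme Summit 1i", USER_NAME_FROM_EXTREME),
                             ("Cisco 2950", USER_NAME_FROM_CISCO)):
        print(label, check_identity(SAMPLE_EAP_MESSAGE, user_name))
    print("host/israel.teste.com ->", computer_account_uid("host/israel.teste.com"))
```

Run it and the Extreme case reports raw_match False but stripped_match True, which is the whole story of the thread: the switch did not change who is logging in, only the spelling of the outer name, and that is enough to break a server-side check that compares the two strings literally. The Cisco case matches both ways.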
Re: help - PEAP authentication
Hi Michael,

I will see this with Extreme Networks (Brazil). Thanks for your help.

Michael Griego wrote:

Talk to your NAS vendor. That's completely insane for a NAS to rewrite the User-Name, not to mention a violation of RFC 3579.

--Mike

Israel Fabio Alves wrote:

Hi,

I need help to solve a problem. My configuration works 100% with a Cisco 2950 switch. Now I need to use a switch from Extreme Networks (Summit 1i), but this switch sends the request to FreeRADIUS with this: "[EMAIL PROTECTED]". I think I could use attr_rewrite to change the request from "[EMAIL PROTECTED]" to "windowsdomain\username", but I cannot find the way to organize the information with attr_rewrite, and I do not know if this will work for authentication. Does someone have an idea how I can solve this?

Many thanks.

Israel Alves

--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343
help - PEAP authentication
Hi,

I need help to solve a problem. My configuration works 100% with a Cisco 2950 switch. Now I need to use a switch from Extreme Networks (Summit 1i), but this switch sends the request to FreeRADIUS with this: "[EMAIL PROTECTED]". I think I could use attr_rewrite to change the request from "[EMAIL PROTECTED]" to "windowsdomain\username", but I cannot find the way to organize the information with attr_rewrite, and I do not know if this will work for authentication. Does someone have an idea how I can solve this?

Many thanks.

Israel Alves
PEAP authentication + Windows DOMAIN
rocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = yes
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
realm: format = "prefix"
realm: delimiter = "\"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded checkval
checkval: item-name = "Calling-Station-Id"
checkval: check-name = "Calling-Station-Id"
checkval: data-type = "string"
checkval: notfound-reject = no
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Instantiated checkval (checkval)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (pre_proxy_log)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (post_proxy_log)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:3183, id=233, length=102
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x02020013014e5452535352565c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x1bbc239dfe037525192df19fbe71c1bb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050406'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050406
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "NTRSSRV" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "NTRSSRV"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm NTRSSRV
rlm_realm: Adding Realm = "NTRSSRV"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 6
modcall[authorize]: module "files" returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 0.0.0.0
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
modcall[authorize]: module "c
Re: Help with PEAP
Hi,

Does someone have an idea about this problem??

Thanks for helping me,
Israel.

Israel Fabio Alves wrote:

Hi,

If I do tests without the domain, the authentication runs OK. If I do tests with user + password + domain, the output below occurs:

tcpdump -n -i eth0 -vv -s 0 -X udp and \( port 1812 or port 1813 \)

19:41:06.403013 172.22.2.32.2064 > 172.22.2.150.1812: [udp sum ok] rad-access-req 98 [id 99] Attr[ [EMAIL PROTECTED] EAP_msg{..} NAS_ipaddr{172.22.2.32} Service_type{Login} Calling_station{0.0.0.0} NAS_port_type{Ethernet} Message_auth{Y[ZLFIb..'.<} ] (ttl 30, id 38919, len 126)
0x     4500 007e 9807 1e11 a785 ac16 0220            E..~
0x0010 ac16 0296 0810 0714 006a 1477 0163 0062       .j.w.c.b
0x0020 0ce1 0e32 7afc 2694                           ...2..z...&.
0x0030 010e 6973 7261 656c 4054 4553 5445 4f13       [EMAIL PROTECTED]
0x0040 0206 0011 0154 4553 5445 5c69 7372 6165       .TESTE\israe
0x0050 6c04 06ac 1602 2006 0600 011f 0930            l..0
0x0060 2e30 2e30 2e30 3d06 000f 5012 595b            .0.0.0=.P.Y[
0x0070 dea3 eef7 5a4c 4649 62ef 8327 083c            ZLFIb..'.<

19:41:06.410197 172.22.2.150.1812 > 172.22.2.32.2064: [udp sum ok] rad-access-reject 20 [id 99] (DF) (ttl 64, id 0, len 48)
0x     4500 0030 4000 4011 ddda ac16 0296            [EMAIL PROTECTED]@...
0x0010 ac16 0220 0714 0810 001c 446d 0363 0014       ..Dm.c..
0x0020 8e98 4517 d1fc ace0 55b2 f401 e0da ceae       ..E.U...

/usr/local/radius/sbin/radiusd -X -A

Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:2065, id=86, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
modcall[authorize]: module "TESTE" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry israel at line 216
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 0 to 127.0.0.1:1812
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x0000
        Proxy-State = 0x3836
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1814, id=0, length=96
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0xb8f016bb4a4bdd82c395a5f43d058bb1
        Proxy-State = 0x3836
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
rlm_realm: No
Re: Help with PEAP
Hi,

If I do tests without the domain, the authentication runs OK. If I do tests with user + password + domain, the output below occurs:

tcpdump -n -i eth0 -vv -s 0 -X udp and \( port 1812 or port 1813 \)

19:41:06.403013 172.22.2.32.2064 > 172.22.2.150.1812: [udp sum ok] rad-access-req 98 [id 99] Attr[ [EMAIL PROTECTED] EAP_msg{..} NAS_ipaddr{172.22.2.32} Service_type{Login} Calling_station{0.0.0.0} NAS_port_type{Ethernet} Message_auth{Y[ZLFIb..'.<} ] (ttl 30, id 38919, len 126)
0x     4500 007e 9807 1e11 a785 ac16 0220            E..~
0x0010 ac16 0296 0810 0714 006a 1477 0163 0062       .j.w.c.b
0x0020 0ce1 0e32 7afc 2694                           ...2..z...&.
0x0030 010e 6973 7261 656c 4054 4553 5445 4f13       [EMAIL PROTECTED]
0x0040 0206 0011 0154 4553 5445 5c69 7372 6165       .TESTE\israe
0x0050 6c04 06ac 1602 2006 0600 011f 0930            l..0
0x0060 2e30 2e30 2e30 3d06 000f 5012 595b            .0.0.0=.P.Y[
0x0070 dea3 eef7 5a4c 4649 62ef 8327 083c            ZLFIb..'.<

19:41:06.410197 172.22.2.150.1812 > 172.22.2.32.2064: [udp sum ok] rad-access-reject 20 [id 99] (DF) (ttl 64, id 0, len 48)
0x     4500 0030 4000 4011 ddda ac16 0296            [EMAIL PROTECTED]@...
0x0010 ac16 0220 0714 0810 001c 446d 0363 0014       ..Dm.c..
0x0020 8e98 4517 d1fc ace0 55b2 f401 e0da ceae       ..E.U...

/usr/local/radius/sbin/radiusd -X -A

Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:2065, id=86, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
modcall[authorize]: module "TESTE" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry israel at line 216
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 0 to 127.0.0.1:1812
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x0000
        Proxy-State = 0x3836
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1814, id=0, length=96
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0xb8f016bb4a4bdd82c395a5f43d058bb1
        Proxy-State = 0x3836
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "TESTE" returns noop for request 1
Re: Help with PEAP
Hi,

I need help to configure FreeRADIUS to authenticate Windows XP users with PEAP + MSCHAPv2. I need to authenticate users using "username + password + domain". Is there someone who runs this and can help me??

Many thanks,
Israel.
Re: Proxy PEAP+MSCHAPV2
Hi,

It is the FreeRADIUS server.

Ron Wahler wrote:

Is the FreeRadius Server a client of IAS?

Ron.
http://www.positive-logic.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Alves
Sent: Sunday, January 30, 2005 11:44 AM
To: freeradius-users@lists.freeradius.org
Subject: Proxy PEAP+MSCHAPV2

Hi,

I want to proxy the authentication of users [EMAIL PROTECTED]; this is generated by the Windows XP domain login. I configured the FreeRADIUS server that receives the request to proxy it to a second server. When I try a connection with Windows XP, I receive the error below on the first server; further below I put the output of the second FreeRADIUS server:

rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.

rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x4b7d7eb7f7c7d152f7781ccef4d74eb2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "TESTE" for User-Name = "israel@TESTE"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 172.22.3.69:1812
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x
        Proxy-State = 0x323534
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
        Proxy-State = 0x323534
Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
Sending Access-Reject of id 254 to 172.22.2.32:1746
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
--- Walking the entire request list ---
Waking up in 5 seconds...

rad_recv: Access-Request packet from host 172.22.0.47:1814, id=0, length=97
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x0195a000df15f453a0effe23b403fb50
        Proxy-State = 0x323534
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[
Proxy PEAP+MSCHAPV2
Hi,

I want to proxy the authentication of users [EMAIL PROTECTED]; this is generated by the Windows XP domain login. I configured the FreeRADIUS server that receives the request to proxy it to a second server. When I try a connection with Windows XP, I receive the error below on the first server; further below I put the output of the second FreeRADIUS server:

rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.

rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x4b7d7eb7f7c7d152f7781ccef4d74eb2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "TESTE" for User-Name = "israel@TESTE"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 172.22.3.69:1812
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x
        Proxy-State = 0x323534
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
        Proxy-State = 0x323534
Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
Sending Access-Reject of id 254 to 172.22.2.32:1746
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
--- Walking the entire request list ---
Waking up in 5 seconds...

rad_recv: Access-Request packet from host 172.22.0.47:1814, id=0, length=97
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x0195a000df15f453a0effe23b403fb50
        Proxy-State = 0x323534
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 lengt
Re: proxy problem
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x4b7d7eb7f7c7d152f7781ccef4d74eb2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "TESTE"
rlm_realm: Adding Stripped-User-Name = "israel"
rlm_realm: Proxying request from user israel to realm TESTE
rlm_realm: Adding Realm = "TESTE"
rlm_realm: Preparing to proxy authentication request to realm "TESTE"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 172.22.3.69:1812
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x
        Proxy-State = 0x323534
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
        Proxy-State = 0x323534
Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
Sending Access-Reject of id 254 to 172.22.2.32:1746
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
--- Walking the entire request list ---
Waking up in 5 seconds...

The information below is from the server that receives the request from the switch and then sends it to realm TESTE. Debug output with the problem:

/usr/local/radius/sbin/radiusd -X -A

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy
Re: proxy problem
If I do a test, login without domain, only with username and password, the authentication occurs. We can see this information in the files "proxy1.txt" and "realmTESTE1.txt" If someone can help me. Very Thanks. Israel Fabio Alves wrote: The file "proxy.txt" is the freeradius that receive de request from Switch. The file "realmTESTE.txt" is the freeradius that will authenticate users for domain TESTE. At this moment, the autentication is in files. Dustin Doris wrote: Do you have nostrip setup in proxy.conf to not strip the username? Please post debug info (radiusd -X). On Fri, 28 Jan 2005, Israel Fabio Alves wrote: I do not know right if is a problem of freeradius, it is possible that is my configuration. When I do a test using just the user and password, I loggin OK, but when using username, password and domain, occurr the login failed. If somebody have information taht help me, I will very happy. Alan DeKok wrote: Israel Fabio Alves <[EMAIL PROTECTED]> wrote: I try to do 802.1x with proxy autentication, when user loggin from Windows XP, he put username, password and domain. The Switch will send a request authentication for a freeradius server, that will proxy the request conform user domain. When a try this, I get the erros bellow. What part of the errors are unclear? Sending Access-Request of id 0 to 172.22.3.69:1812 ... rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108 The other server rejected the user. Why would you think this is a problem in FreeRADIUS? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Israel Alves - Gerente de Infraestrutura Quantiza Systems - 55(51) 598-2343 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Starting - reading configuration files ... 
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = n
Re: proxy problem
The file "proxy.txt" is the freeradius that receives the request from the Switch. The file "realmTESTE.txt" is the freeradius that will authenticate users for domain TESTE. At this moment, the authentication is in files.

Dustin Doris wrote:

Do you have nostrip setup in proxy.conf to not strip the username? Please post debug info (radiusd -X).

On Fri, 28 Jan 2005, Israel Fabio Alves wrote:

I do not know for sure if it is a problem of freeradius; it is possible that it is my configuration. When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails. If somebody has information that helps me, I will be very happy.

Alan DeKok wrote:

Israel Fabio Alves <[EMAIL PROTECTED]> wrote:

I try to do 802.1x with proxy authentication; when the user logs in from Windows XP, he puts username, password and domain. The Switch will send an authentication request to a freeradius server, that will proxy the request according to the user domain. When I try this, I get the errors below.

What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812
...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

The other server rejected the user. Why would you think this is a problem in FreeRADIUS?

Alan DeKok.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirper
Re: proxy problem
I do not know for sure if it is a problem of freeradius; it is possible that it is my configuration. When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails. If somebody has information that helps me, I will be very happy.

Alan DeKok wrote:

Israel Fabio Alves <[EMAIL PROTECTED]> wrote:

I try to do 802.1x with proxy authentication; when the user logs in from Windows XP, he puts username, password and domain. The Switch will send an authentication request to a freeradius server, that will proxy the request according to the user domain. When I try this, I get the errors below.

What part of the errors are unclear?

Sending Access-Request of id 0 to 172.22.3.69:1812
...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108

The other server rejected the user. Why would you think this is a problem in FreeRADIUS?

Alan DeKok.
proxy problem
Hi, I try to do 802.1x with proxy authentication; when the user logs in from Windows XP, he puts username, password and domain. The Switch will send an authentication request to a freeradius server, that will proxy the request according to the user domain. When I try this, I get the errors below. If I use the example below, I authenticate 100%.

"israel"        User-Password == "xteste", Proxy-To-Realm := TESTE
                Service-Type = Login,

Debug of the server that the Switch sends the authentication request to:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/usr/loc
Problem - proxy peap + mschapv2
Hi, I need help. I configured freeradius to authenticate users in OpenLDAP using the samba password; it's working 100%. Now I configured another freeradius server to route the information of users according to the Windows Domain Name, then I configured proxy.conf for this. When I do a test, the error below occurs:

" rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP."

rad_recv: Access-Request packet from host 172.22.2.32:1520, id=218, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x3bd8b99f86bf11e0fd40509088fac01a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "TESTE"
    rlm_realm: Adding Stripped-User-Name = "israel"
    rlm_realm: Proxying request from user israel to realm TESTE
    rlm_realm: Adding Realm = "TESTE"
    rlm_realm: Preparing to proxy authentication request to realm "TESTE"
  modcall[authorize]: module "suffix" returns updated for request 4
  rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
Sending Access-Request of id 4 to 172.22.3.69:1812
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x
        Proxy-State = 0x323138
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=4, length=25
        Proxy-State = 0x323138
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 4
  modcall[post-proxy]: module "eap" returns noop for request 4
modcall: group post-proxy returns noop for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1520, id=218, length=98
Sending Access-Reject of id 218 to 172.22.2.32:1520
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 218 with timestamp 41f12c0d
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.22.0.47:1814, id=4, length=97
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0xf46be4650830b6c5e442cc2756cf7411
        Proxy-State = 0x323138
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
  rlm_eap: EAP packet type response id 1 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value E16089130E8B7BEE87E6FF312E5B8312 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value E42C92D3C5AE8D6AE68AA26A841A86FA & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_passwor
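The debug output in this post shows the two things the proxying server changes and does not change: rlm_realm strips the User-Name to "israel" before forwarding, while the EAP-Message attribute is forwarded byte for byte and still carries the identity the supplicant typed. Decoding that attribute makes the mismatch visible. The following is an added example written for this thread, not FreeRADIUS code: it parses the EAP Identity response from the hex values printed above, splits a User-Name the way the suffix and ntdomain realm instances in this thread are configured (a simplification of rlm_realm, using the last "@" for suffix and the first "\" for prefix), and reports whether the outer User-Name and the EAP identity still agree. The unstripped User-Name "israel@TESTE" is a constructed stand-in for the value the list archive masked as [EMAIL PROTECTED], chosen to match the "Found realm TESTE" / "Stripped-User-Name = israel" lines.

```python
"""Decode EAP-Message Identity responses from the radiusd -X output in this thread and
compare the EAP identity with the outer User-Name before and after realm stripping.

Added example for this thread, not FreeRADIUS code. Hex values are copied from the
debug output; "israel@TESTE" is a constructed stand-in for the masked User-Name.
"""
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# EAP-Message values exactly as printed by radiusd -X in the thread
PROXIED_EAP_MESSAGE = "0x020100110154455354455c69737261656c"   # requests 4 and 8 above
PEAP_EAP_MESSAGE = "0x0232000b0169737261656c"                 # request 254 in the PEAP post
CONSTRUCTED_USER_NAME = "israel@TESTE"                         # assumption, see lead-in


def parse_eap_identity(eap_message_hex: str) -> dict:
    """Parse an RFC 3748 Identity Response: Code(1) Identifier(1) Length(2) Type(1) Identity."""
    hex_digits = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    raw = bytes.fromhex(hex_digits)
    if len(raw) < 5:
        raise ValueError("EAP packet too short for an Identity response")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"not an EAP Response (code {code})")
    if length != len(raw):
        # A Length field that disagrees with the attribute is a malformed packet; refuse it.
        raise ValueError(f"EAP Length {length} != attribute length {len(raw)}")
    if raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an Identity response (type {raw[4]})")
    return {"id": identifier, "identity": raw[5:].decode("utf-8")}


def split_realm(user_name: str, fmt: str = "suffix", delimiter: str = "@"):
    """Return (stripped user, realm) for format=suffix (user@REALM) or format=prefix
    (REALM\\user); (user_name, None) when no delimiter is present. Simplified rlm_realm."""
    if fmt == "suffix":
        user, sep, realm = user_name.rpartition(delimiter)
    elif fmt == "prefix":
        realm, sep, user = user_name.partition(delimiter)
    else:
        raise ValueError(f"unknown realm format {fmt!r}")
    return (user, realm) if sep else (user_name, None)


def proxied_user_name(user_name: str, fmt: str, delimiter: str, nostrip: bool) -> str:
    """User-Name the proxying server forwards: the stripped form unless the realm has nostrip."""
    if nostrip:
        return user_name
    user, _realm = split_realm(user_name, fmt, delimiter)
    return user


def identity_check(user_name: str, eap_message_hex: str) -> dict:
    """Compare the outer User-Name with the identity carried inside EAP-Message."""
    identity = parse_eap_identity(eap_message_hex)["identity"]
    return {"user_name": user_name, "eap_identity": identity, "match": user_name == identity}


if __name__ == "__main__":
    for nostrip in (False, True):
        forwarded = proxied_user_name(CONSTRUCTED_USER_NAME, "suffix", "@", nostrip)
        print(f"nostrip={nostrip}: forwarded {identity_check(forwarded, PROXIED_EAP_MESSAGE)}")
    print("PEAP post:", identity_check("israel", PEAP_EAP_MESSAGE))
```

Run against the two captures, the proxied request decodes to identity "TESTE\israel" (EAP id 1, length 17, matching the "EAP packet type response id 1 length 17" line) while the forwarded User-Name is "israel", so the home server's LDAP lookup (uid=israel) and the EAP conversation are keyed on different names; `nostrip` keeps the User-Name the NAS sent, which only helps if that name is the same string as the EAP identity. The later PEAP capture ("israel" in both places) is the consistent case.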
PEAP + OpenLDAP
with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x814cfe8
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: certificate_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: CA_file = "/usr/local/openssl/ssl/misc/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/openssl/ssl/misc/dh"
tls: random_file = "/usr/local/openssl/ssl/misc/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1237, id=254, length=86
        User-Name = "israel"
        EAP-Message = 0x0232000b0169737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x538884dd8
Re: LDAP, PEAP, Active Directory issue
AP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x814cfe8
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: certificate_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: CA_file = "/usr/local/openssl/ssl/misc/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/openssl/ssl/misc/dh"
tls: random_file = "/usr/local/openssl/ssl/misc/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1237, id=254, length=86
        User-Name = "israel"
        EAP-Message = 0x0232000b0169737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x538884dd87995e9d15ae98534ab66abe
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: EAP packet type response id 50 length 11
  rlm_eap: No EAP Start, assuming it's an on-g
Re: LDAP, PEAP, Active Directory issue
Hi, I have a question about the problem below. If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?? Thanks.

Ron Wahler wrote:

You could still encrypt the passwords in the ldap database; it just has to be a two-way hash so you can get the password in the clear.

Ron.
Ron Wahler
http://www.positive-logic.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

I am having the same problem. When you use an EAP type (like PEAP), a hash of the password is sent to the radius server. The radius server is able to deal with this if it has the password (such as in a mysql DB or local file). The password can be hashed and compared with the hash that was received from the client (WinXP PC in your case). If you use LDAP, you must supply a cleartext password (usually over SSL) in order to perform PAP authentication. Since you are sending the hash of the password to the LDAP server it cannot bind. The only solution that I have found is to store cleartext passwords in the LDAP DB, but this would defeat the purpose of authentication because then anyone could view passwords stored on the LDAP server. I hope this explanation helps (at least it wasn't filled with WTF's and RTFM's like some responses). :)

[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>

On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:

AJ Grinnell <[EMAIL PROTECTED]> wrote:

Ok, I have peap working with the users file and with mysql, and I have radius working with ldap also. But I can not get a user to authenticate against ldap using peap.

The server does not authenticate against LDAP for any EAP type. See my previous message to you on this topic.

I have seen that you can't use eap and ldap,

You already asked this question, and I already answered it. If you don't remember, read the list archives.

but peap and ldap should work from what I have read.

PEAP is a type of EAP.

the debug that I am seeing is very long, so I have included the part where I am seeing an obvious error.

The part where it says it doesn't have a password?

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

You haven't told the server what the user's password is. How the heck do you expect it to authenticate anyone?

Alan DeKok.

I'm sorry, I have not seen any replies that you may have given me. The server has been told what the user's password is when they log in over the wireless; Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work? Again, I'm sorry if this is a basic question.
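The question that opens this message, whether a Samba-maintained ntPassword in OpenLDAP is enough for PEAP/MS-CHAPv2, turns on what that attribute contains: the NT hash, MD4 over the UTF-16LE encoding of the password, which is the value MS-CHAPv2 verification is computed from. A server that holds that hash (the "rlm_ldap: Adding ntPassword as NT-Password" line in the proxy post above) or a cleartext User-Password it can hash needs neither a stored cleartext password nor an LDAP bind; a one-way userPassword hash such as {SSHA} cannot be turned into the NT hash, which is the failure the rlm_mschap lines quoted above report. The following is an added example written for this thread, not FreeRADIUS or Samba code: a plain RFC 1320 MD4 (included because hashlib's MD4 is disabled in many OpenSSL 3 builds), the NT-hash derivation, and a simplified version of the credential choice the debug lines describe (my reading of the output, not the module's logic). The stored hash value comes from the thread's own debug output; "password" is a constructed test input.

```python
"""What the LDAP ntPassword attribute holds and when an MS-CHAPv2 check can proceed.

Added example for this thread, not FreeRADIUS or Samba code. md4() follows RFC 1320;
select_nt_password() is a simplification of the decision visible in the rlm_mschap and
rlm_ldap debug lines in this thread, not the module's own code.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data`."""
    F = lambda x, y, z: (x & y) | ((x ^ MASK) & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    bit_len = len(data) * 8
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for func, k_add, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + X[k] + k_add) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate roles: next step updates old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over UTF-16LE, as uppercase hex (the form rlm_ldap prints for ntPassword)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def select_nt_password(user_password=None, stored_nt_password=None):
    """Simplified credential choice mirrored from the thread's debug output:
    - a stored NT hash is used as-is ("Adding ntPassword as NT-Password")
    - otherwise a cleartext User-Password is hashed into one
    - otherwise None, the "FAILED: No NT/LM-Password" case quoted above."""
    if stored_nt_password:
        return stored_nt_password.upper()
    if user_password is not None:
        return nt_hash(user_password)
    return None


def usable_for_mschapv2(stored_credential: str) -> bool:
    """MS-CHAPv2 needs the NT hash, so only cleartext or a stored NT hash can serve. OpenLDAP
    userPassword values carry their scheme as a {PREFIX}; one-way schemes cannot be recovered."""
    one_way = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")
    return not stored_credential.upper().startswith(one_way)


if __name__ == "__main__":
    # Value taken from the proxy post's debug output above; "password" is a constructed input.
    print("ntPassword from directory:", select_nt_password(stored_nt_password="E16089130E8B7BEE87E6FF312E5B8312"))
    print("derived from cleartext   :", select_nt_password(user_password="password"))
    print("nothing available        :", select_nt_password())
    print("{SSHA} usable?           :", usable_for_mschapv2("{SSHA}constructed-digest"))
```

The test vectors used below (MD4 of the empty string and of "abc" from RFC 1320, and the widely published NT hash of "password") let a reader confirm the MD4 routine before trusting any hash it prints.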