Authentication erros on freeradius 1.0.1 on Solaris 9
Hi! I have freeradius 1.0.1 on Solaris 9. I have problems authenticating users via Cisco NAS and via Cisco Access Points. The radius config ran under freeradius 0.9.3 without any problem. Here the debug outputs : users file : nutest1 Auth-Type:= Local, User-Password == "geheim" Service-Type = Framed-User, Framed-Protocol = PPP clients.conf client 1.1.1.1 { secret = test123 shortname = test nastype = cisco } First test is with radtest, the second test is via Cisco NAS. Authentication via radtest is accepted, but authentication via NAS is rejected, and I don't know why. nuki02[admin] # radtest nutest1 geheim localhost:1812 1 testing123 Sending Access-Request of id 153 to 127.0.0.1:1812 User-Name = "nutest1" User-Password = "geheim" NAS-IP-Address = nuki02 NAS-Port = 1 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=153, length=32 Service-Type = Framed-User Framed-Protocol = PPP nuki02[admin] # On Cisco NAS: as5200-ranke01#test aaa group radius nutest1 geheim Attempting authentication test to server-group radius using radius User authentication request was rejected by server. as5200-ranke01# Here now the debug output from the radius server: nuki02[admin] # /opt/NUfreeradius-1.0.1/sbin/radiusd -d /etc/raddb -a /var/log/radius -x Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Module: Loaded exec rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded System Module: Instantiated unix (unix) Module: Loaded eap rlm_eap: Loaded and initialized type leap rlm_eap: Loaded and initialized type gtc rlm_eap: Loaded and initialized type tls rlm_eap: Loaded and initialized type ttls rlm_eap: Loaded and initialized type peap rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess Module: Instantiated preprocess (preprocess) Module: Loaded detail Module: Instantiated detail (auth_log) Module: Loaded realm Module: Instantiated realm (suffix) Module: Loaded files Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id Module: Instantiated acct_unique (acct_unique) Module: Instantiated detail (detail) Module: Loaded radutmp Module: Instantiated radutmp (radutmp) Module: Instantiated detail (reply_log) Initializing the thread pool... Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:35513, id=153, length=49 User-Name = "nutest1" User-Password = "geheim" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Login OK: [nutest1] (from client localhost port 1) Sending Access-Accept of id 153 to 127.0.0.1:35513 Service-Type = Framed-User Framed-Protocol = PPP rad_recv: Access-Request packet from host 193.98.110.136:1645, id=114, length=59 NAS-IP-Address = 193.98.110.136 NAS-Port-Type = Async User-Name = "nutest1" User-Password = "T\324\3701\212\023c\\\375m\211\2061'\312\320" Login incorrect: [nutest1] (from client ranke-test port 0) rad_recv: Access-Request packet from host 193.98.110.136:1645, id=114, length=59 Sending Access-Reject of id 114 to 193.98.110.136:1645 The difference between both acces-request is, which I can see, is that the user-password is different. In the fist test you see the password correctly, in the second something strange. When I increase the debugging level on the radius server, then I see this output : rad_recv: Access-Request packet from host 193.98.110.136:1645, id=113, length=59 --- Walking the entire request list --- Waking up in 31 seconds... Threads: total/active/spare threads = 5/0/5 Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) NAS-IP-Address = 193.98.110.136 NAS-Port-Type = Async User-Name = "nutest1" User-Password = "g\\\202\t\367\010}\215\255\255\225\257\t.G\267" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/ranke-test/auth-detail' rlm_detail: /var/log/radius/%C/auth-detail expands to /var/log/radius/ranke-test/auth-detail modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "nutest1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0
RE: Authentication erros on freeradius 1.0.1 on Solaris 9
Here's two hints: > auth: No authenticate method (Auth-Type) configuration found for the > request: Rejecting the user The authorize section didn't find the user anywhere (eg in etc/raddb/users file), or anything else to tell it what authentication method to use for the user. And: > Login incorrect: [nutest1] (from client ranke-test port 0) >WARNING: Unprintable characters in the password. ? Double-check the > shared secret on the server and the NAS! So, check that the shared secret between the server and the NAS are the same (etc/raddb/clients.conf file). And run the server with the -X (capital X) option to get all the debugging output... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Hi! The authorize section didn't find the user anywhere (eg in etc/raddb/users file), or anything else to tell it what authentication method to use for the user. The problem is not the authorize section. The user got an reject, because in the user-password stand something strange and not the password: User-Password = "g\\\202\t\367\010}\215\255\255\225\257\t.G\267" Perhaps the radius Server is not able to decode the password correctly ? So, check that the shared secret between the server and the NAS are the same (etc/raddb/clients.conf file). And run the server with the -X (capital X) option to get all the debugging output... Believe me, I checked the shared secret one hundred time. The shared secret is correct. I still believe that there is a problem to decode the send password. Regards, Ahmad -- Ahmad Cheikh-Moussa NetUSE AG Dr.-Hell-Straße, 24107 Kiel, Germany Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499 Service: [EMAIL PROTECTED] -- http://NetUSE.DE/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Ahmad Cheikh Moussa schrieb: > Believe me, I checked the shared secret one hundred > time. > The shared secret is correct. I still believe that there > is a problem > to decode the send password. Which still hints at a bad secret... I don't really know how sensitive your cisco box or even freeradius are in this respect, but checking for whitespace or a "bad" linebreak (the infamous windows-like "\r\n" vs. unix-like "\n" ) at the end of the secret _might_ be an idea. Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Ahmad Cheikh Moussa schrieb: > Believe me, I checked the shared secret one hundred > time. > The shared secret is correct. I still believe that there > is a problem > to decode the send password. Which still hints at a bad secret... I don't really know how sensitive your cisco box or even freeradius are in this respect, but checking for whitespace or a "bad" linebreak (the infamous windows-like "\r\n" vs. unix-like "\n" ) at the end of the secret _might_ be an idea. Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Hi! The shared secret is test123. I don't think that this password is a problem. All radius files are edited via "vi" editor. The same config with freeradius 0.9.3 runs without any problems. I don't think that suddenly the Cisco NAS do something other than before with freeradius 0.9.3. Regards, Ahmad [EMAIL PROTECTED] wrote: Ahmad Cheikh Moussa schrieb: Believe me, I checked the shared secret one hundred time. The shared secret is correct. I still believe that there is a problem to decode the send password. Which still hints at a bad secret... I don't really know how sensitive your cisco box or even freeradius are in this respect, but checking for whitespace or a "bad" linebreak (the infamous windows-like "\r\n" vs. unix-like "\n" ) at the end of the secret _might_ be an idea. Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Ahmad Cheikh-Moussa NetUSE AG Dr.-Hell-Straße, 24107 Kiel, Germany Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499 Service: [EMAIL PROTECTED] -- http://NetUSE.DE/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Ahmad Cheikh Moussa <[EMAIL PROTECTED]> wrote: > The shared secret is test123. I don't think that this > password is a problem. All radius files > are edited via "vi" editor. The same config > with freeradius 0.9.3 runs without any problems. > I don't think that suddenly the Cisco NAS do something > other than before with freeradius 0.9.3. If the User-Password is decrypted to be garbage, then either the shared secret is wrong, or there's a bug in the servers MD5 routines. Try it on another platform, like x86. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Hi! > If the User-Password is decrypted to be garbage, then either the > shared secret is wrong, or there's a bug in the servers MD5 routines. > > Try it on another platform, like x86. freeradius on SuSe 9.1 functions properly. Is it a Solaris Problem ? Is there a patch for ? Regards, Ahmad -- Ahmad Cheikh-Moussa NetUSE AG Dr.-Hell-Straße, 24107 Kiel, Germany Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499 Service: [EMAIL PROTECTED] -- http://NetUSE.DE/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Authentication erros on freeradius 1.0.1 on Solaris 9
I'm on Solaris 9, and I haven't had any problems (touch wood), but I haven't tried it with a real NAS yet either - only test clients (radclient/radtest, NTRadPing on XP, Perl and Python). Just a thought - if it was a problem with Solaris/the server, then wouldn't your radtest test fail also? Have you tried using the same shared secret for localhost and the Cisco? Have you tried a different client on another platform, like NTRadPing for example? > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Ahmad Cheikh-Moussa > Sent: Monday, 18 October 2004 6:10 AM > To: [EMAIL PROTECTED] > Subject: Re: Authentication erros on freeradius 1.0.1 on Solaris 9 > > Hi! > > > > If the User-Password is decrypted to be garbage, then either the > > shared secret is wrong, or there's a bug in the servers MD5 > routines. > > > > Try it on another platform, like x86. > freeradius on SuSe 9.1 functions properly. > Is it a Solaris Problem ? > Is there a patch for ? > > Regards, > Ahmad > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
On Mon, 18 Oct 2004 10:50 +1000, Mitchell, Michael wrote: > > Just a thought - if it was a problem with Solaris/the server, then > wouldn't your radtest test fail also? Only the radtest/radclient from the failing freeradius/Solaris installation is working. Using this radclient with a working freeradius fails too. It looks like radclient doesn't encrypt the password. With snoop I can see the password in clear! I guess on the radiusd it's the same problem. For requests from a working radclient, pair->flags.encrypt in rad_decode is always 0. As Ahmad already wrote, we are using identical configuration files on both Linux/IA32 and Solaris/Sparc. Only the Linux-version is working. Regards, Klaus -- Klaus Kastens NetUSE AG Dr.-Hell-Straße 6, D-24107 Kiel, Germany Fon: +49 431 2390 400 (07:00 GMT - 15:00 GMT) Fax: +49 431 2390 499 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html