Authentication erros on freeradius 1.0.1 on Solaris 9
Hi!
I have freeradius 1.0.1 on Solaris 9. I have problems authenticating
users via Cisco NAS and via Cisco Access Points. The radius config
ran under freeradius 0.9.3 without any problem.
Here the debug outputs :
users file :
nutest1 Auth-Type:= Local, User-Password == "geheim"
Service-Type = Framed-User,
Framed-Protocol = PPP
clients.conf
client 1.1.1.1 {
secret = test123
shortname = test
nastype = cisco
}
First test is with radtest, the second test is via Cisco NAS.
Authentication via radtest is accepted, but authentication
via NAS is rejected, and I don't know why.
nuki02[admin] # radtest nutest1 geheim localhost:1812 1 testing123
Sending Access-Request of id 153 to 127.0.0.1:1812
User-Name = "nutest1"
User-Password = "geheim"
NAS-IP-Address = nuki02
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=153, length=32
Service-Type = Framed-User
Framed-Protocol = PPP
nuki02[admin] #
On Cisco NAS:
as5200-ranke01#test aaa group radius nutest1 geheim
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.
as5200-ranke01#
Here now the debug output from the radius server:
nuki02[admin] # /opt/NUfreeradius-1.0.1/sbin/radiusd -d /etc/raddb -a
/var/log/radius -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type tls
rlm_eap: Loaded and initialized type ttls
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
Module: Instantiated detail (auth_log)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Module: Instantiated detail (reply_log)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:35513, id=153, length=49
User-Name = "nutest1"
User-Password = "geheim"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Login OK: [nutest1] (from client localhost port 1)
Sending Access-Accept of id 153 to 127.0.0.1:35513
Service-Type = Framed-User
Framed-Protocol = PPP
rad_recv: Access-Request packet from host 193.98.110.136:1645, id=114,
length=59
NAS-IP-Address = 193.98.110.136
NAS-Port-Type = Async
User-Name = "nutest1"
User-Password = "T\324\3701\212\023c\\\375m\211\2061'\312\320"
Login incorrect: [nutest1] (from client ranke-test port 0)
rad_recv: Access-Request packet from host 193.98.110.136:1645, id=114,
length=59
Sending Access-Reject of id 114 to 193.98.110.136:1645
The difference between both acces-request is, which I can see, is
that the user-password is different. In the fist test
you see the password correctly, in the second something
strange.
When I increase the debugging level on the radius server, then
I see this output :
rad_recv: Access-Request packet from host 193.98.110.136:1645, id=113,
length=59
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
NAS-IP-Address = 193.98.110.136
NAS-Port-Type = Async
User-Name = "nutest1"
User-Password = "g\\\202\t\367\010}\215\255\255\225\257\t.G\267"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/ranke-test/auth-detail'
rlm_detail: /var/log/radius/%C/auth-detail expands to
/var/log/radius/ranke-test/auth-detail
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "nutest1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
RE: Authentication erros on freeradius 1.0.1 on Solaris 9
Here's two hints: > auth: No authenticate method (Auth-Type) configuration found for the > request: Rejecting the user The authorize section didn't find the user anywhere (eg in etc/raddb/users file), or anything else to tell it what authentication method to use for the user. And: > Login incorrect: [nutest1] (from client ranke-test port 0) >WARNING: Unprintable characters in the password. ? Double-check the > shared secret on the server and the NAS! So, check that the shared secret between the server and the NAS are the same (etc/raddb/clients.conf file). And run the server with the -X (capital X) option to get all the debugging output... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Hi! The authorize section didn't find the user anywhere (eg in etc/raddb/users file), or anything else to tell it what authentication method to use for the user. The problem is not the authorize section. The user got an reject, because in the user-password stand something strange and not the password: User-Password = "g\\\202\t\367\010}\215\255\255\225\257\t.G\267" Perhaps the radius Server is not able to decode the password correctly ? So, check that the shared secret between the server and the NAS are the same (etc/raddb/clients.conf file). And run the server with the -X (capital X) option to get all the debugging output... Believe me, I checked the shared secret one hundred time. The shared secret is correct. I still believe that there is a problem to decode the send password. Regards, Ahmad -- Ahmad Cheikh-Moussa NetUSE AG Dr.-Hell-Straße, 24107 Kiel, Germany Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499 Service: [EMAIL PROTECTED] -- http://NetUSE.DE/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Ahmad Cheikh Moussa schrieb: > Believe me, I checked the shared secret one hundred > time. > The shared secret is correct. I still believe that there > is a problem > to decode the send password. Which still hints at a bad secret... I don't really know how sensitive your cisco box or even freeradius are in this respect, but checking for whitespace or a "bad" linebreak (the infamous windows-like "\r\n" vs. unix-like "\n" ) at the end of the secret _might_ be an idea. Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Ahmad Cheikh Moussa schrieb: > Believe me, I checked the shared secret one hundred > time. > The shared secret is correct. I still believe that there > is a problem > to decode the send password. Which still hints at a bad secret... I don't really know how sensitive your cisco box or even freeradius are in this respect, but checking for whitespace or a "bad" linebreak (the infamous windows-like "\r\n" vs. unix-like "\n" ) at the end of the secret _might_ be an idea. Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Hi! The shared secret is test123. I don't think that this password is a problem. All radius files are edited via "vi" editor. The same config with freeradius 0.9.3 runs without any problems. I don't think that suddenly the Cisco NAS do something other than before with freeradius 0.9.3. Regards, Ahmad [EMAIL PROTECTED] wrote: Ahmad Cheikh Moussa schrieb: Believe me, I checked the shared secret one hundred time. The shared secret is correct. I still believe that there is a problem to decode the send password. Which still hints at a bad secret... I don't really know how sensitive your cisco box or even freeradius are in this respect, but checking for whitespace or a "bad" linebreak (the infamous windows-like "\r\n" vs. unix-like "\n" ) at the end of the secret _might_ be an idea. Regards, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Ahmad Cheikh-Moussa NetUSE AG Dr.-Hell-Straße, 24107 Kiel, Germany Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499 Service: [EMAIL PROTECTED] -- http://NetUSE.DE/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Ahmad Cheikh Moussa <[EMAIL PROTECTED]> wrote: > The shared secret is test123. I don't think that this > password is a problem. All radius files > are edited via "vi" editor. The same config > with freeradius 0.9.3 runs without any problems. > I don't think that suddenly the Cisco NAS do something > other than before with freeradius 0.9.3. If the User-Password is decrypted to be garbage, then either the shared secret is wrong, or there's a bug in the servers MD5 routines. Try it on another platform, like x86. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
Hi! > If the User-Password is decrypted to be garbage, then either the > shared secret is wrong, or there's a bug in the servers MD5 routines. > > Try it on another platform, like x86. freeradius on SuSe 9.1 functions properly. Is it a Solaris Problem ? Is there a patch for ? Regards, Ahmad -- Ahmad Cheikh-Moussa NetUSE AG Dr.-Hell-Straße, 24107 Kiel, Germany Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499 Service: [EMAIL PROTECTED] -- http://NetUSE.DE/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Authentication erros on freeradius 1.0.1 on Solaris 9
I'm on Solaris 9, and I haven't had any problems (touch wood), but I haven't tried it with a real NAS yet either - only test clients (radclient/radtest, NTRadPing on XP, Perl and Python). Just a thought - if it was a problem with Solaris/the server, then wouldn't your radtest test fail also? Have you tried using the same shared secret for localhost and the Cisco? Have you tried a different client on another platform, like NTRadPing for example? > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Ahmad Cheikh-Moussa > Sent: Monday, 18 October 2004 6:10 AM > To: [EMAIL PROTECTED] > Subject: Re: Authentication erros on freeradius 1.0.1 on Solaris 9 > > Hi! > > > > If the User-Password is decrypted to be garbage, then either the > > shared secret is wrong, or there's a bug in the servers MD5 > routines. > > > > Try it on another platform, like x86. > freeradius on SuSe 9.1 functions properly. > Is it a Solaris Problem ? > Is there a patch for ? > > Regards, > Ahmad > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication erros on freeradius 1.0.1 on Solaris 9
On Mon, 18 Oct 2004 10:50 +1000, Mitchell, Michael wrote: > > Just a thought - if it was a problem with Solaris/the server, then > wouldn't your radtest test fail also? Only the radtest/radclient from the failing freeradius/Solaris installation is working. Using this radclient with a working freeradius fails too. It looks like radclient doesn't encrypt the password. With snoop I can see the password in clear! I guess on the radiusd it's the same problem. For requests from a working radclient, pair->flags.encrypt in rad_decode is always 0. As Ahmad already wrote, we are using identical configuration files on both Linux/IA32 and Solaris/Sparc. Only the Linux-version is working. Regards, Klaus -- Klaus Kastens NetUSE AG Dr.-Hell-Straße 6, D-24107 Kiel, Germany Fon: +49 431 2390 400 (07:00 GMT - 15:00 GMT) Fax: +49 431 2390 499 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
