Re: Open+ MAC authentication failed.

2012-12-09 Thread Alan DeKok
Tzvika Gelber wrote:
> I created a new user with the MAC address of the client as the user and
> password :
...
> 00C0CA32A157 Cleartext-Password := "00C0CA32A157"
...
> User-Name = "00c0ca32a157"
> User-Password = "00c0ca32a157"

  You do realize that they are different, right?

  The comparisons in the users file are case-sensitive.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
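
The mismatch pointed out in the reply above, as an added example (not code from the thread or from FreeRADIUS): it compares the users-file entry with the request attributes byte for byte, as the reply says the users file does, and reports when only the spelling of the MAC differs. The helper names (`parse_users`, `canonical_mac`, `diagnose`, `entry_for`) are hypothetical; the entry and attribute values are the ones quoted in this thread.

```python
import re

# Entry and request attributes exactly as quoted in the thread.
USERS_FILE = (
    "###this is for OPEN+MAC AUTH\n"
    '00C0CA32A157 Cleartext-Password := "00C0CA32A157"\n'
    "###\n"
)
REQUEST = {
    "User-Name": "00c0ca32a157",
    "User-Password": "00c0ca32a157",
    "Calling-Station-Id": "00-C0-CA-32-A1-57",
}

# Assumption: only simple one-line "name Cleartext-Password := "..."" entries.
ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')


def parse_users(text):
    """Return {name: cleartext_password} for simple one-line entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def canonical_mac(value):
    """Reduce a MAC in any common spelling to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def diagnose(users_text, request):
    """Explain why a MAC-auth request does or does not hit a users entry."""
    entries = parse_users(users_text)
    name = request["User-Name"]
    password = request.get("User-Password", "")
    if name in entries:  # case-sensitive, byte-for-byte comparison
        return "match" if entries[name] == password else "password-differs"
    wanted = canonical_mac(name)
    for entry_name in entries:
        if wanted and canonical_mac(entry_name) == wanted:
            return f"name-spelling-differs: entry {entry_name!r}, request {name!r}"
    return "no-entry"


def entry_for(request):
    """Users-file line spelled exactly the way this NAS sends the MAC."""
    name = request["User-Name"]
    return f'{name} Cleartext-Password := "{request["User-Password"]}"\n'


if __name__ == "__main__":
    print(diagnose(USERS_FILE, REQUEST))
    print(entry_for(REQUEST), end="")
    print(diagnose(entry_for(REQUEST), REQUEST))
```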


Open+ MAC authentication failed.

2012-12-09 Thread Tzvika Gelber
Hello,

I'm trying to have a WiFi client authenticated with the OPEN+MAC method.
The AP is already known as a client of FreeRADIUS, and every other form of
RADIUS authentication I tried has worked so far (WPA, WPA2).
I'm using PEAP and the clients are Windows XP (if it makes any difference).

I created a new user with the MAC address of the client as the user and
password :

(this is a non-internet-connected client)
###this is for OPEN+MAC AUTH
00C0CA32A157 Cleartext-Password := "00C0CA32A157"
###

and I keep getting this error when it's trying to get the IP from the DHCP:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.3 port 55965, id=5,
length=128
User-Name = "00c0ca32a157"
User-Password = "00c0ca32a157"
Calling-Station-Id = "00-C0-CA-32-A1-57"
NAS-IP-Address = 10.10.10.3
Called-Station-Id = "00-18-25-02-11-D2:103-mac"
Service-Type = Framed-User
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Framed-MTU = 1400
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "00c0ca32a157", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00c0ca32a157
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 5 to 10.10.10.3 port 55965
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +12
Ready to process requests.

What am I missing? Or (however unlikely) does FreeRADIUS not support this
type of authentication any more?

Thank you
-- 

Sometimes you just glow in the dark...

Re: EAP-SIM authentication failed

2012-11-15 Thread Phil Mayers

On 15/11/12 16:46, Yann R. Moupinda wrote:

> Has anyone an idea why the MAC not matches although Client and Server
> are using the same algorithm version (Version 1 mentioned in
> AT_VERSION_LIST from Server and in AT_SELECTED_VERSION from client) ?

It's probably a bug somewhere. Very likely, the wrong data is being fed 
into the MAC at both ends.


Unfortunately, since FreeRADIUS works with *some* EAP-SIM/AKA 
supplicants, I am guessing there are incompatible implementations out there.


You would need to read the SIM/AKA RFCs in detail, and possibly feed the 
test data into FreeRADIUS to find the bug.
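
Comparing what each end put into the exchange starts with reading the EAP-Message values in the debug output. The decoder below is an added example (not code from this thread or from FreeRADIUS) that follows the RFC 4186 packet layout; the two sample packets are constructed, using the first three RAND values from the simtriplets.dat quoted in this thread and an all-zero placeholder AT_MAC. The Access-Challenge EAP-Message as archived on this page is 16 bytes long while its own length field says 20, so the decoder rejects it instead of guessing at the missing bytes.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_SIM = 18
SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
            13: "Re-authentication", 14: "Client-Error"}
AT_NAMES = {1: "AT_RAND", 7: "AT_NONCE_MT", 11: "AT_MAC", 14: "AT_IDENTITY",
            15: "AT_VERSION_LIST", 16: "AT_SELECTED_VERSION",
            17: "AT_FULLAUTH_ID_REQ"}


def decode_value(a_type, body):
    """Decode the bytes that follow an attribute's type and length octets."""
    if a_type == 15:                 # 2-byte actual length, then 2-byte versions
        n = struct.unpack("!H", body[:2])[0]
        return list(struct.unpack(f"!{n // 2}H", body[2:2 + n]))
    if a_type == 16:                 # the single selected version
        return struct.unpack("!H", body[:2])[0]
    if a_type == 1:                  # 2 reserved bytes, then n 16-byte RANDs
        return [body[i:i + 16].hex() for i in range(2, len(body), 16)]
    if a_type in (7, 11):            # 2 reserved bytes, then 16 bytes
        return body[2:18].hex()
    if a_type == 14:                 # 2-byte actual length, then the identity
        n = struct.unpack("!H", body[:2])[0]
        return body[2:2 + n].decode("ascii", "replace")
    return body.hex()


def decode_eap_sim(hex_string):
    """Parse one EAP-SIM packet given as hex (with or without a 0x prefix)."""
    if hex_string.startswith("0x"):
        hex_string = hex_string[2:]
    raw = bytes.fromhex(hex_string)
    if len(raw) < 8:
        raise ValueError("too short for an EAP-SIM header")
    code, ident, length, eap_type, subtype = struct.unpack("!BBHBB", raw[:6])
    if length != len(raw):
        raise ValueError(f"EAP length field says {length} bytes, {len(raw)} present")
    if eap_type != EAP_TYPE_SIM:
        raise ValueError(f"EAP type {eap_type} is not EAP-SIM")
    attributes = []
    pos = 8                          # bytes 6-7 are reserved
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        a_type, a_len = raw[pos], raw[pos + 1] * 4   # length counts 4-byte words
        if a_len == 0 or pos + a_len > len(raw):
            raise ValueError(f"attribute {a_type} has a bad length")
        try:
            value = decode_value(a_type, raw[pos + 2:pos + a_len])
        except struct.error as exc:
            raise ValueError(f"attribute {a_type} is malformed") from exc
        attributes.append((AT_NAMES.get(a_type, f"type {a_type}"), value))
        pos += a_len
    return {"code": EAP_CODES.get(code, code), "id": ident,
            "subtype": SUBTYPES.get(subtype, subtype), "attributes": attributes}


def build_sim(code, ident, subtype, attr_bytes):
    """Assemble an EAP-SIM packet (used only to construct the samples)."""
    return struct.pack("!BBHBBH", code, ident, 8 + len(attr_bytes),
                       EAP_TYPE_SIM, subtype, 0) + attr_bytes


# RAND values from the simtriplets.dat lines quoted in the thread.
RANDS = ["0123456789abcdef0123456789abcdef",
         "0123456789abcdef0123456789abcde0",
         "0123456789abcdef0123456789abcd18"]

# Constructed samples: a Start request and a Challenge with a placeholder MAC.
SAMPLE_START = build_sim(
    1, 133, 10, bytes.fromhex("0f02000200010000" "11010000")).hex()
SAMPLE_CHALLENGE = build_sim(
    1, 134, 11,
    bytes([1, 13, 0, 0]) + b"".join(bytes.fromhex(r) for r in RANDS)
    + bytes([11, 5, 0, 0]) + bytes(16)).hex()

# EAP-Message value as it appears in the archived Access-Challenge.
ARCHIVED_START = "0x01850014120a0f020002000111010100"

if __name__ == "__main__":
    for sample in (SAMPLE_START, SAMPLE_CHALLENGE, ARCHIVED_START):
        try:
            print(decode_eap_sim(sample))
        except ValueError as err:
            print("rejected:", err)
```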



RE: EAP-SIM authentication failed

2012-11-15 Thread Yann R. Moupinda

Hi guys,

I'm still trying to authenticate an EAP-SIM client with FreeRADIUS 3.0.0.
Using the Nokia E51 and E52, the EAP-SIM authentication process just stops
after the RADIUS has sent the "EAP-REQUEST, SIM-CHALLENGE" (containing
AT_RAND and AT_MAC) message (see log info).
I made some changes in "eapsimlib.c" regarding AT_IDENTITY by using the
patch 'commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde', but the result
didn't change.

I decided to change the client. I downloaded and installed Xsupplicant
2.2.3.553 on my Windows XP. This is software capable of being used as an
EAP-SIM client. I didn't change anything on the server side. This time
Xsupplicant replies with an "EAP-RESPONSE, SIM-CHALLENGE" (containing
AT_MAC) after receiving the "EAP-REQUEST, SIM-CHALLENGE" (containing
AT_RAND and AT_MAC). The FreeRADIUS server receives the "EAP-RESPONSE,
SIM-CHALLENGE" (containing AT_MAC), says that the received MAC doesn't
match, and breaks off the authentication process with an "access reject".


Here are the log messages with the Nokia:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, 
length=308
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 
0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   [preprocess] = ok
(0)   [chap] = noop
(0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0)
 auth_log : expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0)
 auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : expand: %t -> Thu Nov  8 14:20:05 2012
(0)   [auth_log] = ok
(0)   [mschap] = noop
(0)   [digest] = noop
(0)
 suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for 
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Found realm "~.*.3gppnetwork.org$"
(0) suffix : Adding Stripped-User-Name = "19017653"
(0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Authentication realm is LOCAL.
(0)   [suffix] = ok
rlm_sim_files: authorized user/imsi 19017653 
rlm_sim_files: Adding EAP-Type: eap-sim
(0)   [sim_files] = ok
(0) eap : EAP packet type response id 1 length 56
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest 
of authorize
(0)   [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authenticate {
(0)  - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 133
(0)   [eap] = handled
Sending Access-Challenge of id 19 to 192.168.10.212 port 48077
EAP-Message = 0x01850014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x077b668807fe746db0e5f555c7ca40d2
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, 
length=358
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
State = 0x077b668807fe746db0e5f555c7ca40d2
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
   
 EAP-Message = 
0x02850058120a0705be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
NAS-Identifier = "MT_Yann"
  

RE: EAP-SIM authentication failed

2012-11-08 Thread Yann R. Moupinda

Hi guys,

I'm still looking for a solution for the EAP-SIM authentication. I now use
FreeRADIUS 3.0.0, and I made some changes in 'eapsimlib.c' regarding
AT_IDENTITY (commit cfd61d24b99022eb613054bbf7e0da4fa3af1bde). I still have the
same problem: the client is able to send two Access-Requests but is unable to
send the third Access-Request to close the authentication.
I use a Nokia E52 as supplicant. Has anybody run the test successfully with
another mobile phone (except Android phones)?
Does anyone know how I can debug the mobile phone?
Any helpful ideas?

Here is my debug output:


radiusd: FreeRADIUS Version 3.0.0 (git #d3c7336), for host i586-pc-linux-gnu, 
built on Nov  7 2012 at 14:54:31
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 48077, id=19, 
length=308
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 
0x02010038013139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x429b263e5293fadbae0a13f28dad2775
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(0) # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   [preprocess] = ok
(0)   [chap] = noop
(0) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(0) auth_log : expand: 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : 
/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/radiusd/radacct/192.168.10.212/auth-detail-20121108
(0) auth_log : expand: %t -> Thu Nov  8 14:20:05 2012
(0)   [auth_log] = ok
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for 
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Found realm "~.*.3gppnetwork.org$"
(0) suffix : Adding Stripped-User-Name = "19017653"
(0) suffix : Adding Realm = "wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix : Authentication realm is LOCAL.
(0)   [suffix] = ok
rlm_sim_files: authorized user/imsi 19017653 
rlm_sim_files: Adding EAP-Type: eap-sim
(0)   [sim_files] = ok
(0) eap : EAP packet type response id 1 length 56
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest 
of authorize
(0)   [eap] = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authenticate {
(0)  - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type sim
(0) eap : Underlying EAP-Type set EAP ID to 133
(0)   [eap] = handled
Sending Access-Challenge of id 19 to 192.168.10.212 port 48077
EAP-Message = 0x01850014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x077b668807fe746db0e5f555c7ca40d2
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 41383, id=20, 
length=358
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017...@wlan.mnc070.mcc901.3gppnetwork.org"
State = 0x077b668807fe746db0e5f555c7ca40d2
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "8253"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-50-00-00-00-00-00-03"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 
0x02850058120a0705be65a474dc99300354fdd97e5176bbc5100100010e0e00333139303137303030303030303036353340776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x07c87b76cd6232ca08dc4529913d5cac
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
(1) # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
(1)   group authorize {
(1)  - entering group authorize {...}
(1)   [preprocess] = ok
(1)   [chap] = noop
(1) auth_log : expand: %{Packet-Src-IP-Address} -> 192.168.10.212
(1) auth_log : expand: 

Re: EAP-SIM authentication failed

2012-11-07 Thread Iliya Peregoudov
I have the same problem with Nokia E51 handset. EAP-SIM authentication 
interrupted by Nokia supplicant. Unfortunately there is no useful 
diagnostic on the handset.


On other hand EAP-SIM authentication succeeds when I use wpa_supplicant 
on Windows using smart card reader with the same SIM card I've used with 
Nokia handset. Unfortunately I have neither iPhone nor Windows-based 
handset to test EAP-SIM against.


Yann R. Moupinda wrote:
i got the same failure than before: after sending the 2nd access 
challenge, the server is waiting for the 3rd access request and doesn't 
get anything --> authentication failed




RE: EAP-SIM authentication failed

2012-11-07 Thread Yann R. Moupinda

Hi guys,

Thanks for your help.

After reading your suggestions, I installed a new version of FreeRADIUS
(FreeRADIUS 2.2.1).

I haven't worked with the patch yet (I'm going to do that later), but just
to show what I got with the new version 2.2.1 and changing the content of
simtriplets.dat:

Case 1: simtriplets.dat looks like the following (imsi,rand,sres,kc) (3 different
rand...)

19017653,0123456789abcdef0123456789abcdef,0227bc86,44168f1de9259000
19017653,0123456789abcdef0123456789abcde0,725bb218,25903c082654b400
19017653,0123456789abcdef0123456789abcd18,ed404256,bc871da6ae8edc00
19017653,0123456789abcdef0123456789abcd88,6695bd6e,58788a55e9052000

I got the same failure as before: after sending the 2nd Access-Challenge, the
server is waiting for the 3rd Access-Request and doesn't get anything -->
authentication failed

.
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, 
length=238
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x020100150131393031373030303030303030363533
Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 108
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
EAP-Message = 0x016c0014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, 
length=287
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 
0x026c0034120a0705c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default

Re: EAP-SIM authentication failed

2012-11-07 Thread Francois Gaudreault
Didn't you make another fix afterward regarding AT_IDENTITY (commit 
cfd61d24b99022eb613054bbf7e0da4fa3af1bde)? Not the patch from Microsoft.

I know I have to patch the 2.2.0 source in our RPMs with this commit otherwise 
it fails ;)

On 2012-11-06, at 10:15 AM, Alan DeKok wrote:

> Phil Mayers wrote:
>> Was that after 2.2.0 was released?
> 
>  No, before.
> 
>  Alan DeKok.


Re: EAP-SIM authentication failed

2012-11-06 Thread Alan DeKok
Phil Mayers wrote:
> Was that after 2.2.0 was released?

  No, before.

  Alan DeKok.


Re: EAP-SIM authentication failed

2012-11-06 Thread Phil Mayers

On 06/11/12 13:34, Francois Gaudreault wrote:
> Hi,
>
>>> -what should I configure to get more than 2 Access-Request
>>
>> You don't. The client is stopping because it thinks something is wrong.
>> Upgrade to 2.2.0 and try again - if the same thing happens, you need to
>> debug on the client.
>
> You need to also add a patch that has been committed in the 2.1.x branch (I
> think) post release regarding EAP-SIM.  Without it, it will not work.

Was that after 2.2.0 was released?


Re: EAP-SIM authentication failed

2012-11-06 Thread Francois Gaudreault
Hi,

> 
>> -what should I configure to get more than 2 Access-Request
> 
> You don't. The client is stopping because it thinks something is wrong. 
> Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug 
> on the client.
You need to also add a patch that has been committed in the 2.1.x branch (I 
think) post release regarding EAP-SIM.  Without it, it will not work.



Re: EAP-SIM authentication failed

2012-11-06 Thread Phil Mayers

On 06/11/12 10:55, Yann R. Moupinda wrote:
> Hi guys,
>
> for my thesis i need to realize a EAP-SIM Authentication testbed. I'm
> using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and
> FreeRADIUS 2.1.10 as Radius server. I have added the necessary commands

Upgrade. Some fixes for EAP-SIM went into more recent versions.

> Access-Request' packets from MIKROTIK router and it also sent two
> 'Access-Challenge' packets back to the router. It seems the radius is
> waiting for next requests and then the authentication process just ends up.

Yes. The client stops responding, so you need to ask the client what the
problem is - but the EAP-SIM fixes might be the cause.

> so my questions are:
>
> -how many request packets are needed to complete the eap-sim authentication?

3, I think.

> -what should I configure to get more than 2 Access-Request

You don't. The client is stopping because it thinks something is wrong.
Upgrade to 2.2.0 and try again - if the same thing happens, you need to
debug on the client.



EAP-SIM authentication failed

2012-11-06 Thread Yann R. Moupinda

Hi guys,

for my thesis I need to realize an EAP-SIM authentication testbed. I'm using a
Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10
as RADIUS server. I have added the necessary commands in the clients.conf,
radiusd.conf, eap.conf and default files in order to enable EAP-SIM
authentication on FreeRADIUS, and I've created a flat file 'simtriplets.dat'
that is used by the RADIUS during the authentication process.
When trying to access the WLAN with the mobile phone (Nokia E52), I got the
message that the authentication was unsuccessful. But looking at the RADIUS
debug file, I cannot recognize any failure or messages like 'Access-Reject'.
The debug file shows that the RADIUS got two 'Access-Request' packets from the
MIKROTIK router and it also sent two 'Access-Challenge' packets back to the
router. It seems the RADIUS is waiting for the next requests and then the
authentication process just ends.
So my questions are:

-how many request packets are needed to complete the EAP-SIM authentication?
-what should I configure to get more than 2 Access-Requests?

Here is the content of my debug file:

.
.
.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.212 port 38803, id=29, 
length=238
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 0x020100150131393031373030303030303030363533
Message-Authenticator = 0xcf4e5f6429686cc260b16bd23d82489f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 108
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.10.212 port 38803
EAP-Message = 0x016c0014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.212 port 50478, id=30, 
length=287
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "19017653"
State = 0x870e2a6987623891aa6e49c2b1bcc9b6
NAS-Port-Id = "ap_hotspot"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "822e"
Acct-Multi-Session-Id = 
"00-0C-42-64-41-9D-A8-7E-33-3E-9C-5B-82-20-00-00-00-00-00-0E"
Calling-Station-Id = "A8-7E-33-3E-9C-5B"
Called-Station-Id = "00-0C-42-64-41-9D:YANN"
EAP-Message = 
0x026c0034120a0705c27cfb1cfa7a257c9c89796e49bca230100100010e05001031393031373030303030303030363533
Message-Authenticator = 0xc691af8b618d9da88f9e289557530f6f
NAS-Identifier = "MT_Yann"
NAS-IP-Address = 192.168.10.212
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
rlm_sim_files: authorized user/imsi 19017653 
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "19017653", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 52
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/defau

Re: ssh authentication failed problem use freeradius & pam_radius

2012-05-24 Thread Fajar A. Nugraha
On Thu, May 24, 2012 at 9:44 PM, sam  wrote:
> The pam_radius_auth module is installed on linux, and if the user-A is not
> created in local and  only existed in remote radius server.
> In following function() in pam_radius_auth.c, the *password always is
> INCORRECT

That is the expected behavior. For pam to work, the user needs to
exist in whatever user db it recognize (in this case, local user).

> Not familiar with this module, can anybody give some instructions?

Had you read the previous messages, you'd know that if you want to
modify something, it'd be in pam, and NOT in pam_radius plugin.
Possibly by using nss_mysql and getting it to use the same data that
FR is using (with the help of views, or whatever).

But since you decide to ignore it anyway and insist on focusing your
efforts on pam_radius_auth.c, you're pretty much on your own.

-- 
Fajar


Re: ssh authentication failed problem use freeradius & pam_radius

2012-05-24 Thread sam
The pam_radius_auth module is installed on Linux, and user-A is not
created locally and exists only on the remote RADIUS server.
In the following function in pam_radius_auth.c, the *password is always
INCORRECT
+code+
static int rad_converse(pam_handle_t *pamh, int msg_style, char *message,
                        char **password)
{
    CONST struct pam_conv *conv;
    struct pam_message resp_msg;
    CONST struct pam_message *msg[1];
    struct pam_response *resp = NULL;
    int retval;

    resp_msg.msg_style = msg_style;
    resp_msg.msg = message;
    msg[0] = &resp_msg;

    /* grab the password */
    retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv);
    PAM_FAIL_CHECK;

    /* it seems the resp is saved some useful info. */
    retval = conv->conv(1, msg, &resp, conv->appdata_ptr);
    PAM_FAIL_CHECK;

    if (password) {    /* assume msg.type needs a response */
        /* I'm not sure if this next bit is necessary on Linux */
        _pam_log(LOG_ERR, "enter in");
#ifdef sun
        /* NULL response, fail authentication */
        if ((resp == NULL) || (resp->resp == NULL)) {
            return PAM_SYSTEM_ERR;
        }
#endif

        /* saved the return value to *password (value is INCORRECT) */
        *password = resp->resp;
        free(resp);
    }

    return PAM_SUCCESS;
}
+code+

Not familiar with this module, can anybody give some instructions?




Re: ssh authentication failed problem use freeradius & pam_radius

2012-05-24 Thread sam
Is there anyone to contribute this fix?



Re: ssh authentication failed problem use freeradius & pam_radius

2012-05-11 Thread Martin Pauly
  wrote:
>> This is an issue with PAM on the client machine.  Some other module is
> doing password checking.  When the password check fails, it re-sets the
> password to "INCORRECT".  That password is then sent to the pam_radius
> module.  
> Go fix the client so that the PAM modules don't change the password.
> 
> 
> My /etc/pam.d/sshd file contains the following settings:

I had a similar problem today. PAM considered the user illegal because 
the uid in question was unknown on the machine to be accessed by ssh. 
Adding the user locally was required anyway, I had forgotten that on
that particular machine, there are only local accounts.

HTH (and thanx to Alan)
Martin

-- 
  Dr. Martin Pauly Phone:  +49-6421-28-23527
  HRZ Univ. MarburgFax:+49-6421-28-26994
  Hans-Meerwein-Str.   E-Mail: pa...@hrz.uni-marburg.de
  D-35032 Marburg   

Re: ssh authentication failed problem use freeradius & pam_radius

2012-05-05 Thread ????
Hello, Alan.

Thank you for your response.
 Alan wrote:
> This is an issue with PAM on the client machine.  Some other module is
doing password checking.  When the password check fails, it re-sets the
password to "INCORRECT".  That password is then sent to the pam_radius
module.  
Go fix the client so that the PAM modules don't change the password.


My /etc/pam.d/sshd file contains the following settings:
 -bash-3.2# cat sshd
 #%PAM-1.0
 auth       sufficient   pam_radius_auth.so debug
 auth       include      system-auth
 account    sufficient   pam_radius_auth.so
 account    required     pam_nologin.so
 account    include      system-auth
 password   sufficient   pam_radius_auth.so
 password   include      system-auth
 session    sufficient   pam_radius_auth.so
 session    optional     pam_keyinit.so force revoke
 session    include      system-auth
 session    required     pam_loginuid.so

Re: ssh authentication failed problem use freeradius & pam_radius

2012-05-05 Thread Alan DeKok
小牧 wrote:
> I am trying to use pam_radius to authenticate SSH login. My system is
> CentOS 5.6 64bit.
> When I try to authenticate with ssh, it fails. I am sure the shared
> secret is correct.

  The shared secret is correct.

> [pap] login attempt with password "? INCORRECT"

  This is an issue with PAM on the client machine.  Some other module is
doing password checking.  When the password check fails, it re-sets the
password to "INCORRECT".  That password is then sent to the pam_radius
module.

  Go fix the client so that the PAM modules don't change the password.

  Alan DeKok.
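
An added illustration, not part of the thread and not FreeRADIUS or pam_radius code: the RFC 2865 User-Password hiding that client and server apply with the shared secret, showing why a decoded password that still reads INCORRECT is consistent with a matching secret, while a mismatched secret decodes to unreadable bytes. The secret, authenticator, sample password and function names are constructed for this example.

```python
import hashlib

# Constructed sample values, not taken from the thread.
SHARED_SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))
# Modelled on the logged "? INCORRECT": unprintable bytes followed by INCORRECT.
SUBSTITUTED_PASSWORD = b"\x08\n\r\x7fINCORRECT"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 hiding, as performed by the RADIUS client."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16; an empty password becomes one block.
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the secret configured for this client."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def triage(decoded):
    """Classify what the server decoded, to decide where to look next."""
    if not decoded:
        return "empty-password"
    if b"INCORRECT" in decoded:
        # Readable marker survived decoding: the secret matches, and the
        # client-side stack replaced the password before pam_radius saw it.
        return "client-substituted"
    if all(32 <= b < 127 for b in decoded):
        return "plausible-password"
    # Unreadable bytes with no marker: the secrets most likely differ.
    return "suspect-shared-secret"


if __name__ == "__main__":
    wire = hide_password(SUBSTITUTED_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    for label, secret in (("matching secret", SHARED_SECRET),
                          ("mismatched secret", b"not-the-secret")):
        decoded = recover_password(wire, secret, REQUEST_AUTHENTICATOR)
        print(label, repr(decoded), "->", triage(decoded))
```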

ssh authentication failed problem use freeradius & pam_radius

2012-05-05 Thread ????
Hi everyone,

I am trying to use pam_radius to authenticate SSH login. My system is CentOS 5.6
64bit.
When I try to authenticate with ssh, it fails. I am sure the shared secret is
correct.

Freeradius got the following logs:

rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password ""
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password.Double-check the shared 
secret on the server and the NAS!
Using Post-Auth-Type Reject

And by the way, is it possible to create an ssh user on the NAS after the first
successful authentication?

Re: [EAP-PEAP] PEAP Authentication failed

2011-05-05 Thread Khalid Staili
Thank you for your help ! I changed my client and it works fine now :)

2011/5/5 Phil Mayers 

> On 05/05/11 12:12, Khalid Staili wrote:
>
>> but in the wpa supplicant configuration file, I mentioned the path of
>> the same CA in the server.
>>
>
> The problem is at the client, so you need to debug the client.
>
> I suggest you run wpa_supplicant in debugging mode and examine the result.

Re: [EAP-PEAP] PEAP Authentication failed

2011-05-05 Thread Phil Mayers

On 05/05/11 12:12, Khalid Staili wrote:

> but in the wpa supplicant configuration file, I mentioned the path of
> the same CA in the server.

The problem is at the client, so you need to debug the client.

I suggest you run wpa_supplicant in debugging mode and examine the result.


Re: [EAP-PEAP] PEAP Authentication failed

2011-05-05 Thread Khalid Staili
but in the wpa supplicant configuration file, I mentioned the path of the
same CA in the server.
Is this logical?

2011/5/4 Alan Buxey 

> hi,
>
> looks like your client is trying to use the wrong CA as
> part of the authentication.
>
> alan

Re: [EAP-PEAP] PEAP Authentication failed

2011-05-04 Thread Alan Buxey
hi,

looks like your client is trying to use the wrong CA as
part of the authentication.

alan


Re: [EAP-PEAP] PEAP Authentication failed

2011-05-04 Thread Khalid Staili
I think the configuration is correct, because I have an Access-Accept when I
use an eapol_test to test my server locally (localhost client). But when I
use wpa_supplicant with the same configuration on another host using Ubuntu
10.10, I have the error I have mentioned.


2011/5/4 Phil Mayers 

> On 05/04/2011 08:27 PM, Khalid Staili wrote:
>
>> I am using freeradius in a wired network. The authentication protocol I'm
>> using is PEAP.
>> I have configured the server like described in many different sites, but
>> I have a problem. This is the debug output I have :
>>
>
> Most "sites on the internet" are wrong. Ignore them.
>
> Follow the instructions on the FreeRADIUS site.
>
>
>
>  [peap] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert read:fatal:decrypt error
>> TLS_accept:failed in SSLv3 read client certificate A
>> rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert decrypt error
>> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>> TLS receive handshake failed during operation
>>
>
> Yikes.
>
> What is the client?
>
> It looks like you've got broken crypto somehow. Are you sure you haven't
> mangled your certificate & key?

Re: [EAP-PEAP] PEAP Authentication failed

2011-05-04 Thread Phil Mayers

On 05/04/2011 08:27 PM, Khalid Staili wrote:

> I am using freeradius in a wired network. The authentication protocol I'm
> using is PEAP.
> I have configured the server like described in many different sites, but
> I have a problem. This is the debug output I have :

Most "sites on the internet" are wrong. Ignore them.

Follow the instructions on the FreeRADIUS site.

> [peap] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert read:fatal:decrypt error
> TLS_accept:failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1
> alert decrypt error
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation

Yikes.

What is the client?

It looks like you've got broken crypto somehow. Are you sure you haven't
mangled your certificate & key?



[EAP-PEAP] PEAP Authentication failed

2011-05-04 Thread Khalid Staili
I am using freeradius in a wired network. The authentication protocol I'm
using is PEAP.
I have configured the server like described in many different sites, but I
have a problem. This is the debug output I have :

rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=192,
length=204
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "kskhaled"
User-Name = "kskhaled"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-1f-fe-02-58-80"
Calling-Station-Id = "00-26-55-b7-7c-bf"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x02ad016b736b68616c6564
Message-Authenticator = 0x74cb8a1036cbc1836786bc29d6d0f75e
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 160 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 192 to 192.168.0.1 port 1024
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "22"
EAP-Message = 0x01a100061920
Message-Authenticator = 0x
State = 0x5a2fd5015a8ecc31b9ba37ff7858d5ab
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=193,
length=314
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "kskhaled"
User-Name = "kskhaled"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-1f-fe-02-58-80"
Calling-Station-Id = "00-26-55-b7-7c-bf"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x5a2fd5015a8ecc31b9ba37ff7858d5ab
EAP-Message =
0x02a100691980005f160301005a015603014dc19e9f979a3af96e33b19d0c62732513034307abf20b2a001cf13bda8125ab2800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff0201040023
Message-Authenticator = 0x27bfd0a5516047d0700ade8abfb74e62
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 161 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0035], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0615], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 193 to 192.168.0.1 port 1024
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "22"
EAP-Message =
0x01a2040019c0076f1603010035023103014dc19e9fcc1c052070b54096a0918e33a7adb2f7d48503cf2305061f12f94cb539010009ff0100012316030106150b00061100060e00025f3082025b308201c4020101300d06092a864886f70d0101040500308194310e300c060355040a1305454e5349423111300f060355040b13084e6574776f726b733129302706092a864886f70d010901161a6672656572616469757340656e73692d626f75726765732e66723110300e06035504071307426f75726765733110300e06035504081307426f7572676573310b3009060355040613024652311330110603550403130a667265
EAP-Message =
0x65726164697573301e170d3131303530323230343135385a170d3132303530313230343135385a3057310b30090603550406130246523110300e06035504081307426f7572676573310e300c060355040a1305454e5349423111300f060355040b13084e6574776f726b73311330110603550403130a6672656572616469757330819f300d06092a864886f70d010101

RE: LDAP authentication failed

2010-10-22 Thread snowman5840

wow. hey now it's working with both OS ;-) . thx for your hint, nt_hack was
missing.


RE: LDAP authentication failed

2010-10-22 Thread Sallee, Stephen (Jake)
2 things:

1) near the bottom of the debug output there is a line that says you
are passing the username as domain\user, and it asks if you have enabled
the with NT domain hack option?  Check your mschap module config to
see if this is enabled, it is commented out by default.   You can check
the complete debug output that includes the server initializing and you
can see it there IF it is enabled.

2) I gave up on PEAP/MSCHAPv2 on linux, EAP/TTLS works great for me with
no other config tweaks after I got the windows clients working!  If
there is not a super important requirement to use the same authorization
on both platforms you could do the same, just an idea.



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of snowman5840
Sent: Friday, October 22, 2010 11:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP authentication failed


ok I found my problem. I have forgotten to add my domain in the
proxy.conf, after I have done this ldap search works fine.

but now I have one more problem with authentication. I want to use
peap with mschap to support both Windows and Linux systems. But
authentication fails. I don't know what I have to configure or where
the problem is. I would be very happy about some hints.

I'm sorry about the very long debug output

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=86,
length=149
NAS-IP-Address = 192.168.0.2
NAS-Port = 50006
NAS-Port-Type = Ethernet
User-Name = "FIRMA1\\usera"
Called-Station-Id = "00-15-F9-D8-7C-C6"
Calling-Station-Id = "00-1A-4B-63-69-0B"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1558e554175bfc9edc831547521be2ad
EAP-Message = 0x020300061900
Message-Authenticator = 0xfb650903c7207e001d0385d8a036
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]  expand: %t -> Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 86 to 192.168.0.2 port 1812
EAP-Message =
0x0104003619000f0b409c6f7dd2e83b8a1ad34c1b43c61b5cfa499e7822f081073040ea
4c9280acd2686fd194f216030100040e00
Message-Authenticator = 0x
State = 0x1558e554165cfc9edc831547521be2ad
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=87,
length=465
NAS-IP-Address = 192.168.0.2
NAS-Port = 50006
NAS-Port-Type = Ethernet
User-Name = "FIRMA1\\usera"
Called-Station-Id = "00-15-F9-D8-7C-C6"
Calling-Station-Id = "00-1A-4B-63-69-0B"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1558e554165cfc9edc831547521be2ad
EAP-Message =
0x0204014019800136160301010611020100626313e9c274f169e9ed94821e91
d59e61578ab381c0e35788422b88b6e12b77d9551a970514289baaaf9c2ec3edb8ae126c
1c5b5f29d7883997fee2eee9f55a635005cb534cf7c708f0a0ec98dbda376e88b67de461
6926d9aa586737b2536998fad9c4648c8ce1e3b704415c4031063fc103bf0ddd1159d8b8
ef2c5c41332aca99428569333c19f8d539b1a01f232cdf9023030176aef9c9bcea758844
7853febc8b340da21d9b5af78d2d8b5b3acc0779e9f8d970f93471273749a0653a7e6611
ee11bfcabb019b34e3f54f5e1b693d89fe471eab29d8027641dfed05bfeeeca249fd3561
371c
EAP-Message =
0xa736d666ebba66d8c0a368d306e0af12f71b43504cad85a61403010001011603010020
4c903a9993c942b403d46902c7564ea7f66787ca59a02e46fc08946a84aa509d
Message-Authenticator = 0x67bf63ab1ed1abebb8161ae463114461
+- entering group authorize {...}
++[preprocess] re

Re: LDAP authentication failed

2010-10-22 Thread snowman5840
   NAS-Port = 50006
NAS-Port-Type = Ethernet
User-Name = "FIRMA1\\usera"
Called-Station-Id = "00-15-F9-D8-7C-C6"
Calling-Station-Id = "00-1A-4B-63-69-0B"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1558e5541250fc9edc831547521be2ad
EAP-Message =
0x020800261900170301001bd0e5d1e8905737296a8cc3e900996439f0cf0a79a1254ecc7514a1
Message-Authenticator = 0xac386bf0ee6044841d403e1ac7a8dea3
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]  expand: %t -> Fri Oct 22 18:32:41 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [usera/] (from client TESTSW01 port
50006 cli 00-1A-4B-63-69-0B)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> FIRMA1\usera
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 14 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 14
Sending Access-Reject of id 91 to 192.168.0.2 port 1812
EAP-Message = 0x04080004
Message-Authenticator = 0x






Re: LDAP authentication failed

2010-10-19 Thread snowman5840

Hi thx for this hint.

I have activated the realm ntdomain module but ldap search doesn't work?? Maybe
my used filter is wrong?


Debug:
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] No such realm "FIRMA1"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for FIRMA1\usera
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> FIRMA1\5cusera
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=FIRMA1\5cusera)
[ldap]  expand: dc=firma1,dc=de -> dc=firma1,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=firma1,dc=de, with filter
(uid=FIRMA1\5cusera)
  [ldap] object not found
[ldap] search failed


realm:
#
#  'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}
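
The lookup traced in the debug output above, as an added example that is not part of the original posts and not FreeRADIUS code: a simplified model of the prefix realm split, the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback, and RFC 4515 filter escaping, which is where the `\5c` in the logged filter comes from. The function names and the exact-match realm lookup are assumptions made for this example.

```python
# Characters that RFC 4515 requires to be escaped inside a filter value.
_LDAP_SPECIAL = "\\*()\x00"


def split_ntdomain(user_name, known_realms, delimiter="\\"):
    """Model of a 'prefix' realm (DOMAIN\\user).

    Returns (realm, stripped_user). Returns (None, None) when there is no
    delimiter or the realm is not configured, which corresponds to the
    'No such realm' / 'returns noop' lines in the debug output.
    """
    realm, sep, rest = user_name.partition(delimiter)
    if not sep or not realm or not rest:
        return None, None
    if realm not in known_realms:
        return None, None
    return realm, rest


def ldap_escape(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _LDAP_SPECIAL else ch for ch in value
    )


def build_filter(user_name, known_realms):
    """Mirror filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"."""
    _realm, stripped = split_ntdomain(user_name, known_realms)
    # Fallback: use User-Name when Stripped-User-Name was never set.
    chosen = stripped if stripped else user_name
    return "(uid=%s)" % ldap_escape(chosen)


if __name__ == "__main__":
    # One backslash in the actual value, as the single \5c in the log shows.
    name = "FIRMA1\\usera"
    print("realm not configured:", build_filter(name, set()))
    print("realm configured:    ", build_filter(name, {"FIRMA1"}))
    # Escaping also keeps filter metacharacters in a user name inert.
    print("metacharacters:      ", build_filter("a*(b)", set()))
```

With the realm unknown the filter searches for a uid that contains the domain prefix and finds nothing; once the realm is configured the stripped name is used.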


Re: LDAP authentication failed

2010-10-18 Thread Alan Buxey
hi,

you need to use the ntdomain module and ensure that the \\ method is enabled.
(check the realm module section)

this will then populate stripped-user-name with just the username
and not also have the hostname or domain name lurking around.

alan


LDAP authentication failed

2010-10-18 Thread snowman5840

Hi

I have some problems with LDAP authentication. If I log in on my Windows XP
SP3 client I want to check the login credentials against my LDAP service.
But the XP client uses double slashes in the username!! I think this will be
the problem!? If I test with radtest it works. What can I do to log in
successfully?


Debug log:
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=62,
length=240
NAS-IP-Address = 192.168.0.2
NAS-Port = 50009
NAS-Port-Type = Ethernet
User-Name = "FIRMA1\\usera"
Called-Station-Id = "00-15-F9-D8-7C-C9"
Calling-Station-Id = "00-1A-4B-63-69-0B"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xc5fe953bc3f98c0b9575e677705364e2
EAP-Message =
0x0207006119001703010056b327be51594f6985d1854f17199fefe7151d57481c244787051f7067a50a0056a15e0a831a3aa3661a61aeed66e3c7dc85cd3315301bfd825c786fd60e0110f5124e76e2d543c9a6fd99371be7f1a9637b8ce527669f
Message-Authenticator = 0xad6e1b5107c7af4b9a5ba3e648d65859
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "FIRMA1\usera", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 74
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for FIRMA1\usera
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> FIRMA1\5cusera
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
(uid=FIRMA1\5cusera)
[ldap]  expand: dc=firma1,dc=de -> dc=firma1,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=firma1,dc=de, with filter
(uid=FIRMA1\5cusera)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound


Configuration part of LDAP module:

ldap {
server = "192.168.0.5"
identity = "cn=admin,dc=firma1,dc=de"
password = ""
basedn = "dc=firma1,dc=de"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
 ..
}


Re: Authentication Failed

2010-01-20 Thread Devinder Singh
Hi

I had just checked my Proxim AP 700 and it seems to report that

Radius Server not responding but I have already configured the Radius Server
Profiles and IP address in the AP

What should I do

Devinder

2010/1/20 Devinder Singh 

> Hi Ivan,
>
> I created the certificates based on the README file in etc/raddb and copied
> ca.der and client.p12 to Windows XP
>
> I also made changes to the Makefile which runs on XP but when I
> connect to the SSID I get authentication failed and the radius does not seem
> to get any response from the Proxim AP.
>
>
>
> --
> Devinder
>



-- 
Devinder

Re: Authentication Failed

2010-01-20 Thread Devinder Singh
Hello

I have followed the procedures to create EAP certificates in etc/raddb/certs
but when I copy the ca.der and client.P12 my Windows XP cannot seem to
authenticate to the Radius Server.

I can see a small balloon appearing on XP stating failed to authenticate on
palstaff.


My Proxim AP reports Radius Server Error but I have already set the Radius
Server IP address in the Proxim AP.

I have also updated my make file as below to allow XP clients to
authenticate



##
#
#  Create a new client certificate, signed by the above server
#  certificate.
#
##
client.csr client.key: client.cnf
	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem



$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

and redo the certificates.


Please need help on this



Regards

Devinder



Re: Authentication Failed

2010-01-20 Thread Devinder Singh
After I had restarted my XP

I get to see Windows was unable to log you on to palstaff.


palstaff is my SSID


Devinder


Re: Authentication Failed

2010-01-20 Thread Devinder Singh
When I click on my SSID I get authentication failed. The Proxim AP reports
Radius not connected and I don't get to see any reply on Radius Server


2010/1/20 Devinder Singh 

> ##
> #
> #  Create a new client certificate, signed by the above server
> #  certificate.
> #
> ##
> client.csr client.key: client.cnf
> 	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
>
> client.crt: client.csr ca.pem ca.key index.txt serial
> 	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
>
> client.p12: client.crt
> 	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
>
> client.pem: client.p12
> 	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
> 	cp client.pem $(USER_NAME).pem
>
> .PHONY: server.vrfy
> client.vrfy: ca.pem client.pem
> 	c_rehash .
> 	openssl verify -CApath . client.pem
>
>
>
> 2010/1/20 Devinder Singh 
>
>> Hi Ivan,
>>
>> I can't seem to authenticate my Windows XP client using EAP authentication.
>> I have followed the steps in /etc/raddb/certs
>>
>> This is my radius start up
>> Module: Instantiating
>> eap-tls
>>tls
>> {
>>
>> rsa_key_exchange =
>> no
>> dh_key_exchange =
>> yes
>> rsa_key_length =
>> 512
>> dh_key_length =
>> 512
>> verify_depth =
>> 0
>> pem_file_type =
>> yes
>> private_key_file =
>> "/etc/raddb/certs/server.pem"
>> certificate_file =
>> "/etc/raddb/certs/server.pem"
>> CA_file =
>> "/etc/raddb/certs/ca.pem"
>> private_key_password =
>> "myettelap"
>> dh_file =
>> "/etc/raddb/certs/dh"
>> random_file =
>> "/etc/raddb/certs/random"
>> fragment_size =
>> 1024
>> include_length =
>> yes
>> check_crl =
>> no
>> cipher_list =
>> "DEFAULT"
>> make_cert_command =
>> "/etc/raddb/certs/bootstrap"
>> cache
>> {
>>
>> enable =
>> no
>> lifetime =
>> 24
>> max_entries =
>> 255
>>
>> }
>>
>>
>> }
>>
>>  Module: Linked to sub-module
>> rlm_eap_ttls
>>  Module: Instantiating
>> eap-ttls
>>ttls
>> {
>>
>> default_eap_type =
>> "md5"
>> copy_request_to_tunnel =
>> no
>> use_tunneled_reply =
>> no
>> virtual_server =
>> "inner-tunnel"
>>
>> }
>>
>>  Module: Linked to sub-module
>> rlm_eap_peap
>>  Module: Instantiating
>> eap-peap
>>peap
>> {
>>
>> default_eap_type =
>> "mschapv2"
>> copy_request_to_tunnel =
>> no
>> use_tunneled_reply =
>> no
>> proxy_tunneled_request_as_eap =
>> yes
>> virtual_server =
>> "inner-tunnel"
>>
>> }
>>
>>  Module: Linked to sub-module
>> rlm_eap_mschapv2
>>  Module: Instantiating
>> eap-mschapv2
>>mschapv2
>> {
>>
>> with_ntdomain_hack =
>> no
>>
>> }
>>
>>  Module: Checking authorize {...} for more modules to
>> load
>>  Module: Linked to module
>> rlm_realm
>>  Module: Instantiating
>> suffix
>>   realm suffix
>> {
>> format =
>> "suffix"
>> delimiter =
>> "@"
>> ignore_default =
>> no
>> ignore_null =
>> no
>>
>> }
>>
>>  Module: Linked to module
>> rlm_files
>>  Module: Instantiating
>> files
>>   files
>> {
>>
>> usersfile =
>> "/etc/raddb/users"
>> acctusersfile =
>> "/etc/raddb/acct_users"
>> preproxy_usersfile =
>> "/etc/raddb/preproxy_users"
>> compat =
>> "no"
>>
>> }
>>
>>  Module: Checkin

Re: Authentication Failed

2010-01-20 Thread Devinder Singh
##
#
#  Create a new client certificate, signed by the above server
#  certificate.
#
##
client.csr client.key: client.cnf
	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem


2010/1/20 Devinder Singh 

> Hi Ivan,
>
> I can't seem to authenticate my Windows XP client using EAP authentication.
> I have followed the steps in /etc/raddb/certs
>
> This is my radius start up
> Module: Instantiating
> eap-tls
>tls
> {
>
> rsa_key_exchange =
> no
> dh_key_exchange =
> yes
> rsa_key_length =
> 512
> dh_key_length =
> 512
> verify_depth =
> 0
> pem_file_type =
> yes
> private_key_file =
> "/etc/raddb/certs/server.pem"
> certificate_file =
> "/etc/raddb/certs/server.pem"
> CA_file =
> "/etc/raddb/certs/ca.pem"
> private_key_password =
> "myettelap"
> dh_file =
> "/etc/raddb/certs/dh"
> random_file =
> "/etc/raddb/certs/random"
> fragment_size =
> 1024
> include_length =
> yes
> check_crl =
> no
> cipher_list =
> "DEFAULT"
> make_cert_command =
> "/etc/raddb/certs/bootstrap"
> cache
> {
>
> enable =
> no
> lifetime =
> 24
> max_entries =
> 255
>
> }
>
>
> }
>
>  Module: Linked to sub-module
> rlm_eap_ttls
>  Module: Instantiating
> eap-ttls
>ttls
> {
>
> default_eap_type =
> "md5"
> copy_request_to_tunnel =
> no
> use_tunneled_reply =
> no
> virtual_server =
> "inner-tunnel"
>
> }
>
>  Module: Linked to sub-module
> rlm_eap_peap
>  Module: Instantiating
> eap-peap
>peap
> {
>
> default_eap_type =
> "mschapv2"
> copy_request_to_tunnel =
> no
> use_tunneled_reply =
> no
> proxy_tunneled_request_as_eap =
> yes
> virtual_server =
> "inner-tunnel"
>
> }
>
>  Module: Linked to sub-module
> rlm_eap_mschapv2
>  Module: Instantiating
> eap-mschapv2
>mschapv2
> {
>
> with_ntdomain_hack =
> no
>
> }
>
>  Module: Checking authorize {...} for more modules to
> load
>  Module: Linked to module
> rlm_realm
>  Module: Instantiating
> suffix
>   realm suffix
> {
> format =
> "suffix"
> delimiter =
> "@"
> ignore_default =
> no
> ignore_null =
> no
>
> }
>
>  Module: Linked to module
> rlm_files
>  Module: Instantiating
> files
>   files
> {
>
> usersfile =
> "/etc/raddb/users"
> acctusersfile =
> "/etc/raddb/acct_users"
> preproxy_usersfile =
> "/etc/raddb/preproxy_users"
> compat =
> "no"
>
> }
>
>  Module: Checking session {...} for more modules to
> load
>  Module: Linked to module
> rlm_radutmp
>  Module: Instantiating
> radutmp
>   radutmp
> {
>
> filename =
> "/var/log/radius/radutmp"
> username =
> "%{User-Name}"
> case_sensitive =
> yes
> check_with_nas =
> yes
> perm =
> 384
> callerid =
> yes
>
> }
>
>  Module: Checking post-proxy {...} for more modules to
> load
>  Module: Checking post-auth {...} for more modules to
> load
>  Module: Linked to module
> rlm_attr_filter
>  Module: Instantiating
> attr_filter.access_reject
>   attr_filter attr_filter.access_reject
> {
> attrsfile =
> "/etc/raddb/attrs.access_reject"
> key =
> "%{User-Name}"
>
> }
>
>  }
>
> }
>
>  modules
> {
>
>  Module: Checking authenticate {...} for more modules to
> load
>  Module: Checking authorize {...} for more modules to
> load
>  Module: Linked to module
> rlm_preprocess
>  Module: Instantiating
> preprocess
>   preprocess
> {
>
> huntgroups =
> "/etc/raddb/huntgroups"
> hints =
> "/etc/raddb/hints"
> with_ascend_hack =
> no
> ascend_channels_per_line =
> 23
> with_ntdomain_hack =
> no
> with_specialix_jetstream_hack =
> no
> with_cisco_vsa_hack =
> no
> with_alvarion_vsa_hack =
> no
>
> }
>
>  Module: Checking preacct {...} for more modules to
> load
>  Module: Linked to module
> rlm_acct_unique
>  Module: Instantiating acct_unique
>   acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
>   }
>  Mod

Re: Authentication Failed

2010-01-19 Thread Devinder Singh
Hi Ivan,

I can't seem to authenticate my Windows XP client using EAP authentication. I
have followed the steps in /etc/raddb/certs

This is my radius start up
Module: Instantiating
eap-tls
   tls
{

rsa_key_exchange =
no
dh_key_exchange =
yes
rsa_key_length =
512
dh_key_length =
512
verify_depth =
0
pem_file_type =
yes
private_key_file =
"/etc/raddb/certs/server.pem"
certificate_file =
"/etc/raddb/certs/server.pem"
CA_file =
"/etc/raddb/certs/ca.pem"
private_key_password =
"myettelap"
dh_file =
"/etc/raddb/certs/dh"
random_file =
"/etc/raddb/certs/random"
fragment_size =
1024
include_length =
yes
check_crl =
no
cipher_list =
"DEFAULT"
make_cert_command =
"/etc/raddb/certs/bootstrap"
cache
{

enable =
no
lifetime =
24
max_entries =
255

}


}

 Module: Linked to sub-module
rlm_eap_ttls
 Module: Instantiating
eap-ttls
   ttls
{

default_eap_type =
"md5"
copy_request_to_tunnel =
no
use_tunneled_reply =
no
virtual_server =
"inner-tunnel"

}

 Module: Linked to sub-module
rlm_eap_peap
 Module: Instantiating
eap-peap
   peap
{

default_eap_type =
"mschapv2"
copy_request_to_tunnel =
no
use_tunneled_reply =
no
proxy_tunneled_request_as_eap =
yes
virtual_server =
"inner-tunnel"

}

 Module: Linked to sub-module
rlm_eap_mschapv2
 Module: Instantiating
eap-mschapv2
   mschapv2
{

with_ntdomain_hack =
no

}

 Module: Checking authorize {...} for more modules to
load
 Module: Linked to module
rlm_realm
 Module: Instantiating
suffix
  realm suffix
{
format =
"suffix"
delimiter =
"@"
ignore_default =
no
ignore_null =
no

}

 Module: Linked to module
rlm_files
 Module: Instantiating
files
  files
{

usersfile =
"/etc/raddb/users"
acctusersfile =
"/etc/raddb/acct_users"
preproxy_usersfile =
"/etc/raddb/preproxy_users"
compat =
"no"

}

 Module: Checking session {...} for more modules to
load
 Module: Linked to module
rlm_radutmp
 Module: Instantiating
radutmp
  radutmp
{

filename =
"/var/log/radius/radutmp"
username =
"%{User-Name}"
case_sensitive =
yes
check_with_nas =
yes
perm =
384
callerid =
yes

}

 Module: Checking post-proxy {...} for more modules to
load
 Module: Checking post-auth {...} for more modules to
load
 Module: Linked to module
rlm_attr_filter
 Module: Instantiating
attr_filter.access_reject
  attr_filter attr_filter.access_reject
{
attrsfile =
"/etc/raddb/attrs.access_reject"
key =
"%{User-Name}"

}

 }

}

 modules
{

 Module: Checking authenticate {...} for more modules to
load
 Module: Checking authorize {...} for more modules to
load
 Module: Linked to module
rlm_preprocess
 Module: Instantiating
preprocess
  preprocess
{

huntgroups =
"/etc/raddb/huntgroups"
hints =
"/etc/raddb/hints"
with_ascend_hack =
no
ascend_channels_per_line =
23
with_ntdomain_hack =
no
with_specialix_jetstream_hack =
no
with_cisco_vsa_hack =
no
with_alvarion_vsa_hack =
no

}

 Module: Checking preacct {...} for more modules to
load
 Module: Linked to module
rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.


2010/1/20 Devinder Singh 

> Hi Ivan,
>
> I created the certificates based on the README file in etc/raddb and copied
> ca.der and client.p12 to Windows XP
>
> I also made changes to the Makefile which runs on XP but when I
> connect to the SSID I get authentication failed and the radius does not seem
> to get any response from the Proxim AP.
>
>
>
> --
> Devinder
>



-- 
Devinder
-
List info/subscribe/unsubscribe? See http:/

Authentication Failed

2010-01-19 Thread Devinder Singh
Hi Ivan,

I created the certificates based on the README file in etc/raddb and copied
ca.der and client.p12 to Windows XP

I also made changes to the Makefile which runs on XP but when I connect
to the SSID I get authentication failed and the radius does not seem to get
any response from the Proxim AP.



-- 
Devinder
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authentication failed because sqlcounter...

2009-05-13 Thread Nizar Zulmi
The problem is solved; it was just because 30 seconds is less than one minute. I've tried
using Max-All-Session:=3600 and it works.


--- On Sat, 5/9/09, Nizar Zulmi  wrote:

From: Nizar Zulmi 
Subject: Re: authentication failed because sqlcounter...
To: t...@kalik.net, "FreeRadius users mailing list" 

Date: Saturday, May 9, 2009, 2:03 PM

I am using freeradius 1.1.7, not that old, right? I've tried using the := operator
and cleartext-password but it still doesn't work. Below is my radcheck
table:
+----+----------+--------------------+----+--------+
| id | UserName | Attribute          | op | Value  |
+----+----------+--------------------+----+--------+
|  1 | nizar    | Password           | == | nizar  |
|  2 | nizar1   | Password           | == | nizar1 |
|  6 | tes      | Max-All-Session    | == | 90     |
|  4 | tes      | Password           | == | tes    |
|  7 | denizaro | Cleartext-Password | := | 123456 |
|  8 | denizaro | Max-All-Session    | := | 30     |
+----+----------+--------------------+----+--------+
6 rows in set (0.00 sec)

I tried to log in with user denizaro the first time, before I added the attribute
max-all-session, and it logged in successfully, but after I added the max-all-session
attribute it failed.
What's happening?

--- On Sat, 5/9/09, Ivan Kalik  wrote:

From: Ivan Kalik 
Subject: Re: authentication failed because sqlcounter...
To: "FreeRadius users mailing list" 
Date: Saturday, May 9, 2009, 2:51 AM

> Mm, confusing. I just enabled the sqlcounter in radiusd.conf. I left it
> as default, with no change made in the noresetcounter module. Then I added
> noresetcounter in the authorize and instantiate sections.
> I have defined one user named tes with password tes, which logged in normally
> before I added the attribute max-all-session in the table radcheck, like
> this:
> +----+----------+-----------------+----+--------+
> | id | UserName | Attribute       | op | Value  |
> +----+----------+-----------------+----+--------+
> |  1 | nizar    | Password        | == | nizar  |
> |  2 | nizar1   | Password        | == | nizar1 |
> |  6 | tes      | Max-All-Session | == | 90     |
> |  4 | tes      | Password        | == | tes    |
> +----+----------+-----------------+----+--------+
> After I added the attribute max-all-session the user tes cannot log in
> anymore. I ran freeradius in debug mode and the following is the
> result.

:= not ==. And that password attribute Password has been deprecated for many
years. How old is your freeradius version?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


  

Re: authentication failed because sqlcounter...

2009-05-09 Thread Nizar Zulmi
I am using freeradius 1.1.7, not that old, right? I've tried using the := operator
and cleartext-password but it still doesn't work. Below is my radcheck
table:
+----+----------+--------------------+----+--------+
| id | UserName | Attribute          | op | Value  |
+----+----------+--------------------+----+--------+
|  1 | nizar    | Password           | == | nizar  |
|  2 | nizar1   | Password           | == | nizar1 |
|  6 | tes      | Max-All-Session    | == | 90     |
|  4 | tes      | Password           | == | tes    |
|  7 | denizaro | Cleartext-Password | := | 123456 |
|  8 | denizaro | Max-All-Session    | := | 30     |
+----+----------+--------------------+----+--------+
6 rows in set (0.00 sec)

I tried to log in with user denizaro the first time, before I added the attribute
max-all-session, and it logged in successfully, but after I added the max-all-session
attribute it failed.
What's happening?

--- On Sat, 5/9/09, Ivan Kalik  wrote:

From: Ivan Kalik 
Subject: Re: authentication failed because sqlcounter...
To: "FreeRadius users mailing list" 
Date: Saturday, May 9, 2009, 2:51 AM

> Mm, confusing. I just enabled the sqlcounter in radiusd.conf. I left it
> as default, with no change made in the noresetcounter module. Then I added
> noresetcounter in the authorize and instantiate sections.
> I have defined one user named tes with password tes, which logged in normally
> before I added the attribute max-all-session in the table radcheck, like
> this:
> +----+----------+-----------------+----+--------+
> | id | UserName | Attribute       | op | Value  |
> +----+----------+-----------------+----+--------+
> |  1 | nizar    | Password        | == | nizar  |
> |  2 | nizar1   | Password        | == | nizar1 |
> |  6 | tes      | Max-All-Session | == | 90     |
> |  4 | tes      | Password        | == | tes    |
> +----+----------+-----------------+----+--------+
> After I added the attribute max-all-session the user tes cannot log in
> anymore. I ran freeradius in debug mode and the following is the
> result.

:= not ==. And that password attribute Password has been deprecated for many
years. How old is your freeradius version?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authentication failed because sqlcounter...

2009-05-08 Thread Ivan Kalik
> Mm, confusing. I just enabled the sqlcounter in radiusd.conf. I left it
> as default, with no change made in the noresetcounter module. Then I added
> noresetcounter in the authorize and instantiate sections.
> I have defined one user named tes with password tes, which logged in normally
> before I added the attribute max-all-session in the table radcheck, like
> this:
> +----+----------+-----------------+----+--------+
> | id | UserName | Attribute       | op | Value  |
> +----+----------+-----------------+----+--------+
> |  1 | nizar    | Password        | == | nizar  |
> |  2 | nizar1   | Password        | == | nizar1 |
> |  6 | tes      | Max-All-Session | == | 90     |
> |  4 | tes      | Password        | == | tes    |
> +----+----------+-----------------+----+--------+
> After I added the attribute max-all-session the user tes cannot log in
> anymore. I ran freeradius in debug mode and the following is the
> result.

:= not ==. And that password attribute Password has been deprecated for many
years. How old is your freeradius version?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
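
The two points in the reply above (":= not ==" and the deprecated Password attribute), applied as a lint over the radcheck output pasted in this thread. This is an added example, not code from the posters or from FreeRADIUS; the function names, finding codes and the 60-second floor (taken from the 2009-05-13 follow-up in this thread) are assumptions of the example.

```python
"""Lint pasted `SELECT * FROM radcheck` output for the issues raised in this thread."""

# Constructed sample: the rows posted in the thread, laid out as mysql prints them.
SAMPLE_TABLE = """
+----+----------+--------------------+----+--------+
| id | UserName | Attribute          | op | Value  |
+----+----------+--------------------+----+--------+
|  1 | nizar    | Password           | == | nizar  |
|  2 | nizar1   | Password           | == | nizar1 |
|  6 | tes      | Max-All-Session    | == | 90     |
|  4 | tes      | Password           | == | tes    |
|  7 | denizaro | Cleartext-Password | := | 123456 |
|  8 | denizaro | Max-All-Session    | := | 30     |
+----+----------+--------------------+----+--------+
"""

# Check items that, per the reply, must be written with ':=' rather than '=='.
ASSIGN_ATTRS = {"Password", "Cleartext-Password", "Max-All-Session"}
# Attribute the reply calls deprecated, mapped to the one the poster switched to.
DEPRECATED = {"Password": "Cleartext-Password"}


def parse_table(text):
    """Turn mysql's boxed output into a list of dicts keyed by the header row."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.lstrip("> \t")        # tolerate e-mail quote markers
        if not line.startswith("|"):      # border lines, prose, "6 rows in set"
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def audit(rows, min_session_seconds=60):
    """Return (row id, code, message) findings for each suspicious row.

    min_session_seconds is an assumption of this example: the follow-up post
    reports that a 30-second limit failed and 3600 worked. It is not a
    FreeRADIUS rule.
    """
    findings = []
    for row in rows:
        rid, attr, op, value = int(row["id"]), row["Attribute"], row["op"], row["Value"]
        if attr in ASSIGN_ATTRS and op != ":=":
            findings.append((rid, "OP", f"{attr} uses '{op}', the reply says ':='"))
        if attr in DEPRECATED:
            findings.append((rid, "DEPRECATED", f"{attr} is deprecated, use {DEPRECATED[attr]}"))
        if attr == "Max-All-Session" and value.isdigit() and int(value) < min_session_seconds:
            findings.append((rid, "SHORT-LIMIT", f"{value}s is below {min_session_seconds}s"))
    return findings


def fix_sql(rows):
    """Build UPDATE statements for the operator and attribute-name findings.

    Session limits are left alone: the right value is the operator's decision.
    """
    statements = []
    for row in rows:
        changes = []
        if row["Attribute"] in DEPRECATED:
            changes.append(f"Attribute = '{DEPRECATED[row['Attribute']]}'")
        if row["Attribute"] in ASSIGN_ATTRS and row["op"] != ":=":
            changes.append("op = ':='")
        if changes:
            # id is forced through int() so pasted text cannot end up in the SQL.
            statements.append(
                f"UPDATE radcheck SET {', '.join(changes)} WHERE id = {int(row['id'])};"
            )
    return statements


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_TABLE)
    for rid, code, message in audit(parsed):
        print(f"id {rid}: [{code}] {message}")
    print("\n".join(fix_sql(parsed)))
```
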

authentication failed because sqlcounter...

2009-05-08 Thread Nizar Zulmi
Mm, confusing. I just enabled the sqlcounter in radiusd.conf. I left it as
default, with no change made in the noresetcounter module. Then I added noresetcounter
in the authorize and instantiate sections.
I have defined one user named tes with password tes, which logged in normally before I
added the attribute max-all-session in the table radcheck, like this:
+----+----------+-----------------+----+--------+
| id | UserName | Attribute       | op | Value  |
+----+----------+-----------------+----+--------+
|  1 | nizar    | Password        | == | nizar  |
|  2 | nizar1   | Password        | == | nizar1 |
|  6 | tes      | Max-All-Session | == | 90     |
|  4 | tes      | Password        | == | tes    |
+----+----------+-----------------+----+--------+
After I added the attribute max-all-session the user tes cannot log in anymore.
I ran freeradius in debug mode and the following is the result.
Somebody help me please...
freeradius debug result===
rad_recv: Access-Request packet from host 192.168.0.1:56614, id=0, length=194
    User-Name = "tes"
    User-Password = "tes"
    NAS-IP-Address = 0.0.0.0
    Service-Type = Login-User
    Framed-IP-Address = 192.168.182.3
    Calling-Station-Id = "00-1E-68-23-E9-C8"
    Called-Station-Id = "00-00-E2-78-FF-39"
    NAS-Identifier = "nas01"
    Acct-Session-Id = "4a048168"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 0
    Message-Authenticator = 0x1c3a148590ef0762aed6069cc9ac0715
    WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "tes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 3
radius_xlat:  'tes'
rlm_sql (sql): sql_set_user escaped user --> 'tes'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'tes'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tes' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'tes'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'tes' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): No matching entry in the database for request from user [tes]
  modcall[authorize]: module "sql" returns notfound for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "noresetcounter" returns noop for request 3
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns ok) for request 3
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:56614, id=0, length=194
Sending Access-Reject of id 0 to 192.168.0.1 port 56614
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 0 with timestamp 4a048180
Nothing to do.  Sleeping until we see a request.




  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication failed from Radius server

2009-01-06 Thread Alan DeKok
Aravind Arjunan wrote:
...

  You already asked this question, and it was already answered.

  If you are not going to read the replies to your questions, then you
shouldn't be asking questions.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Authentication failed from Radius server

2009-01-06 Thread Aravind Arjunan
hi


Radius (freeradius) server has been configured and integrated with Openldap
server for user authentication in RHEL 5.
Using radtest, NTRadPing and Radiustest (Utility) it is working fine.  I got
Access-Accept by using this utility.

When I try from an end user through a wireless access point I may not be able
to authenticate. The wireless access point is configured with WPA for security.

From the radius debug level log and slapd log I am able to see that it is
able to fetch the username and it was successful, but in the case of
userPassword, authentication was failing.

How to send the User-Password in clear text format?
Is there any way to decrypt the userpassword in the RADIUS server which was
coming from the access point?

here is the radius debug level log




rad_recv: Access-Request packet from host 192.168.1.100:1645, id=45,
length=130

   * User-Name = "sivaji"*

Framed-MTU = 1400

Called-Station-Id = "0023.045c.3f20"

Calling-Station-Id = "001f.3c78.503a"

Service-Type = Login-User

Message-Authenticator = 0xd56b1bff210c624ccf5b1d5c56285f10

EAP-Message = 0x0202000b01736976616a69

NAS-Port-Type = Wireless-802.11

NAS-Port = 542

NAS-Port-Id = "542"

NAS-IP-Address = 192.168.1.100

NAS-Identifier = "ap"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 0

  modcall[authorize]: module "preprocess" returns ok for request 0

*rlm_realm: No '@' in User-Name = "sivaji", looking up realm NULL*

*rlm_realm: No such realm "NULL"*

  modcall[authorize]: module "suffix" returns noop for request 0

  rlm_eap: EAP packet type response id 2 length 11

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 0

users: Matched entry DEFAULT at line 157

 * modcall[authorize]: module "files" returns ok for request 0*

rlm_ldap: - authorize

rlm_ldap: performing user authorization for sivaji

*radius_xlat:  '(uid=sivaji)'*

*radius_xlat:  'dc=rgipt,dc=in'*

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: attempting LDAP reconnection

rlm_ldap: (re)connect to localhost:389, authentication 0

*rlm_ldap: bind as / to localhost:389*

*rlm_ldap: waiting for bind result ...*

*rlm_ldap: Bind was successful*

*rlm_ldap: performing search in dc=rgipt,dc=in, with filter (uid=sivaji)*

rlm_ldap: looking for check items in directory...

rlm_ldap: looking for reply items in directory...

*rlm_ldap: user sivaji authorized to use remote access*

rlm_ldap: ldap_release_conn: Release Id: 0

  modcall[authorize]: module "ldap" returns ok for request 0

modcall: leaving group authorize (returns updated) for request 0

  rad_check_password:  Found Auth-Type LDAP

auth: type "LDAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group LDAP for request 0



*rlm_ldap: - authenticate*

*rlm_ldap: Attribute "User-Password" is required for authentication.*

* *

*  modcall[authenticate]: module "ldap" returns invalid for request 0*

*modcall: leaving group LDAP (returns invalid) for request 0*

*auth: Failed to validate the user.*

*Login incorrect: [sivaji] (from client AP port 542 cli 001f.3c78.503a)*

*Delaying request 0 for 1 seconds*

*Finished request 0*

Going to the next request

--- Walking the entire request list ---

Waking up in 1 seconds...

--- Walking the entire request list ---

Waking up in 1 seconds...

--- Walking the entire request list ---

Sending Access-Reject of id 45 to 192.168.1.100 port 1645

Waking up in 4 seconds...

--- Walking the entire request list ---

Cleaning up request 0 ID 45 with timestamp 4960b0d2

Nothing to do.  Sleeping until we see a request.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentication failed from Radius server

2009-01-05 Thread Alan DeKok
Aravind Arjunan wrote:
> Radius(freeradius)  server has configured and integrated with Openldap
> server  for user authentication in RHEL 5.
> Using radtest, NTRadPing and Radiustest (Utility) it is working fine.  I
> got Access-Accept by using this utility.

  Yes.  Because they're not doing EAP.  They're doing clear-text passwords.

> From the radius debug level log and slapd log i can able to see that it
> can able to fetch  username and it was successful but in the case of
> userPassword authentication was getting failed.

  You want to fetch the *password* from LDAP.  Repeat after me: LDAP is
a database.  LDAP is not an authentication server.

> How to send the User-Password in clear text format.?

  You don't.  Wireless access points don't work that way.

> Is there any way to decrypt the userpassword in RADIUS server which was
> coming from access point.?

  No.

> here is the radius debug level log
...
>   Processing the authorize section of radiusd.conf

  You are running a very old version of the server.  You should really
upgrade.

> users: Matched entry DEFAULT at line 157

  Which sets Auth-Type := LDAP.  This breaks EAP.

> *rlm_ldap: - authenticate* 
> *rlm_ldap: Attribute "User-Password" is required for authentication.*

  Your LDAP database doesn't do EAP.  This is because it's a database.


  (1) Do NOT set Auth-Type := LDAP
  (2) Test it with clear-text passwords.  If that works,
  (3) EAP will work, too.

  And you should upgrade to 2.1.3.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
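
Added example, not part of the original thread and not FreeRADIUS code: a small Python check for the failure diagnosed in the reply above. It decodes the EAP-Message value from the debug output and flags a request that carries EAP while a users-file entry has forced Auth-Type to something else; the function names and the trimmed log excerpt are constructed for illustration.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of the IANA EAP method type numbers.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap(hex_value):
    """Decode one EAP packet as printed in an EAP-Message attribute (0x...)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, 2-byte length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    # A single attribute must hold the whole packet here; fragmented or
    # damaged values are rejected rather than guessed at.
    if length != len(raw):
        raise ValueError(f"declared length {length} != {len(raw)} bytes present")
    packet = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a type
        packet["type"] = EAP_TYPES.get(raw[4], str(raw[4]))
        if raw[4] == 1:                    # Identity: the rest is the user name
            packet["identity"] = raw[5:].decode("utf-8", "replace")
    return packet


ATTR_RE = re.compile(r'^([A-Za-z][\w-]*) = (.*)$')
AUTH_TYPE_RE = re.compile(r'Found Auth-Type\s*=?\s*(\S+)')


def diagnose(debug_log):
    """Summarise one request from radiusd debug output and list findings."""
    attrs, auth_type = {}, None
    for line in debug_log.splitlines():
        line = line.strip(" \t*")          # indentation and '*' emphasis marks
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), m.group(2).strip('"'))
        m = AUTH_TYPE_RE.search(line)
        if m:
            auth_type = m.group(1)
    eap = decode_eap(attrs["EAP-Message"]) if "EAP-Message" in attrs else None
    findings = []
    if eap and auth_type and auth_type.upper() != "EAP":
        findings.append(
            f"EAP request but Auth-Type is forced to {auth_type}: that module "
            "expects User-Password, which an EAP request does not carry")
    return {"eap": eap, "auth_type": auth_type,
            "has_user_password": "User-Password" in attrs,
            "findings": findings}


# Constructed excerpt: lines trimmed from the debug output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.100:1645, id=45, length=130
   * User-Name = "sivaji"*
Framed-MTU = 1400
EAP-Message = 0x0202000b01736976616a69
NAS-Port-Type = Wireless-802.11
users: Matched entry DEFAULT at line 157
  rad_check_password:  Found Auth-Type LDAP
*rlm_ldap: Attribute "User-Password" is required for authentication.*
"""

if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report["eap"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

The same decoder reads the Access-Challenge further down the page as an MD5-Challenge request, and it rejects hex values whose declared length does not match the bytes present.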


Authentication failed from Radius server

2009-01-05 Thread Aravind Arjunan
Radius (freeradius) server has been configured and integrated with Openldap
server for user authentication in RHEL 5.
Using radtest, NTRadPing and Radiustest (Utility) it is working fine.  I got
Access-Accept by using this utility.

When I try from an end user through a wireless access point I may not be able
to authenticate. The wireless access point is configured with WPA for security.

From the radius debug level log and slapd log I am able to see that it is
able to fetch the username and it was successful, but in the case of
userPassword, authentication was failing.

How to send the User-Password in clear text format?
Is there any way to decrypt the userpassword in the RADIUS server which was
coming from the access point?

here is the radius debug level log




rad_recv: Access-Request packet from host 192.168.1.100:1645, id=45,
length=130

   * User-Name = "sivaji"*

Framed-MTU = 1400

Called-Station-Id = "0023.045c.3f20"

Calling-Station-Id = "001f.3c78.503a"

Service-Type = Login-User

Message-Authenticator = 0xd56b1bff210c624ccf5b1d5c56285f10

EAP-Message = 0x0202000b01736976616a69

NAS-Port-Type = Wireless-802.11

NAS-Port = 542

NAS-Port-Id = "542"

NAS-IP-Address = 192.168.1.100

NAS-Identifier = "ap"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 0

  modcall[authorize]: module "preprocess" returns ok for request 0

*rlm_realm: No '@' in User-Name = "sivaji", looking up realm NULL*

*rlm_realm: No such realm "NULL"*

  modcall[authorize]: module "suffix" returns noop for request 0

  rlm_eap: EAP packet type response id 2 length 11

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 0

users: Matched entry DEFAULT at line 157

 * modcall[authorize]: module "files" returns ok for request 0*

rlm_ldap: - authorize

rlm_ldap: performing user authorization for sivaji

*radius_xlat:  '(uid=sivaji)'*

*radius_xlat:  'dc=rgipt,dc=in'*

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: attempting LDAP reconnection

rlm_ldap: (re)connect to localhost:389, authentication 0

*rlm_ldap: bind as / to localhost:389*

*rlm_ldap: waiting for bind result ...*

*rlm_ldap: Bind was successful*

*rlm_ldap: performing search in dc=rgipt,dc=in, with filter (uid=sivaji)*

rlm_ldap: looking for check items in directory...

rlm_ldap: looking for reply items in directory...

*rlm_ldap: user sivaji authorized to use remote access*

rlm_ldap: ldap_release_conn: Release Id: 0

  modcall[authorize]: module "ldap" returns ok for request 0

modcall: leaving group authorize (returns updated) for request 0

  rad_check_password:  Found Auth-Type LDAP

auth: type "LDAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group LDAP for request 0



*rlm_ldap: - authenticate*

*rlm_ldap: Attribute "User-Password" is required for authentication.*

* *

*  modcall[authenticate]: module "ldap" returns invalid for request 0*

*modcall: leaving group LDAP (returns invalid) for request 0*

*auth: Failed to validate the user.*

*Login incorrect: [sivaji] (from client AP port 542 cli 001f.3c78.503a)*

*Delaying request 0 for 1 seconds*

*Finished request 0*

Going to the next request

--- Walking the entire request list ---

Waking up in 1 seconds...

--- Walking the entire request list ---

Waking up in 1 seconds...

--- Walking the entire request list ---

Sending Access-Reject of id 45 to 192.168.1.100 port 1645

Waking up in 4 seconds...

--- Walking the entire request list ---

Cleaning up request 0 ID 45 with timestamp 4960b0d2

Nothing to do.  Sleeping until we see a request.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP/MD5 with mysql authentication failed

2008-12-18 Thread henry1412
> EAP-MD5 doesn't use inner-tunnel. Enable sql in default virtual server.
> Ivan Kalik
> Kalik Informatika ISP
The problem was resolved your way.
Thank you very much!

 -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP/MD5 with mysql authentication failed

2008-12-17 Thread tnt
>IN sites-enabled/inner-tunnel
>--
>authorize {
>eap {
>ok = return
>}
>files
>sql
>expiration
>logintime
>}
>
>authenticate {
>eap
>}
>

EAP-MD5 doesn't use inner-tunnel. Enable sql in default virtual server.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP/MD5 with mysql authentication failed

2008-12-17 Thread A . L . M . Buxey
hi,

dont set the default auth-type for users

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP/MD5 with mysql authentication failed

2008-12-16 Thread henry1412
  EAP/MD5 with mysql authentication failed
 
My running environment is freeradius-2.1.3 and mysql-5.0.37.
The authentication type is EAP/MD5. It runs well with the individual 'user'
file; however, if I enable the sql option, it rejects with '[eap]
Handler failed in EAP/md5'. The mysql module was loaded successfully and could
connect to my database.
 
It could authorize in freeradius-1.0.5 and freeradius-1.1.7 with mysql, but
failed in freeradius-2.1.3.
 
I paste my mainly configuration file and debug information below.
Thanks for your help!
 
IN radius.conf
--
$INCLUDE sql.conf
 
IN sql.conf
--
server = "localhost"
port = 3306
login = "radius"
password = "radius"
 
IN sites-enabled/inner-tunnel
--
authorize {
    eap {
        ok = return
    }
    files
    sql
    expiration
    logintime
}
 
authenticate {
    eap
}
 
IN eap.conf
--
eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = 2048
    md5 {
    }
}
 
IN user
--
DEFAULT Auth-Type := EAP
Fall-Through = 1
 
IN radcheck table
--
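mysql> select * from radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | test     | Cleartext-Password | := | test  |
+----+----------+--------------------+----+-------+

IN radreply table
--
mysql> select * from radreply;
+----+----------+-------------------+----+--------------+
| id | username | attribute         | op | value        |
+----+----------+-------------------+----+--------------+
|  1 | test     | Framed-IP-Address | := | 192.168.1.55 |
+----+----------+-------------------+----+--------------+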
 
DEBUG information
--
---Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.7 port 1024, id=0, 
length=142
User-Name = "test"
NAS-IP-Address = 192.168.1.7
NAS-Port = 0
Called-Station-Id = "00-0F-1E-51-00-04:"
Calling-Station-Id = "00-13-D7-20-00-90"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02090174657374
Message-Authenticator = 0xbfed0ae2dd3f0b2a36fe1a88cbd3569d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 144
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.7 port 1024
EAP-Message = 0x01010016041095e48ee00d7d5ecc1639d149c9aa7283
Message-Authenticator = 0x
State = 0x40ca4f4d40cb4b4734e42cbd94a7636b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.7 port 1024, id=1, 
length=173
User-Name = "test"
NAS-IP-Address = 192.168.1.7
NAS-Port = 0
Called-Station-Id = "00-0F-1E-51-00-04:"
Calling-Station-Id = "00-13-D7-20-00-90"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100160410f34f8c1c140e4f4b3846e691a7aa2175
State = 0x40ca4f4d40cb4b4734e42cbd94a7636b
Message-Authenticator = 0xa9e8279e3d299800129cc25ad426acce
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 144
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is requir

RE: Authentication failed

2007-07-13 Thread Carlos Jimenez Barranco



Good morning:

Enterasys is the AP and the wireless card. Otherwise, we have also tried with
an integrated Intel Centrino card with the same result.
About the supplicant, we tried with the Windows client and with one provided by
Enterasys. With both of them we cannot connect correctly.

Unfortunately, this point was part of a project that should have been finished
yesterday (I'd like to have found this mailing list several days before) and we
had to configure the system with preshared keys in order to leave the system
running. Authentication with the domain was finally not implemented. Today, we
do not have access to that system and cannot do anything more. The project's
world!  :(

Otherwise, we really appreciate all your help and advice.


Thank you.

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 16:24
To: FreeRadius users mailing list
Subject: RE: Authentication failed


Lets get few things straight:

Enterasys is your AP, not your wireless card?

What supplicant are you using on your PC to connect: Windows XP
supplicant, supplicant provided by the manufacturer of PC's wireless
card or something else? Supplicant is the program you are using to make
the wireless connection.

What EAP type are you trying to use? You started with PEAP but in the
last output your supplicant was trying to do TTLS of some sort.

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, "Carlos Jimenez Barranco" <[EMAIL PROTECTED]>
wrote:

>
>
>
>Hi:
>
>We have found that on PC, wireless card needs to introduce manually a username 
>and password, it doesn't takes the domain credentials automatically.
>We have tried, just for probing, with a non valid user, in this case root and 
>the password for the freeradius server. This is why it appears "anonymous". 
>But we have not made more changes.
>After this trying, we restarted the service and we found that with domain user 
>credentials didn't connect correctly the PC.
>Could it be due a malfunctioning or an issue of the Enterasys wireless card 
>and/or AP?
>
>Thanks.
>
>Carlos Jimenez Barranco
>- After-Sales Department
>    Tel. +34 933034139
>
>www.impala-net.com
>
>Corporate Communications Systems
>
>-Original message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
>Sent: Thursday, 12 July 2007 14:41
>To: FreeRadius users mailing list
>CC: Cristina Martin Molin
>Subject: Re: Authentication failed
>
>
>Hi,
>
>
>you are CHANGING more than ONE thing at a time. look at this:
>
>>   rlm_eap: Request found, released from the list
>>   rlm_eap: EAP NAK
>>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>>  rlm_eap: No such EAP type ttls
>>   rlm_eap: Failed in EAP select
>>   modcall[authenticate]: module "eap" returns invalid for request 7
>> modcall: group authenticate returns invalid for request 7
>> auth: Failed to validate the user.
>> Login incorrect: [anonymous/] (from client 
>> 172.24.230.15 port 1 cli 00118865b6e5)
>
>why is it now attempting TTLS authentication? why have you taken such
>auth method out of the loop?  ntlm_auth isnt being called AT ALL now.
>
>one change at a time!
>
>alan

RE: Authentication failed

2007-07-12 Thread tnt
Lets get few things straight:

Enterasys is your AP, not your wireless card?

What supplicant are you using on your PC to connect: Windows XP
supplicant, supplicant provided by the manufacturer of PC's wireless
card or something else? Supplicant is the program you are using to make
the wireless connection.

What EAP type are you trying to use? You started with PEAP but in the
last output your supplicant was trying to do TTLS of some sort.

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, "Carlos Jimenez Barranco" <[EMAIL PROTECTED]>
wrote:

>
>
>
>Hi:
>
>We have found that on PC, wireless card needs to introduce manually a username 
>and password, it doesn't takes the domain credentials automatically.
>We have tried, just for probing, with a non valid user, in this case root and 
>the password for the freeradius server. This is why it appears "anonymous". 
>But we have not made more changes.
>After this trying, we restarted the service and we found that with domain user 
>credentials didn't connect correctly the PC.
>Could it be due a malfunctioning or an issue of the Enterasys wireless card 
>and/or AP?
>
>Thanks.
>
>Carlos Jimenez Barranco
>- After-Sales Department
>    Tel. +34 933034139
>
>www.impala-net.com
>
>Corporate Communications Systems
>
>-Original message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
>Sent: Thursday, 12 July 2007 14:41
>To: FreeRadius users mailing list
>CC: Cristina Martin Molin
>Subject: Re: Authentication failed
>
>
>Hi,
>
>
>you are CHANGING more than ONE thing at a time. look at this:
>
>>   rlm_eap: Request found, released from the list
>>   rlm_eap: EAP NAK
>>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>>  rlm_eap: No such EAP type ttls
>>   rlm_eap: Failed in EAP select
>>   modcall[authenticate]: module "eap" returns invalid for request 7
>> modcall: group authenticate returns invalid for request 7
>> auth: Failed to validate the user.
>> Login incorrect: [anonymous/] (from client 
>> 172.24.230.15 port 1 cli 00118865b6e5)
>
>why is it now attempting TTLS authentication? why have you taken such
>auth method out of the loop?  ntlm_auth isnt being called AT ALL now.
>
>one change at a time!
>
>alan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re : Authentication failed

2007-07-12 Thread Eshun Benjamin
domain user credentials

read the config comments carefully and the howtos on the wiki and can fix it.
 
== 
Benjamin K. Eshun

- Original message
From: Carlos Jimenez Barranco <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Cc: Cristina Martin Molin <[EMAIL PROTECTED]>
Sent: Thursday, 12 July 2007, 14:53:59
Subject: RE: Authentication failed




Hi:

We have found that on PC, wireless card needs to introduce manually a username 
and password, it doesn't takes the domain credentials automatically.
We have tried, just for probing, with a non valid user, in this case root and 
the password for the freeradius server. This is why it appears "anonymous". But 
we have not made more changes.
After this trying, we restarted the service and we found that with domain user 
credentials didn't connect correctly the PC.
Could it be due a malfunctioning or an issue of the Enterasys wireless card 
and/or AP?

Thanks.

Carlos Jimenez Barranco
- After-Sales Department
Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 14:41
To: FreeRadius users mailing list
CC: Cristina Martin Molin
Subject: Re: Authentication failed


Hi,


you are CHANGING more than ONE thing at a time. look at this:

>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP NAK
>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>  rlm_eap: No such EAP type ttls
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
> Login incorrect: [anonymous/] (from client 
> 172.24.230.15 port 1 cli 00118865b6e5)

why is it now attempting TTLS authentication? why have you taken such
auth method out of the loop?  ntlm_auth isnt being called AT ALL now.

one change at a time!

alan

RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hi:

We have found that on the PC, the wireless card needs a username and password
to be entered manually; it doesn't take the domain credentials automatically.
We have tried, just for testing, with a non-valid user, in this case root and
the password for the freeradius server. This is why it appears as "anonymous".
But we have not made more changes.
After this attempt, we restarted the service and we found that with domain user
credentials the PC didn't connect correctly.
Could it be due to a malfunction or an issue of the Enterasys wireless card
and/or AP?

Thanks.

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 14:41
To: FreeRadius users mailing list
CC: Cristina Martin Molin
Subject: Re: Authentication failed


Hi,


you are CHANGING more than ONE thing at a time. look at this:

>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP NAK
>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>  rlm_eap: No such EAP type ttls
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
> Login incorrect: [anonymous/] (from client 
> 172.24.230.15 port 1 cli 00118865b6e5)

why is it now attempting TTLS authentication? why have you taken such
auth method out of the loop?  ntlm_auth isnt being called AT ALL now.

one change at a time!

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication failed

2007-07-12 Thread A . L . M . Buxey
Hi,


you are CHANGING more than ONE thing at a time. look at this:

>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP NAK
>  rlm_eap: EAP-NAK asked for EAP-Type/ttls
>  rlm_eap: No such EAP type ttls
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
> Login incorrect: [anonymous/] (from client 
> 172.24.230.15 port 1 cli 00118865b6e5)

why is it now attempting TTLS authentication? why have you taken such
auth method out of the loop?  ntlm_auth isnt being called AT ALL now.

one change at a time!

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello, Stefan:

Thank you for your help.
You are in reason: I need a good book of Unix command-line tools. :)
For the moment, I left all in just one line.


Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 14:00
To: FreeRadius users mailing list
Subject: Re: Authentication failed

> We have entered this data in radiusd.conf:
>
> # Be VERY careful when editing the following line!
>   #
>   #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>  --domain=%{mschap:NT-Domain}
>  --username=%{mschap:User-Name}
>  --challenge=%{mschap:Challenge:-00}
>  --nt-response=%{mschap:NT-Response:-00}"
>
>
> Maybe, the "intro" after every line is not correct, so we have changed it
> for:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
>
> And the problem continues.

Well, this is "UNIX 101": if you want a command to continue over multiple 
lines, you have to put a \ (Backslash) at the end of the lines. The spaces 
themselves are perfectly fine. Something like

 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
  --domain=%{mschap:NT-Domain} \
  --username=%{mschap:User-Name} \
  --challenge=%{mschap:Challenge:-00} \
  --nt-response=%{mschap:NT-Response:-00}"

should work a lot better. Go buy a book about UNIX command-line tools ;-)

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


___

This message is intended exclusively for its addressee and may contain
information that is CONFIDENTIAL and protected by professional privilege.
If you are not the intended recipient you are hereby notified that any
dissemination, copy or disclosure of this communication is strictly
prohibited by law. If this message has been received in error, please
immediately notify us via e-mail and delete it.
___

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco

Hello:

We have restarted the radius service.
This is the output of the debug:


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = yes
 main: max_request_time = 60
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files

Re: Authentication failed

2007-07-12 Thread Stefan Winter
> We have entered this data in radiusd.conf:
>
> # Be VERY careful when editing the following line!
>   #
>   #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>  --domain=%{mschap:NT-Domain}
>  --username=%{mschap:User-Name}
>  --challenge=%{mschap:Challenge:-00}
>  --nt-response=%{mschap:NT-Response:-00}"
>
>
> Maybe, the "intro" after every line is not correct, so we have changed it
> for:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
>
> And the problem continues.

Well, this is "UNIX 101": if you want a command to continue over multiple 
lines, you have to put a \ (Backslash) at the end of the lines. The spaces 
themselves are perfectly fine. Something like

 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
  --domain=%{mschap:NT-Domain} \
  --username=%{mschap:User-Name} \
  --challenge=%{mschap:Challenge:-00} \
  --nt-response=%{mschap:NT-Response:-00}"

should work a lot better. Go buy a book about UNIX command-line tools ;-)

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentication failed

2007-07-12 Thread A . L . M . Buxey
Hi,

> Maybe, the "intro" after every line is not correct, so we have changed it for:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
> --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
> --nt-response=%{mschap:NT-Response:-00}"

did you restart the freeradius server? what does the output now say?

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco

Hello, Stefan:

We have entered this data in radiusd.conf:

# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
 --domain=%{mschap:NT-Domain}
 --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}"


Maybe, the "intro" after every line is not correct, so we have changed it for:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"


And the problem continues. 


Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 13:17
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

okay, now that the User-Name thing is fixed, another problem with your config 
shows up. The ntlm_auth line is way too short! Therefore, the key can't be 
retrieved.
Is there maybe a line wrap in radiusd.conf, line "ntlm_auth = ..." or 
something? The shipped ntlm_auth line works by default! Yours is only

'/usr/bin/ntlm_auth --request-nt-key '

i.e. it's missing all the important parts!

Stefan

> modcall: entering group Auth-Type for request 8
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for host/PC-BARCMM2.it.local with
> NT-Password radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key '
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key
> username must be specified!
>
> Usage: [OPTION...]
>   --helper-protocol=helper protocol to use operate as a stdio-based
> helper --username=STRINGusername
>   --domain=STRING  domain name
>   --workstation=STRING workstation
>   --challenge=STRING   challenge (HEX encoded)
>   --lm-response=STRING LM Response to the challenge
>(HEX encoded)
>   --nt-response=STRING NT or NTLMv2 Response to the
>challenge (HEX encoded)
>   --password=STRINGUser's plaintext password
>   --request-lm-key Retreive LM session key
>   --request-nt-key Retreive User (NT) session
> key --diagnosticsPerform diagnostics on the
> authentictaion chain --require-membership-of=STRING   Require
> that a user be a member of this group (either name or SID) for
> authentication to succeed
>
> Help options
>   -?, --help   Show this help message
>   --usage  Display brief usage message
>
> Common samba options:
>   -d, --debuglevel=DEBUGLEVEL  Set debug level
>   -s, --configfile=CONFIGFILE  Use alternative
> configuration file
>   -l, --log-basename=LOGFILEBASE   Basename for log/debug files
>   -V, --versionPrint version
> Exec-Program output:
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.


-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: Authentication failed

2007-07-12 Thread A . L . M . Buxey
Hi,

err, hello. have a look at your debug logs.


>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for host/PC-BARCMM2.it.local with 
> NT-Password
> radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key '
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key
> username must be specified!
^

how are you calling ntlm_auth in your radiusd.conf ? - looks like
you're not passing the User-Name, realm OR challenge (!)

the fact that ntlm_auth spews out its options at you is very telling.


folk, scan through your debug output. for PEAP (and some others)
it may seem that the EAP bit is just being continuously called -
that's somewhat true as it passes through about 6 times whilst
setting up the inner stuff.  go through those 6 or so times and then
the good juicy stuff appears.

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication failed

2007-07-12 Thread Stefan Winter
Hi,

okay, now that the User-Name thing is fixed, another problem with your config 
shows up. The ntlm_auth line is way too short! Therefore, the key can't be 
retrieved.
Is there maybe a line wrap in radiusd.conf, line "ntlm_auth = ..." or 
something? The shipped ntlm_auth line works by default! Yours is only

'/usr/bin/ntlm_auth --request-nt-key '

i.e. it's missing all the important parts!

Stefan

> modcall: entering group Auth-Type for request 8
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for host/PC-BARCMM2.it.local with
> NT-Password radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key '
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key
> username must be specified!
>
> Usage: [OPTION...]
>   --helper-protocol=helper protocol to use operate as a stdio-based
> helper --username=STRINGusername
>   --domain=STRING  domain name
>   --workstation=STRING workstation
>   --challenge=STRING   challenge (HEX encoded)
>   --lm-response=STRING LM Response to the challenge
>(HEX encoded)
>   --nt-response=STRING NT or NTLMv2 Response to the
>challenge (HEX encoded)
>   --password=STRINGUser's plaintext password
>   --request-lm-key Retreive LM session key
>   --request-nt-key Retreive User (NT) session
> key --diagnosticsPerform diagnostics on the
> authentictaion chain --require-membership-of=STRING   Require
> that a user be a member of this group (either name or SID) for
> authentication to succeed
>
> Help options
>   -?, --help   Show this help message
>   --usage  Display brief usage message
>
> Common samba options:
>   -d, --debuglevel=DEBUGLEVEL  Set debug level
>   -s, --configfile=CONFIGFILE  Use alternative
> configuration file
>   -l, --log-basename=LOGFILEBASE   Basename for log/debug files
>   -V, --versionPrint version
> Exec-Program output:
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.


-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
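
An added example, not code from the thread or from the FreeRADIUS project: a small Python check for the failure Stefan diagnoses above and explains in his reply about backslashes, where the configured ntlm_auth command stops at the first line break. It assumes a simplified parsing model (a value ends at the end of its line unless the line ends in a backslash); the function names are hypothetical, and the samples are the config and debug lines quoted in the thread.

```python
import re

# Options the working ntlm_auth lines quoted in this thread pass; --domain is optional.
REQUIRED = ("--request-nt-key", "--username", "--challenge", "--nt-response")


def logical_lines(text):
    """Yield (first_line_number, text), joining lines that end with a backslash.

    Assumed parsing model: a setting ends at the end of its line unless the
    line ends with a backslash. This mirrors the behaviour described in the
    thread; it is not FreeRADIUS's own parser.
    """
    parts, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = number
        if line.endswith("\\"):
            parts.append(line[:-1].rstrip())
            continue
        parts.append(line)
        yield start, " ".join(parts)
        parts, start = [], None
    if parts:  # file ended on a continuation line
        yield start, " ".join(parts)


def missing_options(command):
    """Return the REQUIRED options that do not appear in a command string."""
    tokens = command.split()
    return [opt for opt in REQUIRED
            if not any(t == opt or t.startswith(opt + "=") for t in tokens)]


def check_conf(conf_text):
    """Return (line, effective_command, missing, unterminated) per ntlm_auth setting."""
    results = []
    for number, line in logical_lines(conf_text):
        if line.startswith("#"):  # commented-out sample line
            continue
        match = re.match(r'ntlm_auth\s*=\s*"(.*)$', line)
        if not match:
            continue
        value = match.group(1)
        unterminated = '"' not in value  # closing quote never reached
        command = value.split('"', 1)[0].strip()
        results.append((number, command, missing_options(command), unterminated))
    return results


def check_debug(log_text):
    """Apply the same option check to Exec-Program lines of radiusd -X output."""
    results = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = re.search(r"Exec-Program:\s+(\S*ntlm_auth\b.*)$", line)
        if match:
            command = match.group(1).strip()
            results.append((number, command, missing_options(command)))
    return results


# The two radiusd.conf variants quoted in the thread; the surrounding
# "mschap { }" section is added here for context (assumption).
WRAPPED = r'''mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
     --domain=%{mschap:NT-Domain}
     --username=%{mschap:User-Name}
     --challenge=%{mschap:Challenge:-00}
     --nt-response=%{mschap:NT-Response:-00}"
}
'''

CONTINUED = r'''mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
     --domain=%{mschap:NT-Domain} \
     --username=%{mschap:User-Name} \
     --challenge=%{mschap:Challenge:-00} \
     --nt-response=%{mschap:NT-Response:-00}"
}
'''

# Debug lines as quoted in the thread.
DEBUG = """radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key '
Exec-Program: /usr/bin/ntlm_auth --request-nt-key
username must be specified!
Exec-Program output:
Exec-Program: returned: 1
"""

if __name__ == "__main__":
    for label, text in (("wrapped", WRAPPED), ("continued", CONTINUED)):
        for number, command, missing, unterminated in check_conf(text):
            print(label, "line", number, "missing:", missing or "nothing",
                  "(unterminated quote)" if unterminated else "")
    for number, command, missing in check_debug(DEBUG):
        print("debug line", number, "ran:", command, "missing:", missing)
```

Run against the wrapped variant, the effective command it reports is the same truncated string that radius_xlat prints in the debug output.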

RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco

Hello again:

We have found that when we configure the supplicant with the OPEN authentication method, 
it works right, but not when we configure it as WPA (authenticating against 
Active Directory with freeradius). In this second case, it seems that the 
connection is established but it immediately disconnects.


Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 12:41
To: FreeRadius users mailing list
Subject: RE: Authentication failed

What EAP method are you using? PEAP? Can you post the radiusd -X output?

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, "Carlos Jimenez Barranco" <[EMAIL PROTECTED]>
wrote:

>
>
>
>Hello, Stefan:
>
>As you told us, the supplicant was sending an empty username. We had to 
>introduce manually the username and password because wireless card was not 
>taking correctly domain login values and using an empty value.
>The most recent log is:
>
>Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/attribute>] (from client localhost port 0) Thu Jul 12 11:03:38 2007 : Auth: 
>Login incorrect: [barcmm2/] (from client 
>172..24.230.15 port 1 cli 00118865b6e5)
>
>
>Thank you,
>
>Carlos Jimenez Barranco
>- After-Sales Department
>    Tel. +34 933034139
>
>www.impala-net.com
>
>Corporate Communications Systems
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
>Sent: Thursday, 12 July 2007 10:51
>To: FreeRadius users mailing list
>Subject: Re: Authentication failed
>
>Hi,
>
>> About the supplicant, we are using just Windows XP. We have tried with
>> several wireless card (enterasys one, integrated Intel Centrino
>> 2200b/g...). I have may not understood the supplicant meaning, tell me
>> then, please. I thought it could be a problem related to the way the
>> freeradius deals credentials (i. e. MSCHAP, with_ntdomain_hack value...).
>
>FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
>NAS is sending an *empty* username. As far as I can tell, your problem does 
>not lie on the server side, but on the client side.
>
>Stefan
>
>-- 
>Stefan WINTER
>
>Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
>la Recherche
>Ingenieur Forschung & Entwicklung
>
>6, rue Richard Coudenhove-Kalergi
>L-1359 Luxembourg
>E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
>http://www.restena.lu                Fax:      +352 422473
>
>

RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco
 rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Login incorrect: [host/PC-BARCMM2.it.local/] (from 
client 172.24.230.15 port 1 cli 000e359071d6)
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 123 to 172.24.230.15:1279
EAP-Message = 0x04080004
Message-Authenticator = 0x
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 116 with timestamp 4695fe85
Cleaning up request 3 ID 117 with timestamp 4695fe85
Cleaning up request 4 ID 118 with timestamp 4695fe85
Cleaning up request 5 ID 119 with timestamp 4695fe85
Cleaning up request 6 ID 120 with timestamp 4695fe85
Cleaning up request 7 ID 121 with timestamp 4695fe85
Cleaning up request 8 ID 122 with timestamp 4695fe85
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 123 with timestamp 4695fe86
Nothing to do.  Sleeping until we see a request.


Thank you, Ivan

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 12:41
To: FreeRadius users mailing list
Subject: RE: Authentication failed

What EAP method are you using? PEAP? Can you post the radiusd -X output?

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, "Carlos Jimenez Barranco" <[EMAIL PROTECTED]>
wrote:

>
>
>
>Hello, Stefan:
>
>As you told us, the supplicant was sending an empty username. We had to 
>introduce manually the username and password because wireless card was not 
>taking correctly domain login values and using an empty value.
>The most recent log is:
>
>Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/attribute>] (from client localhost port 0) Thu Jul 12 11:03:38 2007 : Auth: 
>Login incorrect: [barcmm2/] (from client 
>172..24.230.15 port 1 cli 00118865b6e5)
>
>
>Thank you,
>
>Carlos Jimenez Barranco
>- After-Sales Department
>    Tel. +34 933034139
>
>www.impala-net.com
>
>Corporate Communications Systems
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
>Sent: Thursday, 12 July 2007 10:51
>To: FreeRadius users mailing list
>Subject: Re: Authentication failed
>
>Hi,
>
>> About the supplicant, we are using just Windows XP. We have tried with
>> several wireless card (enterasys one, integrated Intel Centrino
>> 2200b/g...). I have may not understood the supplicant meaning, tell me
>> then, please. I thought it could be a problem related to the way the
>> freeradius deals credentials (i. e. MSCHAP, with_ntdomain_hack value...).
>
>FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
>NAS is sending an *empty* username. As far as I can tell, your problem does 
>not lie on the server side, but on the client side.
>
>Stefan
>
>-- 
>Stefan WINTER
>
>Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
>la Recherche
>Ingenieur Forschung & Entwicklung
>
>6, rue Richard Coudenhove-Kalergi
>L-1359 Luxembourg
>E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
>http://www.restena.lu                Fax:      +352 422473
>
>

RE: Authentication failed

2007-07-12 Thread tnt
What EAP method are you using? PEAP? Can you post the radiusd -X output?

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, "Carlos Jimenez Barranco" <[EMAIL PROTECTED]>
wrote:

>
>
>
>Hello, Stefan:
>
>As you told us, the supplicant was sending an empty username. We had to 
>introduce manually the username and password because wireless card was not 
>taking correctly domain login values and using an empty value.
>The most recent log is:
>
>Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/attribute>] (from client localhost port 0) Thu Jul 12 11:03:38 2007 : Auth: 
>Login incorrect: [barcmm2/] (from client 
>172..24.230.15 port 1 cli 00118865b6e5)
>
>
>Thank you,
>
>Carlos Jimenez Barranco
>- After-Sales Department
>    Tel. +34 933034139
>
>www.impala-net.com
>
>Corporate Communications Systems
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
>Sent: Thursday, 12 July 2007 10:51
>To: FreeRadius users mailing list
>Subject: Re: Authentication failed
>
>Hi,
>
>> About the supplicant, we are using just Windows XP. We have tried with
>> several wireless card (enterasys one, integrated Intel Centrino
>> 2200b/g...). I have may not understood the supplicant meaning, tell me
>> then, please. I thought it could be a problem related to the way the
>> freeradius deals credentials (i. e. MSCHAP, with_ntdomain_hack value...).
>
>FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
>NAS is sending an *empty* username. As far as I can tell, your problem does 
>not lie on the server side, but on the client side.
>
>Stefan
>
>-- 
>Stefan WINTER
>
>Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
>la Recherche
>Ingenieur Forschung & Entwicklung
>
>6, rue Richard Coudenhove-Kalergi
>L-1359 Luxembourg
>E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
>http://www.restena.lu                Fax:      +352 422473
>
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco

Hello, Stefan:

As you told us, the supplicant was sending an empty username. We had to 
introduce manually the username and password because wireless card was not 
taking correctly domain login values and using an empty value.
The most recent log is:

Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/] (from client localhost port 0) Thu Jul 12 11:03:38 2007 : Auth: 
Login incorrect: [barcmm2/] (from client 
172.24.230.15 port 1 cli 00118865b6e5)


Thank you,

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:51
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

> About the supplicant, we are using just Windows XP. We have tried with
> several wireless card (enterasys one, integrated Intel Centrino
> 2200b/g...). I have may not understood the supplicant meaning, tell me
> then, please. I thought it could be a problem related to the way the
> freeradius deals credentials (i. e. MSCHAP, with_ntdomain_hack value...).

FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
NAS is sending an *empty* username. As far as I can tell, your problem does 
not lie on the server side, but on the client side.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco

Hi:

Thank you, Stefan. We are going to revise the client configuration.

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:51
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

> About the supplicant, we are using just Windows XP. We have tried with
> several wireless cards (enterasys one, integrated Intel Centrino
> 2200b/g...). I may not have understood the supplicant meaning, tell me
> then, please. I thought it could be a problem related to the way the
> freeradius deals with credentials (i.e. MSCHAP, with_ntdomain_hack value...).

FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
NAS is sending an *empty* username. As far as I can tell, your problem does 
not lie on the server side, but on the client side.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473




Re: Authentication failed

2007-07-12 Thread Stefan Winter
Hi,

> About the supplicant, we are using just Windows XP. We have tried with
> several wireless cards (enterasys one, integrated Intel Centrino
> 2200b/g...). I may not have understood the supplicant meaning, tell me
> then, please. I thought it could be a problem related to the way the
> freeradius deals with credentials (i.e. MSCHAP, with_ntdomain_hack value...).

FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
NAS is sending an *empty* username. As far as I can tell, your problem does 
not lie on the server side, but on the client side.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello, Stefan:

About the supplicant, we are using just Windows XP. We have tried with several
wireless cards (enterasys one, integrated Intel Centrino 2200b/g...). I may
not have understood the supplicant meaning, tell me then, please.
I thought it could be a problem related to the way the freeradius deals with
credentials (i.e. MSCHAP, with_ntdomain_hack value...).

Thank you,

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:15
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

> Thank you for your quick answer Stefan. Just one more question: Who is the
> supplicant? The AP or the PC client? On the PC Client (WinXP) we have
> always entered a login and password.

The supplicant is the PC client. That's odd. If you really have entered a 
username on the supplicant, the NAS *MUST* put that into the RADIUS packet. 
So there's two possibilities:

- the supplicant software on the PC has a bug and doesn't actually send it 
even though you have entered it (which supplicant are you using?)
- the NAS (AP) is flawed. Unfortunately I have no experience with Enterasys.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473




Re: Authentication failed

2007-07-12 Thread Stefan Winter
Hi,

> Thank you for your quick answer Stefan. Just one more question: Who is the
> supplicant? The AP or the PC client? On the PC Client (WinXP) we have
> always entered a login and password.

The supplicant is the PC client. That's odd. If you really have entered a 
username on the supplicant, the NAS *MUST* put that into the RADIUS packet. 
So there's two possibilities:

- the supplicant software on the PC has a bug and doesn't actually send it 
even though you have entered it (which supplicant are you using?)
- the NAS (AP) is flawed. Unfortunately I have no experience with Enterasys.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Good morning:

Thank you for your quick answer Stefan. Just one more question: Who is the 
supplicant? The AP or the PC client?
On the PC Client (WinXP) we have always entered a login and password.


With kind regards,

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 9:52
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hello,

> rad_recv: Access-Request packet from host 172.24.230.15:3324, id=10,
> length=113 NAS-IP-Address = 172.24.230.15
>     NAS-Port-Type = Wireless-802.11
>     NAS-Port = 1
>     Framed-MTU = 1400
>     User-Name = ""
>     Calling-Station-Id = "00118865b6e5"
>     Called-Station-Id = "0011885ae5b0"
>     NAS-Identifier = "RoamAbout AP"
>     EAP-Message = 0x0201000501
>     Message-Authenticator = 0xf6e4825749e3bc4b04a99bc11c37fbba
[...]
> modcall: entering group authenticate for request 4
> rlm_eap: UserIdentity Unknown
> rlm_eap: Identity Unknown, authentication failed
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 4
> modcall: group authenticate returns invalid for request 4
> auth: Failed to validate the user.

Your NAS is sending an empty User-Name. That's fatal, because then the 
FreeRADIUS server has no clue which user it should authenticate. Check the 
settings on your supplicant - enter a user name.

> Is it necessary to attach the system message log?
> Tell me if you need more info.

Most of the time, radiusd -X is sufficient.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473




Re: Authentication failed

2007-07-12 Thread Stefan Winter
Hello,

> rad_recv: Access-Request packet from host 172.24.230.15:3324, id=10,
> length=113 NAS-IP-Address = 172.24.230.15
>     NAS-Port-Type = Wireless-802.11
>     NAS-Port = 1
>     Framed-MTU = 1400
>     User-Name = ""
>     Calling-Station-Id = "00118865b6e5"
>     Called-Station-Id = "0011885ae5b0"
>     NAS-Identifier = "RoamAbout AP"
>     EAP-Message = 0x0201000501
>     Message-Authenticator = 0xf6e4825749e3bc4b04a99bc11c37fbba
[...]
> modcall: entering group authenticate for request 4
> rlm_eap: UserIdentity Unknown
> rlm_eap: Identity Unknown, authentication failed
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 4
> modcall: group authenticate returns invalid for request 4
> auth: Failed to validate the user.

Your NAS is sending an empty User-Name. That's fatal, because then the 
FreeRADIUS server has no clue which user it should authenticate. Check the 
settings on your supplicant - enter a user name.

> Is it necessary to attach the system message log?
> Tell me if you need more info.

Most of the time, radiusd -X is sufficient.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
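
Decoding the EAP-Message value from the debug output quoted in this message (an added example, not part of the thread): the five bytes are an EAP Response/Identity with no identity data, which matches the empty User-Name. The function names and result labels are this example's own, the second packet is constructed for contrast, and the comparison relies on the RFC 3579 rule that the NAS copies the EAP identity into User-Name.

```python
import struct

# EAP codes and a few method type numbers (RFC 3748 / IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(hex_value):
    """Parse one EAP packet given as the hex string radiusd -X prints."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes (code, id, length)")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not fit the data")
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
           "id": ident, "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = EAP_TYPES.get(raw[4], "type %d" % raw[4])
        pkt["data"] = raw[5:length]
    return pkt


def check_identity(user_name, eap_hex):
    """Compare the RADIUS User-Name with the identity carried inside EAP."""
    pkt = parse_eap(eap_hex)
    if pkt["code"] != "Response" or pkt["type"] != "Identity":
        return "not-identity-response"
    identity = pkt["data"].decode("utf-8", "replace")
    if identity == "":
        # The EAP layer itself carries no name: look at the supplicant first.
        return "empty-identity-in-eap"
    if user_name == "":
        # EAP has a name but User-Name does not: the NAS did not copy it.
        return "nas-dropped-identity"
    return "ok" if user_name == identity else "user-name-differs"


FROM_THREAD = "0x0201000501"                 # EAP-Message from the debug log
CONSTRUCTED = "0x0201000b016361726c6f73"     # constructed: identity "carlos"

if __name__ == "__main__":
    print(parse_eap(FROM_THREAD))
    print(check_identity("", FROM_THREAD))
    print(check_identity("", CONSTRUCTED))
    print(check_identity("carlos", CONSTRUCTED))
```

The parsed header (Response, id 1, length 5) agrees with the "EAP packet type response id 1 length 5" line in the log.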



Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco
ed and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.24.230.15:3292, id=6, length=113
    NAS-IP-Address = 172.24.230.15
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    Framed-MTU = 1400
    User-Name = ""
    Calling-Station-Id = "00118865b6e5"
    Called-Station-Id = "0011885ae5b0"
    NAS-Identifier = "RoamAbout AP"
    EAP-Message = 0x0201000501
    Message-Authenticator = 0x7e0bca64564aa7a36a948978afd11855
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 5
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: UserIdentity Unknown
rlm_eap: Identity Unknown, authentication failed
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 6 to 172.24.230.15:3292
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 6 with timestamp 4694d142
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.24.230.15:3301, id=7, length=113
    NAS-IP-Address = 172.24.230.15
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    Framed-MTU = 1400
    User-Name = ""
    Calling-Station-Id = "00118865b6e5"
    Called-Station-Id = "0011885ae5b0"
    NAS-Identifier = "RoamAbout AP"
    EAP-Message = 0x0201000501
    Message-Authenticator = 0x16f2050b520d58294db57fea05923e73
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns

Re: re: users authentication failed

2007-06-26 Thread tnt
Post content of radcheck (and radgroupcheck if you are using groups)
table. Auth-Type Local had to come from there.

Ivan Kalik
Kalik Informatika ISP


On 26/6/2007, "Carl aniams" <[EMAIL PROTECTED]> wrote:

>hi
>
>now the authentication type is local with the message
>
>user supplied user-password does not match local user-password
>
>see attached file
>
>thanks
>
>
>--
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>ANIAMBOSSOU Carl
>NIAMS TECHNOLOGIES
>tel: +229 90 04 08 58   +229 97 48 01 33
>COTONOU
>REPUBLIC OF BENIN
>WEST AFRICA
>
>



re: users authentication failed

2007-06-26 Thread Carl aniams

hi

now the authentication type is local with the message

user supplied user-password does not match local user-password

see attached file

thanks


--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA



Re:users authentication failed

2007-06-26 Thread tnt
Well, what did you put in the database? This
($1$yR5YY9Uh$ubDooFItYSeNo7pkP0nyG1) is not the password you are sending
(will). If you are storing encrypted passwords you need to use the
appropriate password attribute.

Ivan Kalik
Kalik Informatika ISP


On 26/6/2007, "Carl aniams" <[EMAIL PROTECTED]> wrote:

>In the users file i  commented the authtype=system for user:DEFAULT
>
>now the authentication is done through PAP but pap rejects user
>
>look the joint file
>
>No user can be authenticated whether in database or an account user.
>
>
>--
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>ANIAMBOSSOU Carl
>NIAMS TECHNOLOGIES
>tel: +229 90 04 08 58   +229 97 48 01 33
>COTONOU
>REPUBLIC OF BENIN
>WEST AFRICA
>
>



Re:users authentication failed

2007-06-26 Thread Carl aniams

In the users file i  commented the authtype=system for user:DEFAULT

now the authentication is done through PAP but pap rejects user

look the joint file

No user can be authenticated whether in database or an account user.


--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA



Re: users authentication failed

2007-06-26 Thread tnt
>users: Matched entry DEFAULT at line 153

There is a DEFAULT entry in your users file setting Auth-Type System.
Comment it out and try again.

Ivan Kalik
Kalik Informatika ISP



On 26/6/2007, "Carl aniams" <[EMAIL PROTECTED]> wrote:

>hi all
>thanks for assistance i appreciate
>
>i put in attached the result of radiusd -X so as to make my problem really
>understandable
>
>i used 2 users; carl pass: aniam and akim pass:willy
>
>carl failed to login and akim was successful
>
>Something new i discovered is that when i create user carl as a system
>account he is accepted by the radius
>so it seems my radius server checks its users elsewhere than the database.
>what  can i do?
>regards
>--
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>ANIAMBOSSOU Carl
>NIAMS TECHNOLOGIES
>tel: +229 90 04 08 58   +229 97 48 01 33
>COTONOU
>REPUBLIC OF BENIN
>WEST AFRICA
>
>



users authentication failed

2007-06-26 Thread Carl aniams

hi all
thanks for assistance i appreciate

i put in attached the result of radiusd -X so as to make my problem really
understandable

i used 2 users; carl pass: aniam and akim pass:willy

carl failed to login and akim was successful

Something new i discovered is that when i create user carl as a system
account he is accepted by the radius
so it seems my radius server checks its users elsewhere than the database.
what  can i do?
regards
--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA



Re:users authentication failed

2007-06-25 Thread tnt
There is a DEFAULT entry in your users file setting Auth-Type System (and
you are trying to use something else). Uncomment or delete that entry
and try again.

This is a blind guess. It would help if you would post debug from the
request.

Ivan Kalik
Kalik Informatika ISP


On 25/6/2007, "Carl aniams" <[EMAIL PROTECTED]> wrote:

>I used numbers (123456) and it seems to work.seems??
>
>when i use user:akim passwd:willy  everything is all right (redirection
>authentication on radius and message response ok.) using browsing the net
>
>but when i try to use another user (carl passwd:aniam or all the several
>users i created ) i have an access-reject message
>with following result:
>
>  modcall[authorize]: module "pap" returns noop for request 24
>modcall: leaving group authorize (returns ok) for request 24
>  rad_check_password:  Found Auth-Type System
>auth: type "System"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 24
>  modcall[authenticate]: module "unix" returns notfound for request 24
>modcall: leaving group authenticate (returns notfound) for request 24
>auth: Failed to validate the user.
>Delaying request 24 for 1 seconds
>Finished request 24
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 0 to 192.168.1.3 port 2051
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 24 ID 0 with timestamp 467fea7b
>
>what might be the fault
>--
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>ANIAMBOSSOU Carl
>NIAMS TECHNOLOGIES
>tel: +229 90 04 08 58   +229 97 48 01 33
>COTONOU
>REPUBLIC OF BENIN
>WEST AFRICA
>
>



Re:users authentication failed

2007-06-25 Thread Carl aniams

I used numbers (123456) and it seems to work.seems??

when i use user:akim passwd:willy  everything is all right (redirection
authentication on radius and message response ok.) using browsing the net

but when i try to use another user (carl passwd:aniam or all the several
users i created ) i have an access-reject message
with following result:

 modcall[authorize]: module "pap" returns noop for request 24
modcall: leaving group authorize (returns ok) for request 24
 rad_check_password:  Found Auth-Type System
auth: type "System"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 24
 modcall[authenticate]: module "unix" returns notfound for request 24
modcall: leaving group authenticate (returns notfound) for request 24
auth: Failed to validate the user.
Delaying request 24 for 1 seconds
Finished request 24
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.3 port 2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 24 ID 0 with timestamp 467fea7b

what might be the fault
--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA

Re: users authentication failed

2007-06-25 Thread Alan DeKok
Carl aniams wrote:
> Be sure that i cross-checked the shared secret  on my server and on the
> nas (the AP) yet nothing
> i even changed them yet nothing

  Then either the MD5 libraries are broken, or the shared secret is wrong.

  Alan DeKok.
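
Why a shared-secret mismatch shows up as "Unprintable characters in the password" (an added example, not part of the thread): a PAP User-Password is masked with MD5(secret + Request Authenticator) as described in RFC 2865 section 5.2, so a server holding a different secret unmasks it to pseudo-random bytes. The secrets and authenticator are constructed values, the function names are this example's own, and "willy" is the test password mentioned in the thread.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is handled in 16-byte blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """NAS side: mask the password before it goes into the Access-Request."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    if not padded:                      # empty password is still one block
        padded = b"\x00" * BLOCK
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + BLOCK], mask)   # ciphertext chains forward
        hidden += prev
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side: unmask with the server's copy of the shared secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")        # drop the zero padding


def is_printable(value):
    return all(0x20 <= c <= 0x7E for c in value)


# Constructed sample values (not taken from the thread's packets).
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"testing123"
SERVER_SECRET_TYPO = b"testing124"


def demo():
    hidden = hide_password(b"willy", NAS_SECRET, AUTHENTICATOR)
    return {
        "matching": recover_password(hidden, NAS_SECRET, AUTHENTICATOR),
        "mismatched": recover_password(hidden, SERVER_SECRET_TYPO, AUTHENTICATOR),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        state = "printable" if is_printable(value) else "UNPRINTABLE"
        print(label, repr(value), state)
```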


Re:users authentication failed

2007-06-25 Thread Carl aniams


Carl aniams wrote:
...
> please any suggestion
...
>   WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!

What part of that message is unclear?




Be sure that i cross-checked the shared secret  on my server and on the nas
(the AP) yet nothing
i even changed them yet nothing

Alan DeKok.



--


--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA

Re: users authentication failed

2007-06-25 Thread tnt
1. WARNING: Unprintable characters in the password. ? Double-check the
shared secret on the server and the NAS!
2. You have a DEFAULT entry in users file setting Auth-Type System.
Comment it out. I assume your password is in the database.

Ivan Kalik
Kalik Informatika ISP


On 25/6/2007, "Carl aniams" <[EMAIL PROTECTED]> wrote:

>hi
>i am using freeradius 1.1.6 with mysql 4 on a fedora core 4 with a DD-WRT
>v23 with enabled chilli.
>i have the users created through the dialupadmin page. users are
>successfully created but while trying to log through chilli i have the
>following when i do radiusd -X
>please any suggestion
>welcome
>Ready to process requests.
>rad_recv: Access-Request packet from host 192.168.1.3:2051, id=0, length=197
>User-Name = "akim"
>User-Password =
>"\332%\300D\310\373h\345]\237\036\216\242\373\362\001"
>NAS-IP-Address = 0.0.0.0
>Service-Type = Login-User
>Framed-IP-Address = 192.168.182.2
>Calling-Station-Id = "00-90-4B-A4-D0-E8"
>Called-Station-Id = "00-18-F8-68-09-F5"
>NAS-Identifier = "hotspot"
>Acct-Session-Id = "467fca8f"
>NAS-Port-Type = Wireless-802.11
>NAS-Port = 0
>Message-Authenticator = 0x23a39f4c2fabd6436787a53362759cf8
>WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>rlm_realm: No '@' in User-Name = "akim", looking up realm NULL
>rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 0
>users: Matched entry DEFAULT at line 153
>  modcall[authorize]: module "files" returns ok for request 0
>radius_xlat:  'akim'
>rlm_sql (sql): sql_set_user escaped user --> 'akim'
>radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
>radcheck   WHERE Username = 'akim'   ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 4
>radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,
>radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM
>radgroupcheck,usergroup WHERE usergroup.Username = 'akim' AND
>usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
>radreply   WHERE Username = 'akim'   ORDER BY id'
>radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,
>radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM
>radgroupreply,usergroup WHERE usergroup.Username = 'akim' AND
>usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql (sql): Released sql socket id: 4
>  modcall[authorize]: module "sql" returns ok for request 0
>rlm_pap: Found existing Auth-Type, not changing it.
>  modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns ok) for request 0
>  rad_check_password:  Found Auth-Type System
>auth: type "System"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
>rlm_unix: [akim]: invalid password
>  modcall[authenticate]: module "unix" returns reject for request 0
>modcall: leaving group authenticate (returns reject) for request 0
>auth: Failed to validate the user.
>  WARNING: Unprintable characters in the password. ?  Double-check the
>shared secret on the server and the NAS!
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 0 to 192.168.1.3 port 2051
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 0 with timestamp 467fb396
>Nothing to do.  Sleeping until we see a request.
>
>
>--
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>ANIAMBOSSOU Carl
>NIAMS TECHNOLOGIES
>tel: +229 90 04 08 58   +229 97 48 01 33
>COTONOU
>REPUBLIC OF BENIN
>WEST AFRICA
>
>



Re: users authentication failed

2007-06-25 Thread Alan DeKok
Carl aniams wrote:
...
> please any suggestion
...
>   WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!

  What part of that message is unclear?

  Alan DeKok.


users authentication failed

2007-06-25 Thread Carl aniams

hi
i am using freeradius 1.1.6 with mysql 4 on a fedora core 4 with a DD-WRT
v23 with enabled chilli.
i have the users created through the dialupadmin page. users are
successfully created but while trying to log through chilli i have the
following when i do radiusd -X
please any suggestion
welcome
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.3:2051, id=0, length=197
   User-Name = "akim"
   User-Password =
"\332%\300D\310\373h\345]\237\036\216\242\373\362\001"
   NAS-IP-Address = 0.0.0.0
   Service-Type = Login-User
   Framed-IP-Address = 192.168.182.2
   Calling-Station-Id = "00-90-4B-A4-D0-E8"
   Called-Station-Id = "00-18-F8-68-09-F5"
   NAS-Identifier = "hotspot"
   Acct-Session-Id = "467fca8f"
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 0
   Message-Authenticator = 0x23a39f4c2fabd6436787a53362759cf8
   WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "akim", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched entry DEFAULT at line 153
 modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'akim'
rlm_sql (sql): sql_set_user escaped user --> 'akim'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'akim'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,
radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM
radgroupcheck,usergroup WHERE usergroup.Username = 'akim' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'akim'   ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,
radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM
radgroupreply,usergroup WHERE usergroup.Username = 'akim' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
 modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type System
auth: type "System"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [akim]: invalid password
 modcall[authenticate]: module "unix" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
 WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.3 port 2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 467fb396
Nothing to do.  Sleeping until we see a request.


--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA

Re: etc_smbpasswd authentication failed

2005-07-07 Thread Alan DeKok
Ramses van Pinxteren <[EMAIL PROTECTED]> wrote:
> How can I now enable the etc_passwd section? Simply putting 
> etc_passwd in the authorize section is not enough unfortunately.

  What's going wrong?

  The default "radiusd.conf" contains a sample configuration for
etc_smbpasswd.  Uncomment it, and add "etc_smbpasswd" to the
authorization section.  It WILL work.

  If it doesn't, once again, READ THE DEBUG OUTPUT.

  I hate playing "twenty questions".  If you're not going to say what
the server is doing, no one here will ever be able to help you.  (Or
want to help you, for that matter.)

  Alan DeKok.



Re: etc_smbpasswd authentication failed

2005-07-07 Thread Ramses van Pinxteren

Thanks for this answer. I now start to understand the debug report.

How can I now enable the etc_passwd section? Simply putting 
etc_passwd in the authorize section is not enough unfortunately.


So again: a big HELP

Thanks
ramses


> Ramses van Pinxteren <[EMAIL PROTECTED]> wrote:
> > When I start radius in debug mode, it shows me that authentication is
> > progressing perfectly (modcall: group authorize returns ok for request
> > 0)
> >
> > However it still returns an accept-reject package.
>
>   Did you *read* the debug output?
>
> > rad_check_password:  Found Auth-Type System
> >  auth: type "System"
> > Processing the authenticate section of radiusd.conf
> >  modcall: entering group authenticate for request 0
> > modcall[authenticate]: module "unix" returns notfound for request 0
>
>   What part of that is unclear?
>
>   It's doing authentication against /etc/passwd, and not using the
> password from the smbpasswd file.
>
>   Alan DeKok.




Re: etc_smbpasswd authentication failed

2005-07-06 Thread Alan DeKok
Ramses van Pinxteren <[EMAIL PROTECTED]> wrote:
> When I start radius in debug mode, it shows me that authentication is 
> progressing perfectly (modcall: group authorize returns ok for request 
> 0)
> 
> However it still returns an accept-reject package.

  Did you *read* the debug output?

>rad_check_password:  Found Auth-Type System
> auth: type "System"
>Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>modcall[authenticate]: module "unix" returns notfound for request 0

  What part of that is unclear?

  It's doing authentication against /etc/passwd, and not using the
password from the smbpasswd file.

  Alan DeKok.




etc_smbpasswd authentication failed

2005-07-06 Thread Ramses van Pinxteren

Hi all!

I am trying to authenticate against a smbpasswd file with 
freeradius-1.0.1 on a fedora core 3 machine.


When I start radius in debug mode, it shows me that authentication is 
progressing perfectly (modcall: group authorize returns ok for request 
0)


However it still returns an accept-reject package.

I have the funny feeling I did miss a line somewhere in the radius.conf file.

Here is the console output. btw I started radius with
# radiusd -sfxxyz -l stdout

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded DIGEST
Module: Instantiated digest (digest)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = 
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"

 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded attr_filter
 attr_filter: attrsfile = "/etc/raddb/attrs"
 rlm_attr_filter: Authorize method will be deprecated.
Module: Instantiated attr_filter (attr_filter)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded passwd
 passwd: filename = "/etc/samba/smbpasswd"
 passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
 passwd: authtype = "MS-CHAP"
 passwd: delimiter = ":"
 passwd: ignorenislike = no
 passwd: ignoreempty = yes
 passwd: allowmultiplekeys = no
 passwd: hashsize = 100
rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (etc_smbpasswd)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"

Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = 
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"

 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: 

Calling-Station-Id + User-Password Authentication failed

2005-04-26 Thread Phani Kumar
Hi,
  I have set up a RADIUS server using EAP/PEAP + MSCHAPv2.
I am also using a MySQL database for storing the users' passwords and MAC 
addresses.

I have created 2 entries in the Radcheck file:

id  Username  Attribute           Value         op
--------------------------------------------------
1   Phani     User-Password       xyz123        ==
2   Phani     Calling-Station-Id  000d12345623  ==

But the authentication fails, saying:

User authentication failed..

Is the above process correct?

If not, can anyone suggest a way to bind a user to his password and MAC 
address, so that only a user with the correct credentials can log on to the net?

Waiting for solution...

Phani
IIIT-Hyd






Re: Dialup Admin - "Authentication Failed" problem.

2004-10-13 Thread Alan DeKok
"Shannon Sariman" <[EMAIL PROTECTED]> wrote:
> I'm using freeradius-0.9.3 with MySQL and Dialup Admin on a RH 9.0
> machine in conjunction with a Cisco 2511 NAS. I've noticed that on
> several occasions, accounting "stale sessions" have led to some users
> being denied dialup access. Even when I clear all the stale
> sessions

  How?

> How can I rectify this so that the user "fred" is allowed access again?

  "radzap".

  Alan DeKok.



Dialup Admin - "Authentication Failed" problem.

2004-10-12 Thread Shannon Sariman




Hi All,
 
I'm using freeradius-0.9.3 with MySQL and Dialup Admin on a RH 9.0 machine 
in conjunction with a Cisco 2511 NAS. I've noticed that on several 
occasions, accounting "stale sessions" have led to some users being denied dialup 
access. Even when I clear all the stale sessions I still get 
the message below when running a user authentication test, on say a 
user named "fred" (using the user Test Page that comes with Dialup 
admin):

"Authentication failed
Server response: Reply-Message = "\r\nYou are already logged in - access denied\r\n\n""
 
How can I rectify this so that the user "fred" is allowed access 
again?
 
Best regards,
 
Shannon


Re: EAP-TTLS authentication failed

2004-03-09 Thread Alan DeKok
Rok Papez <[EMAIL PROTECTED]> wrote:
> What is the benefit of using Inner EAP + CHAP over normal CHAP within TTLS ?

  Not much, if any.

  Alan DeKok.



Re: EAP-TTLS authentication failed

2004-03-09 Thread Alan DeKok
<[EMAIL PROTECTED]> wrote:
> I've installed freeRadius with EAP-TTLS. 
> I've done the configuration but I always get an access reject for
> a user who is in the users file. 

  Because you did exactly the opposite of what the configuration files
say.

>   rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.  
> TTLS: Got tunneled request
> User-Name = "Rola"
> User-Password = "testing"
> Freeradius-Proxied-To = 127.0.0.1

  This is the request in the tunnel.

>   modcall[authorize]: module "suffix" returns noop for request 5
> users: Matched Rola at 92

  This line of your "users" file contains "Auth-Type := EAP"

>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 5
> rlm_eap: EAP-Message not found
> rlm_eap: Malformed EAP Message
>   modcall[authenticate]: module "eap" returns fail for request 5

  There is no EAP session in the tunneled request, and you have told
the server to use EAP to authenticate the user.  It's telling you that
it can't.

  Please read the entire debug message.

  Please read "radiusd.conf", and the comments at the start of the
"authenticate" section, in any CVS snapshot from the past month or so.

  Do NOT set "Auth-Type := EAP".  Ever.  It's wrong.

  Alan DeKok.

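The replies in the etc_smbpasswd and EAP-TTLS threads above read the debug output the same way: the authorize section returning ok only selects an Auth-Type, and the module that Auth-Type hands the request to decides the outcome. The following Python is an added example, not code from the thread or from FreeRADIUS, that applies this reading to the two debug excerpts quoted in those threads; the `triage` function, its output format and the wording of the findings are assumptions.

```python
import re

AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
MODCALL = re.compile(r'modcall\[(authorize|authenticate)\]: module "([^"]+)" returns (\w+)')
FAILED = {"reject", "fail", "notfound", "invalid", "userlock"}

# Debug lines copied from the two threads (the second keeps its mail quoting).
SMBPASSWD_SAMPLE = """\
rad_check_password:  Found Auth-Type System
 auth: type "System"
Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
"""
TTLS_SAMPLE = """\
>   modcall[authorize]: module "suffix" returns noop for request 5
> users: Matched Rola at 92
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 5
> rlm_eap: EAP-Message not found
> rlm_eap: Malformed EAP Message
>   modcall[authenticate]: module "eap" returns fail for request 5
"""


def triage(debug_text: str) -> dict:
    """Summarise one request from FreeRADIUS 1.x style `radiusd -X` output."""
    out = {"auth_type": None, "authorize": [], "authenticate": [], "findings": []}
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate "> " mail quoting
        if m := AUTH_TYPE.search(line):
            out["auth_type"] = m.group(1)
        elif m := MODCALL.search(line):
            out[m.group(1)].append((m.group(2), m.group(3)))
        elif "EAP-Message not found" in line:
            out["findings"].append("Auth-Type EAP was forced on a request with no EAP-Message")
        elif "Unprintable characters in the password" in line:
            out["findings"].append("password decoded to garbage: compare shared secrets")
    for module, rcode in out["authenticate"]:
        if rcode in FAILED:  # the authenticate result decides, not authorize
            out["findings"].append(f'"{module}" handled Auth-Type {out["auth_type"]} and returned {rcode}')
    return out


if __name__ == "__main__":
    for name, sample in (("etc_smbpasswd", SMBPASSWD_SAMPLE), ("EAP-TTLS", TTLS_SAMPLE)):
        print(name, triage(sample))
```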

