Re: Help with proxy settings please

2012-01-12 Thread Alan Buxey
Hi,

> [suffix] Looking up realm "gcu.ac.uk" for User-Name = "radldapu...@gcu.ac.uk"
> [suffix] Found realm "GCU.AC.UK"

okay, the server has gcu.ac.uk in proxy.conf - so the realm module
knows to deal with it...

> [suffix] Preparing to proxy authentication request to realm "GCU.AC.UK"

okay

> Sending Access-Request of id 98 to 10.1.1.78 port 1812

so you've configured the server to send such requests to 10.1.1.78

...which isn't answering

> We are trying to locate where we would reference our internal AD within either proxy.conf and/or clients.conf. Or should ntlm do this automatically...

when you say 'reference' do you mean e.g. sending the request to NPS on
an AD system - or do you mean authenticating the request actually on your FR
box?  if the first, then configure proxy.conf to send your requests to the
NPS box.  if the latter, configure FR to handle the request - edit the mschap module
to call ntlm_auth with your required settings.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help with proxy settings please

2012-01-12 Thread Alan Buxey
hi,

this wasn't proxying an authentication request - it was dealing with it directly
(and failing when doing the auth)

alan


Re: Help with proxy settings please

2012-01-12 Thread Phil Mayers

On 01/12/2012 04:08 PM, lmgo5991 wrote:

> Hi Phil,
>
> Thanks for your quick response.  Just to clarify what we have succeeded in to date:
>
> 1. Install Samba done
> 2. Join Samba to the domain done
> 3. Start winbind done
> 4. Configure FreeRADIUS to use ntlm_auth to check MSCHAP against the AD controllers done
>
> After finding the updated changes for fr v2 we ran the radius -X and are now receiving the following:-
>
> rad_recv: Access-Request packet from host 10.1.5.4 port 32768, id=193, length=256
>  User-Name = "radldapu...@gcu.ac.uk"
>  Calling-Station-Id = "00:24:2c:7a:d8:7d"
>  Called-Station-Id = "00:26:cb:80:33:20:eduroam"
>  NAS-Port = 29
>  Cisco-AVPair = "audit-session-id=0a010504026d4f0f0224"
>  NAS-IP-Address = 10.1.5.4
>  NAS-Identifier = "CLIC_WiSM_A"
>  Airespace-Wlan-Id = 9
>  Service-Type = Framed-User
>  Framed-MTU = 1300
>  NAS-Port-Type = Wireless-802.11
>  Tunnel-Type:0 = VLAN
>  Tunnel-Medium-Type:0 = IEEE-802
>  Tunnel-Private-Group-Id:0 = "914"
>  EAP-Message = 0x0202001a017261646c64617075736572406763752e61632e756b
>  Message-Authenticator = 0x569f3fe4b0f6cc0bacb1451b037bb5e3
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "gcu.ac.uk" for User-Name = "radldapu...@gcu.ac.uk"
> [suffix] Found realm "GCU.AC.UK"
> [suffix] Adding Stripped-User-Name = "radldapuser"
> [suffix] Adding Realm = "GCU.AC.UK"
> [suffix] Proxying request from user radldapuser to realm GCU.AC.UK
> [suffix] Preparing to proxy authentication request to realm "GCU.AC.UK"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm GCU.AC.UK.  Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>    WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 98 to 10.1.1.78 port 1812


This is a completely different config, behaving completely differently 
to your previous post. Now, you are proxying everything to an external 
server.


The proxy destination:

10.1.1.78

...isn't responding, which is why it isn't working.



> We are trying to locate where we would reference our internal AD within either proxy.conf and/or clients.conf. Or should ntlm do this automatically.....


I think you have made a fundamental misunderstanding.

If you are proxying a request, you are sending it to a different radius 
server. You don't "reference your AD servers" or use ntlm.


If you are proxying, the destination radius server does all the work.

What do you want to do here? Proxy, or authenticate? You can't do both.

If you want to authenticate, don't proxy. If you want to proxy, make the 
proxy destination reply.



Re: Help with proxy settings please

2012-01-12 Thread lmgo5991
sage-Authenticator = 0x
Proxy-State = 0x313933
Waking up in 12.0 seconds.
rad_recv: Access-Request packet from host 10.1.5.4 port 32768, id=193, length=256
Sending duplicate proxied request to home server 10.1.1.78 port 1812 - ID: 98
Sending Access-Request of id 98 to 10.1.1.78 port 1812
User-Name = "radldapuser"
Calling-Station-Id = "00:24:2c:7a:d8:7d"
Called-Station-Id = "00:26:cb:80:33:20:eduroam"
NAS-Port = 29
Cisco-AVPair = "audit-session-id=0a010504026d4f0f0224"
NAS-IP-Address = 10.1.5.4
NAS-Identifier = "CLIC_WiSM_A"
Airespace-Wlan-Id = 9
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "914"
EAP-Message = 0x0202001a017261646c64617075736572406763752e61632e756b
Message-Authenticator = 0x
Proxy-State = 0x313933
Waking up in 9.9 seconds.
rad_recv: Access-Request packet from host 10.1.5.4 port 32768, id=193, length=256
Sending duplicate proxied request to home server 10.1.1.78 port 1812 - ID: 98
Sending Access-Request of id 98 to 10.1.1.78 port 1812
User-Name = "radldapuser"
Calling-Station-Id = "00:24:2c:7a:d8:7d"
Called-Station-Id = "00:26:cb:80:33:20:eduroam"
NAS-Port = 29
Cisco-AVPair = "audit-session-id=0a010504026d4f0f0224"
NAS-IP-Address = 10.1.5.4
NAS-Identifier = "CLIC_WiSM_A"
Airespace-Wlan-Id = 9
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "914"
EAP-Message = 0x0202001a017261646c64617075736572406763752e61632e756b
Message-Authenticator = 0x
Proxy-State = 0x313933
Waking up in 7.9 seconds.
rad_recv: Access-Request packet from host 10.1.5.4 port 32768, id=193, length=256
Sending duplicate proxied request to home server 10.1.1.78 port 1812 - ID: 98
Sending Access-Request of id 98 to 10.1.1.78 port 1812
User-Name = "radldapuser"
Calling-Station-Id = "00:24:2c:7a:d8:7d"
Called-Station-Id = "00:26:cb:80:33:20:eduroam"
NAS-Port = 29
Cisco-AVPair = "audit-session-id=0a010504026d4f0f0224"
NAS-IP-Address = 10.1.5.4
NAS-Identifier = "CLIC_WiSM_A"
Airespace-Wlan-Id = 9
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "914"
EAP-Message = 0x0202001a017261646c64617075736572406763752e61632e756b
Message-Authenticator = 0x
Proxy-State = 0x313933
Waking up in 5.9 seconds.
rad_recv: Access-Request packet from host 10.1.5.4 port 32768, id=193, length=256
Sending duplicate proxied request to home server 10.1.1.78 port 1812 - ID: 98
Sending Access-Request of id 98 to 10.1.1.78 port 1812
User-Name = "radldapuser"
Calling-Station-Id = "00:24:2c:7a:d8:7d"
Called-Station-Id = "00:26:cb:80:33:20:eduroam"
NAS-Port = 29
Cisco-AVPair = "audit-session-id=0a010504026d4f0f0224"
NAS-IP-Address = 10.1.5.4
NAS-Identifier = "CLIC_WiSM_A"
Airespace-Wlan-Id = 9
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "914"
EAP-Message = 0x0202001a017261646c64617075736572406763752e61632e756b
Message-Authenticator = 0x0000
Proxy-State = 0x313933
Waking up in 3.9 seconds.
Cleaning up request 0 ID 193 with timestamp +14
Marking home server 10.1.1.78 port 1812 as zombie (it looks like it is dead).
Ready to process requests.

We are trying to locate where we would reference our internal AD within either proxy.conf and/or clients.conf. Or should ntlm do this automatically.....

PS: we are not trying to use LDAP, sorry for the misleading test user id :).

Thanks


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Help-with-proxy-settings-please-tp5139910p5140289.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Help with proxy settings please

2012-01-12 Thread Phil Mayers

On 01/12/2012 01:23 PM, lmgo5991 wrote:

> Hi,
> Could someone please shed some light on where we are going wrong.  We
> have followed the documentation provided however it is unclear where to
> reference our internal AD servers.


Your subject line is a bit confusing. You say "proxy settings" but I see 
no evidence that you are doing any proxying; you appear to just be doing 
normal local authentication.


It seems you are trying to do PEAP/MSCHAP. Validating MSCHAP requires 
either:


 1. The NT hash
 2. The plaintext password, from which the NT hash can be generated
 3. Access to a 3rd party machine that can check the challenge/response for you


See:

http://deployingradius.com/documents/protocols/compatibility.html

If your account details are stored in active directory, you can only use 
option 3. This translates into:


 1. Install Samba
 2. Join Samba to the domain
 3. Start winbind
 4. Configure FreeRADIUS to use ntlm_auth to check MSCHAP against the AD controllers


See:

http://wiki.freeradius.org/FreeRADIUS%20Active%20Directory%20Integration%20HOWTO


> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: radldapu...@gcu.ac.uk
> [mschap] Told to do MS-CHAPv2 for radldapu...@gcu.ac.uk with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect


As you can see, FreeRADIUS can't check your password because it doesn't 
know it.


Note: you CANNOT USE LDAP to solve this problem. Active Directory does 
not expose the required data over LDAP. You MUST use Samba & ntlm_auth.


Hope this helps.

Cheers,
Phil
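As an added example (written for this page, not taken from the thread or from the FreeRADIUS project's shipped raddb files), here are the two configurations Alan and Phil contrast, in FreeRADIUS 2.x syntax: either proxy the realm to the NPS host at 10.1.1.78 seen in the debug output, or keep the request local and let the mschap module hand the MS-CHAPv2 challenge/response to Samba's ntlm_auth. The shared secret, the --domain value and the home_server/pool names are placeholders, and the ntlm_auth path assumes Samba installed under /usr/bin.

```conf
# ---------- Option A: proxy (proxy.conf) ----------
# FreeRADIUS does no MSCHAP work itself; the home server must answer, or the
# request is retransmitted and the host is marked "zombie", as in the log above.
home_server nps_dc1 {                    # placeholder name
        type            = auth
        ipaddr          = 10.1.1.78      # NPS address from the thread's debug output
        port            = 1812
        secret          = CHANGE-ME      # placeholder; must match the NPS client entry
        response_window = 20
        zombie_period   = 40
        status_check    = status-server  # detect a dead home server early
}

home_server_pool nps_pool {              # placeholder name
        type        = fail-over
        home_server = nps_dc1
}

realm gcu.ac.uk {
        auth_pool = nps_pool
        nostrip                          # forward the full user@realm name
}

# ---------- Option B: authenticate locally ----------
# A realm with no pool is handled on this server, so nothing about AD goes
# into proxy.conf or clients.conf.  The AD check happens through Samba
# (joined to the domain, winbind running) via ntlm_auth in the mschap module.
realm gcu.ac.uk {
        # no auth_pool / acct_pool: handled locally
}

# modules/mschap
mschap {
        use_mppe           = yes
        require_encryption = yes
        require_strong     = yes
        with_ntdomain_hack = yes
        # Only the NT hash (or a host that has it) can verify the response;
        # winbind talks to the DC so FreeRADIUS never needs the hash itself.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOM --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Only one of the two realm gcu.ac.uk blocks may exist at a time. Because this is PEAP, sites-enabled/inner-tunnel also runs the suffix module, so with option B the inner identity must not match a realm that has a pool, or the inner request would be proxied as well.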


Help with proxy settings please

2012-01-12 Thread lmgo5991
reject" or "fail".  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
radldapu...@gcu.ac.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 143 to 10.1.5.4 port 32768
EAP-Message = 0x040b0004
Message-Authenticator = 0x
Waking up in 3.8 seconds.
Cleaning up request 0 ID 134 with timestamp +16
Cleaning up request 1 ID 135 with timestamp +16
Cleaning up request 2 ID 136 with timestamp +16
Cleaning up request 3 ID 137 with timestamp +16
Cleaning up request 4 ID 138 with timestamp +17
Cleaning up request 5 ID 139 with timestamp +17
Cleaning up request 6 ID 140 with timestamp +17
Cleaning up request 7 ID 141 with timestamp +17
Cleaning up request 8 ID 142 with timestamp +17
Waking up in 1.0 seconds.
Cleaning up request 9 ID 143 with timestamp +17
Ready to process requests.


