Re: eapol_test giving up and win-like error?
Il 20/01/2012 11:55, Phil Mayers ha scritto: If that's really all you've changed, there must be something wrong with Samba; it's getting the final crypto blob wrong, and the client is dropping the packets. You'll need to investigate and fix this. Just tested with radtest (have had to use single quotes and FOUR backslashes! -- my password is obviously in $P): # radtest -t mschap 'PERSONALEdiego.zuccato' $P localhost 0 testing123 Sending Access-Request of id 123 to 127.0.0.1 port 1812 User-Name = PERSONALE\\diego.zuccato NAS-IP-Address = 127.0.1.1 NAS-Port = 0 MS-CHAP-Challenge = 0x7f218889d9de0c84 MS-CHAP-Response = 0x000115ea491108aa02bb34b5fe79918a67cd8a7b069240091194 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=123, length=84 MS-CHAP-MPPE-Keys = 0x3b1acd0b65d7af221df50f6ca50447cf MS-MPPE-Encryption-Policy = 0x0001 MS-MPPE-Encryption-Types = 0x0006 And the Access-Accept is quite fast. When using eapol_test, I get the timeout. The difference is that radtest seems to use mschapv1 while eapol_test uses mschapv2. What could be so wrong that v1 works and v2 doesn't? IIUC v2 includes username and client nonce in the authenticator, while v1 doesn't. BYtE, Diego. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
Phil Mayers p.may...@imperial.ac.uk wrote: Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos. See also: https://bugzilla.samba.org/show_bug.cgi?id=6563 ...which I think is the problem you are seeing. Comment 18 gives a way to test this. See also the final comment about invalid nt key until I restarted winbind which might be the issue. -- Sent from my phone. Please excuse brevity and typos. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: eapol_test giving up and win-like error?
I mentioned exactly that last week but he disregarded it! Subject: Re: eapol_test giving up and win-like error? From: p.may...@imperial.ac.uk Date: Mon, 23 Jan 2012 10:12:08 + To: freeradius-users@lists.freeradius.org Phil Mayers p.may...@imperial.ac.uk wrote: Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos. See also: https://bugzilla.samba.org/show_bug.cgi?id=6563 ...which I think is the problem you are seeing. Comment 18 gives a way to test this. See also the final comment about invalid nt key until I restarted winbind which might be the issue. -- Sent from my phone. Please excuse brevity and typos. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
Il 23/01/2012 11:02, Phil Mayers ha scritto: Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. So radtest isn't actually equivalent to eapol_test. It's just another step for testing. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. What do you mean by local user? One added in users file? I know it works (tested while following the guide), but it's not using mschapv2, IIUC... From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that script only generates NTLMv1 responses... And it references a quite old Samba version. I'm using 3.5.10. From comment 46: Yes, 3.5.6 has all necessary fixes for this issue. Unless the sernet packages do contain other changes, it should just work with those packages. I retested, adding winbind:forcesamlogon = True and eapol_test is now successful. Might be useful to add to the guide. Seems, after all, it's needed for recent SAMBA releases, too. Just for completeness my (now working) smb.conf is: [global] workgroup = PERSONALE realm = PERSONALE.DIR.UNIBO.IT server string = %v security = ADS restrict anonymous = 2 log level = 3 log file = /var/log/samba/log.%m max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 local master = No dns proxy = No idmap uid = 10-1 idmap gid = 10-1 template shell = /bin/bash winbind use default domain = Yes winbind refresh tickets = Yes winbind offline logon = Yes winbind normalize names = Yes idmap config STUDENTI:range = 5000 - idmap config STUDENTI:base_rid = 500 idmap config STUDENTI:backend = rid idmap config PERSONALE:range = 10 - 4999 idmap config PERSONALE:base_rid = 500 idmap config PERSONALE:backend = rid idmap config STUDENTI:default = yes idmap config PERSONALE:default = no winbind:forcesamlogon = True [maybe the whole idmap could be removed, but better not to touch it once it's working...] No need to edit /etc/krb5.conf (interfacing to a native AD domain, so DNS records are OK for auto-discovery of Kerberos servers. Now it's Zeroshell's turn... Tks for the patience. BYtE, Diego. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
Il 19/01/2012 13:01, Phil Mayers ha scritto: I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere. But then it should fail immediately, not after a timeout! And an immediate failure is the result when I *disable* 'with_ntdomain_hack=yes' line in mschap. No changes even enabling ntdomain lines in 'default' and 'inner-tunnel' sites (IIUC those should only detect the domain, regardless of it being prefix or suffix). Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now. You can't alter usernames in EAP. They are usually mixed into the challenge/response data, and altering them in-flight means the challenge/response will fail. Ok. I'm not going to change 'em. To be honest, there's too much going on in your setup; my advice would be to create a new server (running 2.1.12) and use the default setup. Test your EAP with eapol_test. Make small changes, storing the config into version control at each step. Identify exactly which point the failures start happening at. That's exactly what I've done till now. The failures start when I enable the auth I need. The problem w/ CP is just an issue scheduled for later examination -- nothing configured yet to fix it. That's my 'hg diff' output (w/o the certs part) from the base config (from the tutorial): diff -r 434b2b3ededc clients.conf --- a/clients.conf Mon Jan 16 15:17:07 2012 +0100 +++ b/clients.conf Fri Jan 20 11:22:45 2012 +0100 @@ -232,3 +232,10 @@ # secret = testing123 #} #} + +client 137.204.65.161 { + secret = testing123qaz +} +client 137.204.65.96 { + secret = testing123qaz +} diff -r 434b2b3ededc modules/mschap --- a/modules/mschapMon Jan 16 15:17:07 2012 +0100 +++ b/modules/mschapFri Jan 20 11:22:45 2012 +0100 @@ -34,6 +34,7 @@ # corrects for that incorrect behavior. # #with_ntdomain_hack = no + #with_ntdomain_hack = yes # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration @@ -63,4 +64,7 @@ # the best user name for the request. # #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} + ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} +# ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}} --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} +# ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} } diff -r 434b2b3ededc modules/ntlm_auth --- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100 +++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100 @@ -8,5 +8,6 @@ # exec ntlm_auth { wait = yes - program = /path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password} +# program = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-PERSONALE} --username=%{mschap:User-Name} --password=%{User-Password} + program = /usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} } diff -r 434b2b3ededc sites-available/default --- a/sites-available/default Mon Jan 16 15:17:07 2012 +0100 +++ b/sites-available/default Fri Jan 20 11:22:45 2012 +0100 @@ -116,7 +116,7 @@ # the other styles won't be checked. # suffix -# ntdomain + ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP @@ -306,6 +306,8 @@ # handled # override the updated code from attr_filter # } # } + +# ntlm_auth } @@ -347,7 +349,7 @@ # home server as authentication requests. # IPASS suffix -# ntdomain + ntdomain # # Read the 'acct_users' file diff -r 434b2b3ededc sites-available/inner-tunnel --- a/sites-available/inner-tunnel
Re: eapol_test giving up and win-like error?
On 01/20/2012 10:30 AM, NdK wrote: Il 19/01/2012 13:01, Phil Mayers ha scritto: I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere. But then it should fail immediately, not after a timeout! Not so. And an immediate failure is the result when I *disable* 'with_ntdomain_hack=yes' line in mschap. That's a different failure mode. EAP/MS-CHAP works as follows: server: send random challenge bytes to client client: send response=crypto(password,challenge) to server server: send crypto(response,password) to client If validation of the 2nd item fails, you'll see an immediate failure at the FreeRADIUS end, because FreeRADIUS is doing the validation. If validation of the 3rd item fails, the client just stops - it gives up, and sends no further packets, because it thinks the server is fake / impersonating. That's why there's a timeout at the FreeRADIUS end. That's exactly what I've done till now. The failures start when I enable the auth I need. The problem w/ CP is just an issue scheduled for later examination -- nothing configured yet to fix it. That's my 'hg diff' output (w/o the certs part) from the base config (from the tutorial): If that's really all you've changed, there must be something wrong with Samba; it's getting the final crypto blob wrong, and the client is dropping the packets. You'll need to investigate and fix this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE Hmm. I see from your original email that Samba ntlm_auth are succeeding. There are a couple of buggy version of Samba out there that return invalid response values, and generate these symptoms. Which version of Samba are you running, and on what OS? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
Il 19/01/2012 10:03, Phil Mayers ha scritto: EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE These (plus the timeout one) are the lines printed after FR have already cloded session. Hmm. I see from your original email that Samba ntlm_auth are succeeding. Yup. I'm quite used to joining machines to AD... Already have about 100 clients and 5 servers, and this one is the one giving me troubles :( There are a couple of buggy version of Samba out there that return invalid response values, and generate these symptoms. Which version of Samba are you running, and on what OS? Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working, I'll have to move the config to a ZeroShell box with Samba 3.5.10. Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now. Tks, Diego. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
On 19/01/12 11:07, NdK wrote: Il 19/01/2012 10:03, Phil Mayers ha scritto: EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE These (plus the timeout one) are the lines printed after FR have already cloded session. Yes. Hmm. I see from your original email that Samba ntlm_auth are succeeding. Yup. I'm quite used to joining machines to AD... Already have about 100 clients and 5 servers, and this one is the one giving me troubles :( There are a couple of buggy version of Samba out there that return invalid response values, and generate these symptoms. Which version of Samba are you running, and on what OS? Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working, I'll have to move the config to a ZeroShell box with Samba 3.5.10. That version should be ok; we're on 3.5.4 I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere. Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now. You can't alter usernames in EAP. They are usually mixed into the challenge/response data, and altering them in-flight means the challenge/response will fail. To be honest, there's too much going on in your setup; my advice would be to create a new server (running 2.1.12) and use the default setup. Test your EAP with eapol_test. Make small changes, storing the config into version control at each step. Identify exactly which point the failures start happening at. Most people don't see this problem, so it's something specific to your setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
NdK wrote: I think I'm near to correctly configure my server... but I incur in a situation that IIUC should be related to win clients only: I get ... message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds. Then read the error messages from eapol_test. Why does it stop? It should say. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eapol_test giving up and win-like error?
Il 18/01/2012 15:25, Alan DeKok ha scritto: NdK wrote: I think I'm near to correctly configure my server... but I incur in a situation that IIUC should be related to win clients only: I get ... message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds. Then read the error messages from eapol_test. Why does it stop? It should say. That's eapol_test output. I changed my AD pass to 'testing123' just for the time needed to test, so the values are the real ones. I can't see any error, just a timeout... There's a short delay before EAPOL: startWhen -- 0 and a long one just after. If needed, I logged output of freeradius -X for this run, too (not posted to avoid spamming the list too much -- nothing changed in its config). # eapol_test -c /home/ndk/Scaricati/peap-mschapv2.conf -s testing123qaz -a 137.204.65.163 Reading configuration file '/home/ndk/Scaricati/peap-mschapv2.conf' Line: 4 - start of a new network block key_mgmt: 0xd proto: 0x3 group: 0x18 scan_ssid=1 (0x1) mode=0 (0x0) ssid - hexdump_ascii(len=8): 41 4c 4d 41 57 49 46 49 ALMAWIFI pairwise: 0x18 eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 password - hexdump_ascii(len=10): 74 65 73 74 69 6e 67 31 32 33 testing123 identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 7a 75 63 63 61 74 6f zuccato phase2 - hexdump_ascii(len=15): 70 68 61 73 65 32 3d 4d 53 43 48 41 50 56 32 phase2=MSCHAPV2 ca_cert - hexdump_ascii(len=61): 2f 68 6f 6d 65 2f 6e 64 6b 2f 44 6f 63 75 6d 65 /home/ndk/Docume 6e 74 69 2f 55 66 66 69 63 69 6f 2f 43 41 2f 63 nti/Ufficio/CA/c 65 72 74 73 2f 41 73 74 72 6f 6e 6f 6d 69 61 20 erts/Astronomia 2d 20 52 6f 6f 74 20 43 41 2e 63 72 74- Root CA.crt Priority group 0 id=0 ssid='ALMAWIFI' Authentication server 137.204.65.163:1812 RADIUS local address: 137.204.65.96:45959 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 7a 75 63 63 61 74 6f zuccato EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=28) TX EAP - RADIUS - hexdump(len=28): 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=154 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=30 Value: 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Attribute 80 (Message-Authenticator) length=18 Value: bd 07 f8 80 77 2d 48 51 d9 90 ce fe 5b e2 8f 35 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e 1b 55 Attribute 80 (Message-Authenticator) length=18 Value: 75 9e 8f 62 48 3d 24 33 f9 ba cc ac 8c d3 cc 90 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS