Re: ttls problem
did you configure SecureW2 to allow new connections?
Yes i tried both combinations, nothing is changed.
In addition to this when I enter correct username but wrong password, I got
similar debug log which i lised below.
I wasn't able to see any problem with ldap configuration because it works
with radtest command. (That is when i entered correct usrname but wrong
password, I got Access-Rejected message. When both of them was true, I got
Access-Accepted)
Is there a problem with my ldap configuration. Is there any weird message in
my debug log?
I am dealing with this thing about 20 days. Could anybody tell me whats
wrong with it?
Thanks in advance:
My full debug log: (username was entered true, password was entered false )
-
ldap:~ # radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = ldap.anadolu.edu.tr
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = ou=people,dc=anadolu,dc=edu,dc=tr
ldap: filter = (uid=%u)
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_1x-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x
rlm_ldap: Over-riding set_auth_type, as we're not listed in the
authenticate section.
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP
Re: ttls problem
tevfik wrote: I wasn't able to see any problem with ldap configuration because it works with radtest command. Which doesn't use EAP. It means that your server configuration is mostly correct, but something else might still go wrong. Is there a problem with my ldap configuration. Is there any weird message in my debug log? The supplicant is starting EAP, doing part of EAP, and then giving up. See the logs on the supplicant for why it's doing this. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ttls problem
Hi, what are the permissions of your certificates? can radiusd (or whatever the ID is of the freeradius process) read them? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ttls problem
tevfik,
Post the question in the SecureW2 forum, www.securew2.com/forum/. I will
get back to you via the forum.
Regards,
Tom
tevfik schreef:
did you configure SecureW2 to allow new connections?
Yes i tried both combinations, nothing is changed.
In addition to this when I enter correct username but wrong password, I got
similar debug log which i lised below.
I wasn't able to see any problem with ldap configuration because it works
with radtest command. (That is when i entered correct usrname but wrong
password, I got Access-Rejected message. When both of them was true, I got
Access-Accepted)
Is there a problem with my ldap configuration. Is there any weird message in
my debug log?
I am dealing with this thing about 20 days. Could anybody tell me whats
wrong with it?
Thanks in advance:
My full debug log: (username was entered true, password was entered false )
-
ldap:~ # radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = ldap.anadolu.edu.tr
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = ou=people,dc=anadolu,dc=edu,dc=tr
ldap: filter = (uid=%u)
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_1x-Ldap-Group
Re: ttls problem
I posted the question to the forum.
Thank you for your help.
SecureW2 (List) wrote:
tevfik,
Post the question in the SecureW2 forum, www.securew2.com/forum/. I will
get back to you via the forum.
Regards,
Tom
tevfik schreef:
did you configure SecureW2 to allow new connections?
Yes i tried both combinations, nothing is changed.
In addition to this when I enter correct username but wrong password, I
got
similar debug log which i lised below.
I wasn't able to see any problem with ldap configuration because it works
with radtest command. (That is when i entered correct usrname but wrong
password, I got Access-Rejected message. When both of them was true, I
got
Access-Accepted)
Is there a problem with my ldap configuration. Is there any weird message
in
my debug log?
I am dealing with this thing about 20 days. Could anybody tell me whats
wrong with it?
Thanks in advance:
My full debug log: (username was entered true, password was entered false
)
-
ldap:~ # radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = ldap.anadolu.edu.tr
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = ou=people,dc=anadolu,dc=edu,dc=tr
ldap: filter = (uid=%u)
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
ldap: set_auth_type = yes
Re: ttls problem
Can i post my radiusd.conf and eap.conf here. Would it be helpfull? A.L.M.Buxey wrote: Hi, what are the permissions of your certificates? can radiusd (or whatever the ID is of the freeradius process) read them? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10410941 Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ttls problem
My certificates have read write and execute permissions A.L.M.Buxey wrote: Hi, what are the permissions of your certificates? can radiusd (or whatever the ID is of the freeradius process) read them? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10411507 Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ttls problem
Hi again. I reconfigured securew2 but at this time i get received invalid server certificate error. Which part of my server certificate or root ca certificate could be missed. Could it be related with xpextensions. My radiusd for new configuration is listed below: -- Ready to process requests. rad_recv: Access-Request packet from host 10.10.7.203:1645, id=93, length=139 User-Name = tkiziloren Framed-MTU = 1400 Called-Station-Id = 0017.0e85.f190 Calling-Station-Id = 0011.2fb9.d08b Service-Type = Login-User Message-Authenticator = 0x347739ec23b1b972260f284960b9fa26 EAP-Message = 0x0202000f01746b697a696c6f72656e NAS-Port-Type = Wireless-802.11 NAS-Port = 499 NAS-IP-Address = 10.10.7.203 NAS-Identifier = testbaum Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '@' in User-Name = tkiziloren, skipping NULL due to config. modcall[authorize]: module suffix returns noop for request 0 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 0 users: Matched entry DEFAULT at line 29 modcall[authorize]: module files returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0 rlm_ldap: bind as / to ldap.anadolu.edu.tr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap_1x returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module eap returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 93 to 10.10.7.203 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x State = 0x9ae25e553dacaa7dd5a8f8c3b05a1636 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=94, length=202 User-Name = tkiziloren Framed-MTU = 1400 Called-Station-Id = 0017.0e85.f190 Calling-Station-Id = 0011.2fb9.d08b Service-Type = Login-User Message-Authenticator = 0xee6738dc415fc0906c869a55334f7f48 EAP-Message = 0x0203003c15800032160301002d0129030151574cfbb06da8313b8d207a29398758f18d010fd687534a1739da58174089f202000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 499 State = 0x9ae25e553dacaa7dd5a8f8c3b05a1636 NAS-IP-Address = 10.10.7.203 NAS-Identifier = testbaum Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module preprocess returns ok for request 1 modcall[authorize]: module chap returns noop for request 1 modcall[authorize]: module mschap returns noop for request 1 rlm_realm: No '@' in User-Name = tkiziloren, skipping NULL due to config. modcall[authorize]: module suffix returns noop for request 1 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 1 users: Matched entry DEFAULT at line 29 modcall[authorize]: module files returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in
Re: ttls problem
Hi, However when i try to perform same task by using securew2 on XP client, it always shows attempting to authenticate, did you configure SecureW2 to allow new connections? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
