PEAP and MS-CHAPv2
I have written a week ago about the problem that with PEAP and MS-CHAPv2 authentication the authentication is repeated every minute and that Windows XP (with Service Pack 1) never gets the Accept back. I am using the included X Supplicant from Windows XP. When I use the Aegis Client it works. Now I tried the same thing with Radiator and there it works like it should. Does anyone know about this problem, or is there maybe a problem with the PEAP code in freeradius?

Thanks
Berndt

TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316
Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Windows sending Hostname
I use Windows XP with PEAP for authentication. The problem is that the uid at the Radius Server is always the following string:

HOSTNAME\USERNAME

So our LDAP lookup is not working (it requires only the username). Is there a possibility to extract only the username?

Thanks
Berndt
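As an added example (not code from the thread or from FreeRADIUS), the two steps the username has to go through before it is substituted into the rlm_ldap filter (uid=%{Stripped-User-Name:-%{User-Name}}) used later in this thread: dropping the HOSTNAME\ prefix (the idea behind the "NT Domain hack", rlm_preprocess with_ntdomain_hack), then escaping the remainder as an RFC 4515 filter value so that a name containing ( ) * \ cannot change the query. The hostname ITS-TEST1 in the sample is constructed.

```python
"""Added example: NT-domain stripping plus RFC 4515 filter escaping for the
(uid=...) lookup discussed in this thread.  Not FreeRADIUS code; a stand-alone
re-implementation of the idea, kept deliberately small."""

import re

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value; everything else may appear literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def strip_nt_domain(user_name: str) -> str:
    """Return USERNAME from HOSTNAME\\USERNAME (or DOMAIN\\USERNAME).

    Mirrors what the thread calls the NT Domain hack: everything up to and
    including the first backslash is discarded.  Names without a backslash
    are returned unchanged.
    """
    head, sep, tail = user_name.partition("\\")
    return tail if sep else head


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter value (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(user_name: str, attribute: str = "uid") -> str:
    """Build the (uid=...) filter from the raw User-Name.

    Order matters: strip first, then escape.  Escaping first would turn the
    host/user separator into \\5c and the prefix would never be removed.
    """
    stripped = strip_nt_domain(user_name)
    return f"({attribute}={escape_filter_value(stripped)})"


def is_plain_username(value: str) -> bool:
    """Conservative sanity check before a name reaches the directory.

    Accepts the forms seen in the thread (sevcikb, berndt.sevcik) and
    rejects filter metacharacters outright.  Escaping already makes them
    harmless; a hostile-looking name is still worth logging.
    """
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", value) is not None


if __name__ == "__main__":
    # ITS-TEST1 is a constructed hostname for the demonstration.
    for name in ("ITS-TEST1\\sevcikb", "berndt.sevcik", "x)(uid=*"):
        plain = is_plain_username(strip_nt_domain(name))
        print(f"{name!r:24} -> {ldap_filter(name)}  plain={plain}")
```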
Getting no results with LDAP
Thanks for the tip with the NT Domain hack Brian. Another problem is the LDAP query itself. I get no result for my Username. But the User exists and when I use the ldapsearch command with the same filter I also get a result. I use the latest CVS Version of Freeradius and openLDAP Version 2.1.22-1

rlm_ldap: - authorize
rlm_ldap: performing user authorization for sevcikb
radius_xlat:  '(uid=sevcikb)'
radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0

Here's my config:

ldap {
        server = localhost
        identity = cn=admin,dc=tgm,dc=ac,dc=at
        password = xxx
        basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        # base_filter = (objectclass=radiusprofile)

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no
        # tls_cacertfile= /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = demand

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        # access_attr = dialupAccess

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = {clear}
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with 0x, such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading 0x, NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = ntPassword
        # groupname_attribute = cn
        # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}

Thanks for help
Berndt
Re: Getting no results with LDAP
The problem is solved! Sorry for the posting.

Thanks
Berndt

On Tue, 2003-12-16 at 15:09, Sevcik Berndt wrote:
Another problem is the LDAP query itself. I get no result for my Username. But the User exists and when I use the ldapsearch command with the same filter I also get a result.

This message was created with the kind support of a free-range penguin from species-appropriate open-air husbandry. It is guaranteed free of Microsoft viruses.
Repeating authentication all the time
The authentication now works and I see an Access Accept Packet at the end. But the interesting thing is that a few seconds later the authentication starts again and the same process is repeated. The Windows XP PC never gets really authenticated. The Access Point shows that the authentication was successful (RoamAbout R2). Does anyone have the same experience?

Thanks
Berndt

Initializing the thread pool...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=136, length=116
        Message-Authenticator = 0x649854dbce2d7bf0fcee43598bb647e6
        User-Name = berndt.sevcik
        NAS-IP-Address = 10.3.4.2
Sending Access-Challenge of id 145 to 10.3.4.2:1043
        EAP-Message = 0x01cc004a1900170301003ffbb7b7b2a9fc6b9e6cba07729cdb312818ca43307b7ec2a2ab3669b1d5b66f3a3df95d0b0adc9ef933a6b97961eb47099d149ffcc38d3f4ca2b16510ad77be
        Message-Authenticator = 0x
        State = 0x4cb24f3bbf150ffaf70f1305ee419e12
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=146, length=145
        Message-Authenticator = 0x2c0ff11621c9b0033f34fb6ea44546e7
        User-Name = berndt.sevcik
        State = 0x4cb24f3bbf150ffaf70f1305ee419e12
        NAS-IP-Address = 10.3.4.2
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 00-04-23-77-4b-a3
        Framed-MTU = 1000
        EAP-Message = 0x02cc001d1900170301001259680ad935701f4d4333b259e3773f36bf28
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x97BA4F3659E30573DB838CA8692897BC op=21
rlm_ldap: Adding lmPassword as LM-Password, value B1EE20160x1D73468FA91E548719C3AC6E op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
PEAP: Got tunneled EAP-Message
        EAP-Message = 0x02cc00061a03
PEAP: Sending tunneled request
        EAP-Message = 0x02cc00061a03
        Freeradius-Proxied-To = 127.0.0.1
        User-Name = berndt.sevcik
        State = 0x1ea57825164814a89aa097aba563
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x97BA4F3659E30573DB838CA8692897BC op=21
rlm_ldap: Adding lmPassword as LM-Password, value B1EE20160x1D73468FA91E548719C3AC6E op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
PEAP: Got tunneled reply RADIUS code 2
        EAP-Message = 0x03cc0004
        Message-Authenticator = 0x
        User-Name = berndt.sevcik
Sending Access-Accept of id 146 to 10.3.4.2:1043
        MS-MPPE-Recv-Key = 0x82040f0dd02ebaa84b2558e7067ce3f505fee4528a582a61c71762d4493c83e3
        MS-MPPE-Send-Key = 0xaa9976081be52cdc089a854b705837c58c0e218b0f58a52f82585c06711400dd
        EAP-Message = 0x03cc0004
        Message-Authenticator = 0x
        User-Name = berndt.sevcik
Sending Access-Challenge of id 145 to 10.3.4.2:1043
        EAP-Message = 0x01cc004a1900170301003ffbb7b7b2a9fc6b9e6cba07729cdb312818ca43307b7ec2a2ab3669b1d5b66f3a3df95d0b0adc9ef933a6b97961eb47099d149ffcc38d3f4ca2b16510ad77be
        Message-Authenticator = 0x
        State = 0x4cb24f3bbf150ffaf70f1305ee419e12
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=146, length=145
        Message-Authenticator = 0x2c0ff11621c9b0033f34fb6ea44546e7
        User-Name = berndt.sevcik
        State = 0x4cb24f3bbf150ffaf70f1305ee419e12
        NAS-IP-Address = 10.3.4.2
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 00-04-23-77-4b-a3
        Framed-MTU = 1000
        EAP-Message = 0x02cc001d1900170301001259680ad935701f4d4333b259e3773f36bf28
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x97BA4F3659E30573DB838CA8692897BC op=21
rlm_ldap: Adding lmPassword as LM-Password, value B1EE20160x1D73468FA91E548719C3AC6E op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
PEAP: Got tunneled EAP-Message
        EAP-Message = 0x02cc00061a03
PEAP: Sending tunneled request
        EAP-Message = 0x02cc00061a03
        Freeradius-Proxied-To = 127.0.0.1
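As an added example (not code from the thread or from FreeRADIUS), a scanner for radiusd -X output that flags the loop this post describes: a supplicant that opens a fresh EAP conversation, recognisable by an Access-Request carrying no State attribute, right after it was sent an Access-Accept. The sample log and every hex value in it are constructed; the key-redaction helper is included because the real output above prints the per-session MS-MPPE key material.

```python
"""Added example: detect re-authentication loops in `radiusd -X` output and
redact session keys before such a log is shared.  Not FreeRADIUS code."""

import re
from collections import defaultdict

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")
KEY_RE = re.compile(r"(MS-MPPE-(?:Recv|Send)-Key = )0x[0-9a-fA-F]+")


def find_reauth_loops(log_text):
    """Return {user: restarts}: how many times each User-Name began a new
    EAP conversation after having already been sent an Access-Accept.

    The first packet of an EAP exchange has no State attribute; every later
    one echoes the State from the previous Access-Challenge.  So a State-less
    request from a user who already holds an Accept means the supplicant
    threw the session away and started over."""
    pending = {}                 # (nas, id) -> attributes of the open request
    accepted = set()             # users that have received an Access-Accept
    restarts = defaultdict(int)
    current = None               # attribute dict being filled, if any

    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            kind, nas, rid = m.groups()
            current = {}
            if kind == "Access-Request":
                pending[(nas, rid)] = current
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        m = SEND_RE.match(line)
        if m:
            code, rid, nas = m.groups()
            current = None       # reply attributes are not needed here
            req = pending.pop((nas, rid), None)
            if req is None:
                continue
            user = req.get("User-Name", "<no User-Name>")
            if "State" not in req and user in accepted:
                restarts[user] += 1
            if code == "Access-Accept":
                accepted.add(user)
    return dict(restarts)


def redact_session_keys(log_text):
    """Blank MS-MPPE-Recv-Key / MS-MPPE-Send-Key values: they are the
    per-session key material handed to the access point."""
    return KEY_RE.sub(r"\1<redacted>", log_text)


# Constructed sample: two PEAP rounds for berndt.sevcik (the second starts
# without State right after an Accept) and one clean round for another user.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=136, length=116
        User-Name = berndt.sevcik
        NAS-IP-Address = 10.3.4.2
Sending Access-Challenge of id 136 to 10.3.4.2:1043
        EAP-Message = 0x010100060d20
        State = 0x4cb24f3bbf150ffaf70f1305ee419e12
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=146, length=145
        User-Name = berndt.sevcik
        State = 0x4cb24f3bbf150ffaf70f1305ee419e12
        Calling-Station-Id = 00-04-23-77-4b-a3
Sending Access-Accept of id 146 to 10.3.4.2:1043
        MS-MPPE-Recv-Key = 0x00112233445566778899aabbccddeeff
        MS-MPPE-Send-Key = 0xffeeddccbbaa99887766554433221100
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=147, length=116
        User-Name = berndt.sevcik
        NAS-IP-Address = 10.3.4.2
Sending Access-Challenge of id 147 to 10.3.4.2:1043
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=148, length=145
        User-Name = berndt.sevcik
        State = 0x11111111111111111111111111111111
Sending Access-Accept of id 148 to 10.3.4.2:1043
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=149, length=116
        User-Name = second.user
Sending Access-Challenge of id 149 to 10.3.4.2:1043
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=150, length=145
        User-Name = second.user
        State = 0x22222222222222222222222222222222
Sending Access-Accept of id 150 to 10.3.4.2:1043
"""

if __name__ == "__main__":
    print(find_reauth_loops(SAMPLE_LOG))      # {'berndt.sevcik': 1}
    print(redact_session_keys(SAMPLE_LOG))
```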
Re: Getting no results with LDAP
The problem was the following line

password = xxx

The correct syntax is:

password = xxx

I copied this line from an earlier version of freeradius (about 0.9) and I think there it worked. But I also updated the openldap server, so it is hard to say which part changed.

Berndt

On Tue, 2003-12-16 at 16:23, Kostas Kalevras wrote:
On Tue, 16 Dec 2003, Sevcik Berndt wrote:
I get no result for my Username. But the User exists and when I use the ldapsearch command with the same filter I also get a result.
rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed

Check your ldap server ACIs
Check your ldap server logs
freeradius normally just uses the openldap libs (which are used by ldapsearch) so there should be some kind of difference between the queries run by each one.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Repeating authentication all the time
They are connected via the same network (also the same switch). The funny thing is that the Access Point says that the Client is authenticated.

Berndt

On Tue, 2003-12-16 at 17:34, Guy Fraser wrote:
Just a guess: Is there any firewall software/hardware that may not be allowing the acknowledgement to be returned to the NAS?

Sevcik Berndt wrote:
The authentication now works and I see an Access Accept Packet at the end. But the interesting thing is that a few seconds later the authentication starts again and the same process is repeated. The Windows XP PC never gets really authenticated. The Access Point shows that the authentication was successful (RoamAbout R2).
Microsoft PEAP
I have already tested freeRADIUS with EAP-TLS and it worked fine. Now I also want to offer PEAP authentication. How far is it implemented in freeradius now? Is it possible to use it with about 200 clients or should I wait till the code is more stable?

Thanks
Berndt
VSA with other manufacturers than Cisco
On this mailing list there is a lot of discussion about VSA and Cisco devices. If I have understood everything right, Cisco uses a VSA called cisco-avpair to transmit special information to clients. The problem is we are not using Cisco (we are using Enterasys RoamAbout R2). Is there a way to find out which attributes they use, or has someone experience with it? The homepage of Enterasys and also the search engines were not able to find anything.

Thanks
Berndt
VLANs + other
Radius is now running with EAP/TLS (thanks for the great help with it). But now a few last questions.

We are using Enterasys Access Points and they also offer the possibility to assign clients to VLANs dynamically. I have searched a lot but found no information about it (for example which attribute to use). Has someone experience with this kind of problem?

Is it possible to disengage a certificate from users so that the radius server will not accept it any more? One possible solution for disabling an account is to set Auth-Type to Reject, but another user can still use the certificate, so I don't really like it.

Our Access Point also supports EAP-TTLS. Will freeradius support this in future?

And a last question! We are a school with about 2000 pupils. Has someone experience with the distribution of certificates and what you should take care of? The problem is we are using openssl to build our certificates. So we have to program something to make it easy for our students to request a certificate. Are there any existing products?

Thanks.
Berndt
Digital Certificates + LDAP
I implemented 802.1x authentication with the following HOWTO: www.impossiblereflex.xom/8021x/eap-tls-HOWTO.htm (EAP/TLS certificates and OpenSSL). We also have a running OpenLDAP server which has entries for all of our users. Is it possible to move all TLS certificates to LDAP and then let Freeradius look for them there? Which certificate file must be copied to LDAP (.der, .p12, .pem, ...)? Is there somewhere a Howto to do it?

Thanks in advance for help.
Berndt
Debian SSL_set_msg_callback
I am using a Debian (testing) System and just installed freeradius (Version:)

When I start freeradius with the following command

ITS-Test1:/usr/lib/freeradius# /usr/sbin/freeradius -X -A

I get an error message like

modcall: entering group authenticate
rlm_eap: EAP packet type notification id 2 length 18
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
/usr/sbin/freeradius: relocation error: /usr/lib/freeradius/rlm_eap_tls-0.9-pre.so: undefined symbol: SSL_set_msg_callback

When I check this with ldd it seems that everything is okay.

ITS-Test1:/usr/lib/freeradius# ldd /usr/lib/freeradius/rlm_eap_tls-0.9-pre.so
        libcrypto.so.0.9.6 => /usr/lib/i586/libcrypto.so.0.9.6 (0x4000c000)
        libssl.so.0.9.6 => /usr/lib/i586/libssl.so.0.9.6 (0x400c4000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x400f1000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40104000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x40114000)
        libc.so.6 => /lib/libc.so.6 (0x40163000)
        libdl.so.2 => /lib/libdl.so.2 (0x40273000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

I am using the following versions:
OpenSSL 0.9.7b-2
Freeradius 0.8.1+0.9pre20030617-1

Does someone know this problem or know a solution?

Regards
Berndt
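As an added example (not from the list post), a check that closes the gap ldd leaves: ldd shows which shared objects a module will be bound to, not whether they export the symbols the module was compiled against. SSL_set_msg_callback first appeared in OpenSSL 0.9.7, while the ldd output above shows the module resolving libssl.so.0.9.6, which is exactly the kind of mismatch this catches by asking the dynamic loader itself through ctypes (dlopen/dlsym); the soname list in the main block is taken from the ldd output and the self-test below uses the C library only.

```python
"""Added example: ask the dynamic loader whether a shared object exports
the symbols a module needs.  Not part of FreeRADIUS or the Debian package."""

import ctypes


def resolve_symbols(library, symbols):
    """Map each symbol name to True/False for the given library.

    `library` is a path or soname handed to dlopen(); None means the running
    process plus everything already loaded into it (on Linux that includes
    the C library, which the self-test relies on).  Returns None when the
    library itself cannot be loaded, so a missing library is not confused
    with a missing symbol.
    """
    try:
        lib = ctypes.CDLL(library)
    except OSError:
        return None
    # ctypes resolves attribute access with dlsym(); an unknown name raises
    # AttributeError, which hasattr() turns into False.
    return {name: hasattr(lib, name) for name in symbols}


def missing_symbols(library, symbols):
    """Names from `symbols` that do not resolve in `library`, or None when
    the library could not be opened at all."""
    found = resolve_symbols(library, symbols)
    if found is None:
        return None
    return [name for name, ok in found.items() if not ok]


if __name__ == "__main__":
    # The question behind the relocation error: does the libssl the loader
    # picks for rlm_eap_tls export the callback the module was built against?
    needed = ["SSL_set_msg_callback"]
    for soname in ("libssl.so.0.9.6", "libssl.so.0.9.7"):
        result = missing_symbols(soname, needed)
        state = "not installed" if result is None else (result or "all present")
        print(f"{soname}: {state}")
```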
FW: Binding error RADIUS / LDAP
Try to switch LDAP logging on to see what's going wrong. For example for OpenLDAP: add a loglevel line to your slapd.conf (see the different log levels in man slapd.conf).

-----Original Message-----
From: Octavio Ramirez Rojas [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Binding error RADIUS / LDAP
Date: 12 Aug 2003 14:50:51 +0200

Hi,

I am running radius in debug mode (radiusd -X -A)
I have one LDAP database (*.dbm), that contains:

dn: cn=octavio,ou=MemberGroupA,dc=prism,dc=fr
cn: octavio
sn: Ramirez
ou: MemberGroupA
userpassword: octaviosecret

Server LDAP and RADIUS are installed into the same machine.

When I execute radtest:

#radtest -d /usr/local/etc/raddb octavio octaviosecret localhost 1 secret

I have this effect in debug mode:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for octavio
radius_xlat:  '(uid=octavio)'
radius_xlat:  'dc=prism,dc=fr'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=prism,dc=fr/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: cn=Manager,dc=prism,dc=fr bind to localhost:389 failed Protocol error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns fail
modcall: group authorize returns fail
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0

*** How can I bind LDAP server?

Regards
Octavio
Re: Authentication problems with EAP/TLS (and Enterasys)
No, the server just stops here with the message

Finished request 1
Going to the next request
Waking up in 6 seconds...

Then the same process is continued 3 times (configured on AP). There is no accept or reject.

Regards
Berndt

Sevcik Berndt [EMAIL PROTECTED] wrote:
I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access Point with freeradius. But the client never gets authenticated.

Does the server send a reject?

Output from radius.log:
Fri Aug 8 10:52:28 2003 : Info: rlm_eap_tls: Length Included
Fri Aug 8 10:52:28 2003 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Aug 8 10:52:28 2003 : Info: rlm_eap_tls: SSL_read Error
Fri Aug 8 10:52:28 2003 : Error: Error code is . 2
Fri Aug 8 10:52:28 2003 : Error: SSL Error . 2

Those are recoverable errors. The server continues sending EAP packets, so they're not a problem.

Alan DeKok.
Re: Debian compilation problems
Thanks for the help, it works now. But you have to change the lines in src/modules/rlm_dbm/configure (line 1445 and 1566). Changing it in configure.in and then running autoconf has not worked. No idea why.

Regards
Berndt

On Fri, 2003-08-08 at 10:00, Nicolas Baradakis wrote:
Paul Hampson wrote:
Jan Berkel wrote:
try changing line 70 in src/modules/rlm_dbm/configure.in:
- if test x$ac_cv_lib_gdbm_dbm_open != xyes; then
+ if test x$ac_cv_lib_gdbm_compat_dbm_open != xyes; then
... and after that run autoconf to generate a correct configure script.

From the description above, wouldn't this fix break attempts to build with libgdbm2? Or was it just a typo the first time?

I never tried it with libgdbm2 which is now neither in woody nor in sarge but it seems clearly it's a typo when you read the lines above and below the test.

AC_SMART_CHECK_LIB(gdbm_compat, dbm_open)
- if test x$ac_cv_lib_gdbm_dbm_open != xyes; then
+ if test x$ac_cv_lib_gdbm_compat_dbm_open != xyes; then
fail=$fail (libndbm or libgdm)
fi

Indeed the macro AC_SMART_CHECK_LIB() sets the variable ac_cv_lib_${sm_lib_safe}_${sm_func_safe} when the library is found. So you're supposed to test ac_cv_lib_gdbm_compat_dbm_open and not ac_cv_lib_gdbm_dbm_open.
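Review bot: the renamed variable in the quoted hunk is the right one, since the macro call just above it, AC_SMART_CHECK_LIB(gdbm_compat, dbm_open), sets ac_cv_lib_gdbm_compat_dbm_open and nothing ever sets ac_cv_lib_gdbm_dbm_open, so with the old name the test always failed; the fix should still be committed in configure.in and the script regenerated rather than hand-edited in the generated configure, because the same test appears there at two places (the reply cites lines 1445 and 1566) and any hand edit is lost the next time autoconf runs. The reply also quotes the failure message as "fail=$fail (libndbm or libgdm)", which looks like a typo for libgdbm worth fixing in the same change.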
Why is the request not rejected?
I am using EAP/TLS authentication. I have created an empty users file. The comments in the users file say that when there is no match the request will be rejected. Why am I getting an Access-Accept?

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/1x/ITSTest1.pem
 tls: certificate_file = /etc/1x/ITSTest1.pem
 tls: CA_file = /etc/1x/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/1x/DH
 tls: random_file = /etc/1x/random
 tls: fragment_size = 1000
 tls: include_length = yes
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/freeradius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.4.14:1289, id=40, length=116
        Message-Authenticator = 0x137825d712d20c60a3f285408e8e3798
        User-Name = Sevcik Berndt
        NAS-IP-Address = 10.0.4.14
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 00-01-f4-ec-3d-7c
        EAP-Message = 0x020100120153657663696b204265726e6474
        Framed-MTU = 1000
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  rlm_eap: EAP packet type response id 1 length 18
Re: Authentication problems with EAP/TLS (and Enterasys)
nastype = other has not worked. The situation is the same as before. I also do not have the possibility to use another AP.

Berndt

On Fri, 2003-08-08 at 13:33, diomedes wrote:

Hi,

Try to put in clients.conf, in the lines of the NAS, the following attribute:

nastype = other

I had a similar problem and with that line all goes perfectly (or nearly). Good luck.

Another possibility is to try to authenticate with the same configuration but with another AP, if it's possible.

Regards.
Omar

Sevcik Berndt wrote:

I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access Point with freeradius. But the client never gets authenticated. My problem is that I have no idea where I should search for the error. I used the www.impossiblereflex.xom/8021x/eap-tls-HOWTO.htm Howto for setup.

Output from freeradius -X -A:

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=253, length=116
	Message-Authenticator = 0x78a9e48d042ad1f7109083edf2b3146d
	User-Name = Sevcik Berndt
	NAS-IP-Address = 10.0.4.14
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = 00-01-f4-ec-3d-7c
	EAP-Message = 0x024400120153657663696b204265726e6474
	Framed-MTU = 1000
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_eap: EAP packet type response id 68 length 18
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = Sevcik Berndt, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
users: Matched Sevcik Berndt at 216
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled
modcall: group authenticate returns handled
Sending Access-Challenge of id 253 to 10.0.4.14:1205
	EAP-Message = 0x014500060d20
	Message-Authenticator = 0x
	State = 0x1c0ccba6d22ad97dab13096d340f0290
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=254, length=196
	Message-Authenticator = 0x31199cd93954566ea164f46ce86d6b59
	User-Name = Sevcik Berndt
	State = 0x1c0ccba6d22ad97dab13096d340f0290
	NAS-IP-Address = 10.0.4.14
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = 00-01-f4-ec-3d-7c
	Framed-MTU = 1000
	EAP-Message = 0x024500500d8000461603010041013d03013f3371da3a9bab75032c2c86afd3288de5d42d63265b6afe930d235a87d1df9a1600040005000a000900640062000300060013001200630100
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_eap: EAP packet type response id 69 length 80
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = Sevcik Berndt, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
users: Matched Sevcik Berndt at 216
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
undefined: before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: TLS 1.0 Handshake [length 063c], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: TLS 1.0 Handshake [length 00a0], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is . 2
SSL Error . 2
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module eap returns handled
modcall: group authenticate returns handled
Sending Access-Challenge of id 254 to 10.0.4.14:1205
	EAP-Message
AW: AW: Authentication problems with EAP/TLS (and Enterasys)
I found the problem. In radiusd.conf fragment_size was set to 1024. I tried different values and then it worked with 500. But I do not really have an idea what I have done with this line. Does someone know more about it?

Thanks.
Berndt

No, the server just stops here with the message

Finished request 1
Going to the next request
Waking up in 6 seconds...

Then the same process is continued 3 times (configured on AP). There is no accept or reject.

So the AP doesn't like the reply from the server. Find out why.

Alan DeKok.
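What fragment_size actually changes is how the EAP server cuts a TLS handshake flight into EAP-TLS packets (RFC 5216: the L flag carries the total length on the first fragment, the M flag marks every fragment but the last), and each of those packets is what the NAS must forward inside one EAP-over-LAN frame. The access point in the log above announces Framed-MTU = 1000, and the Certificate message the server sends is 0x063c = 1596 bytes, so it has to be fragmented either way. The example below is added here and is not code from the thread or from FreeRADIUS. It parses the two intact EAP-Message values quoted in the log (the Identity Response and the EAP-TLS Start Request), shows that the third one as it survives on the page is 74 bytes against a declared Length of 80 and is therefore rejected by a conforming parser, and then fragments a 1596-byte flight at fragment_size 1024 and 500 to compare the resulting packet sizes with the advertised Framed-MTU. Two assumptions: fragment_size is treated here as the number of TLS bytes per packet (FreeRADIUS's own accounting may differ by a few header bytes), and the reading that an AP cannot carry a fragment larger than the MTU it advertised is a plausible explanation for the behaviour in the thread, not something the thread confirms.

```python
"""EAP and EAP-TLS framing (RFC 3748, RFC 5216) and the fragmentation that
fragment_size controls. Added example for this thread; the packet bytes
below are copied from the freeradius -X output quoted in it."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More, Start


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]
    flags: Optional[int]          # EAP-TLS only
    tls_total_len: Optional[int]  # EAP-TLS only, present when L is set
    data: bytes                   # Identity string or TLS bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet; raise ValueError on anything malformed."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length says {length} bytes, got {len(raw)}")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, length, None, None, None, b"")
    if length < 5:
        raise ValueError("Request/Response without Type")
    eap_type = raw[4]
    if eap_type != EAP_TYPE_TLS:
        return EapPacket(code, ident, length, eap_type, None, None, raw[5:])
    if length < 6:
        raise ValueError("EAP-TLS packet without Flags")
    flags, body, tls_total = raw[5], raw[6:], None
    if flags & FLAG_L:
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        tls_total, body = int.from_bytes(body[:4], "big"), body[4:]
        if not flags & FLAG_M and tls_total != len(body):
            raise ValueError("unfragmented message but Length != data size")
    return EapPacket(code, ident, length, eap_type, flags, tls_total, body)


def is_malformed(raw: bytes) -> bool:
    """True when parse_eap rejects the bytes."""
    try:
        parse_eap(raw)
        return False
    except ValueError:
        return True


def fragment_tls(tls_msg: bytes, identifier: int, fragment_size: int) -> List[bytes]:
    """Split a TLS flight into EAP-TLS Requests the way an EAP server does:
    at most fragment_size TLS bytes per packet (assumed meaning of the
    radiusd.conf knob), L plus the 4-byte total length on the first
    fragment, M on every fragment except the last, fresh Identifier each."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    chunks = [tls_msg[i:i + fragment_size]
              for i in range(0, len(tls_msg), fragment_size)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        flags, extra = 0, b""
        if n == 0:
            flags, extra = FLAG_L, len(tls_msg).to_bytes(4, "big")
        if n < len(chunks) - 1:
            flags |= FLAG_M
        payload = bytes([EAP_TYPE_TLS, flags]) + extra + chunk
        header = bytes([EAP_REQUEST, (identifier + n) & 0xFF])
        packets.append(header + (4 + len(payload)).to_bytes(2, "big") + payload)
    return packets


def reassemble(packets: List[bytes]) -> bytes:
    """Peer side: join the fragments and check the total the L field promised."""
    parsed = [parse_eap(p) for p in packets]
    tls = b"".join(p.data for p in parsed)
    if parsed[0].tls_total_len is not None and parsed[0].tls_total_len != len(tls):
        raise ValueError("reassembled size does not match the L field")
    return tls


def fragment_report(tls_len: int, fragment_size: int, framed_mtu: int) -> Dict:
    """Packet sizes for a tls_len-byte flight at this fragment_size, and which
    of them exceed the Framed-MTU the NAS advertised in the Access-Request."""
    pkts = fragment_tls(bytes(tls_len), 0x46, fragment_size)
    sizes = [len(p) for p in pkts]
    return {"fragments": len(pkts), "sizes": sizes,
            "too_big_for_mtu": [s for s in sizes if s > framed_mtu]}


# Copied from the thread's log: Identity Response and EAP-TLS Start Request.
IDENTITY_RESPONSE = bytes.fromhex("024400120153657663696b204265726e6474")
EAPTLS_START = bytes.fromhex("014500060d20")
# The second Response exactly as it appears on the page: Length field 0x0050
# (80) but only 74 bytes survived extraction, so the parser must reject it.
MANGLED_RESPONSE = bytes.fromhex(
    "024500500d8000461603010041013d03013f3371da3a9bab75032c2c86afd3288d"
    "e5d42d63265b6afe930d235a87d1df9a1600040005000a0009"
    "00640062000300060013001200630100")

if __name__ == "__main__":
    print(parse_eap(IDENTITY_RESPONSE))
    print(parse_eap(EAPTLS_START))
    print("mangled response rejected:", is_malformed(MANGLED_RESPONSE))
    # 0x063c = 1596 bytes is the Certificate message in the log; the AP sent
    # Framed-MTU = 1000.  Compare the two fragment_size values Berndt tried.
    for fs in (1024, 500):
        print(fs, fragment_report(1596, fs, 1000))
```

At fragment_size 1024 the first fragment becomes a 1034-byte EAP packet (4-byte EAP header, type, flags, 4-byte length, 1024 bytes of TLS), which is larger than the 1000-byte Framed-MTU the AP advertised; at 500 every packet stays at or under 510 bytes. The EAP-TLS Start Request decodes to code 1, identifier 69, type 13, flags 0x20 (S bit only), matching "rlm_eap_tls: Start returned 1" in the log, and the Identity Response to identifier 68, length 18, data "Sevcik Berndt", matching "EAP packet type response id 68 length 18".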
Debian compilation problems
I tried to compile an actual deb Package of the current CVS freeradius version with dpkg-buildpackage. Shortly after the begin the process stops with:

checking for gdbm/ndbm.h... no
checking for gdbm-ndbm.h... yes
checking for dbm in default lib... no
checking for dbm_open in -lndbm... no
checking for dbm_open in -lgdbm... no
checking for dbm_open in -lgdbm_compat... yes
configure: warning: FAILURE: rlm_dbm requires: (libndbm or libgdm).
configure: error: set --without-rlm_dbm to disable it explicitly.
configure: error: ./configure failed for src/modules/rlm_dbm
make: *** [build-simple] Error 1
ITS-Test1:/etc/1x/radiusd#

I am using a testing Debian distribution with all updates installed. Does someone know this problem?

Regards
Berndt

--
This message was created with the kind support of a free-running penguin from species-appropriate free-range husbandry. It is guaranteed free of Microsoft viruses.