The file "proxy.txt" is from the FreeRADIUS that receives the request from the switch.
The file "realmTESTE.txt" is from the FreeRADIUS that will authenticate users for the domain TESTE. At this moment, the authentication is in files.
Dustin Doris wrote:
Do you have nostrip set up in proxy.conf to not strip the username? Please post debug info (radiusd -X).
On Fri, 28 Jan 2005, Israel Fabio Alves wrote:
I do not know for sure if it is a problem with FreeRADIUS; it is possible that it is my configuration.
When I do a test using just the user and password, I log in OK, but when using username, password and domain, the login fails.
If somebody has information that helps me, I will be very happy.
Alan DeKok wrote:
Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
I am trying to do 802.1x with proxy authentication: when the user logs in from Windows XP, he enters username, password and domain. The switch sends an authentication request to a FreeRADIUS server, which proxies the request according to the user's domain. When I try this, I get the errors below.
What part of the errors are unclear?
Sending Access-Request of id 0 to 172.22.3.69:1812
...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
The other server rejected the user. Why would you think this is a problem in FreeRADIUS?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Israel Alves - Infrastructure Manager, Quantiza Systems - 55(51) 598-2343
realmTESTE.txt (radiusd -X on the home server for realm TESTE):

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.0.47:1814, id=0, length=97
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x0195a000df15f453a0effe23b403fb50
        Proxy-State = 0x323534
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128
  modcall[authorize]: module "auth_log" returns ok for request 0
    rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched israel at 18
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [israel/<no User-Password attribute>] (from client radius port 0 cli 0.0.0.0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 172.22.0.47:1814
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
        Proxy-State = 0x323534
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 41fa778b
Nothing to do. Sleeping until we see a request.
proxy.txt (radiusd -X on the FreeRADIUS that receives the request from the switch):

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x4b7d7eb7f7c7d152f7781ccef4d74eb2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "TESTE"
    rlm_realm: Adding Stripped-User-Name = "israel"
    rlm_realm: Proxying request from user israel to realm TESTE
    rlm_realm: Adding Realm = "TESTE"
    rlm_realm: Preparing to proxy authentication request to realm "TESTE"
  modcall[authorize]: module "suffix" returns updated for request 0
  rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 172.22.3.69:1812
        User-Name = "israel"
        EAP-Message = 0x020100110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323534
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
        Proxy-State = 0x323534
Login incorrect (Home Server says so): [israel/<no User-Password attribute>] (from client extreme port 0 cli 0.0.0.0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
Sending Access-Reject of id 254 to 172.22.2.32:1746
        Extreme-Netlogin-Url = "http://172.22.2.180"
        Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
        Extreme-Netlogin-Only = Enabled
        Extreme-Netlogin-Vlan = "servers"
--- Walking the entire request list ---
Waking up in 5 seconds...
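The EAP-Message that appears in both debug outputs (0x020100110154455354455c69737261656c) is an EAP Response/Identity whose payload is the Windows-style name TESTE\israel, while the proxy, after rlm_realm strips the suffix, forwards User-Name = "israel". That is the mismatch the home server logs as "Identity does not match User-Name" before "Failed in handler". The following is an added example written for this page, not code from the thread, from FreeRADIUS, or from either poster: a small Python parser for the EAP packet and a model of what the home server sees with the default realm stripping versus Dustin's nostrip. The function names, the strip flag and the split_identity helper are assumptions for illustration; the hex string is copied from the debug output above.

```python
"""Added example (not FreeRADIUS code): decode the EAP-Message from the
radiusd -X output above and model what the home server receives after
the proxy strips, or does not strip, the realm from User-Name."""
import struct
from typing import Dict, Optional, Tuple

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Copied from the EAP-Message attribute in both debug logs above.
EAP_MESSAGE_HEX = "020100110154455354455c69737261656c"


def parse_eap(raw: bytes) -> Dict[str, object]:
    """Parse one EAP packet (RFC 3748, section 4): Code, Identifier, Length,
    then Type and Type-Data for Request/Response packets."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != packet size {len(raw)}")
    pkt: Dict[str, object] = {"code": EAP_CODE.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response packets carry a Type byte")
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:]
        if raw[4] == EAP_TYPE_IDENTITY:
            # The identity is opaque UTF-8; a Windows XP supplicant sends DOMAIN\user.
            pkt["identity"] = raw[5:].decode("utf-8", errors="replace")
    return pkt


def split_identity(name: str) -> Tuple[str, Optional[str]]:
    """Split a login name into (user, realm). Assumption for this example:
    suffix form user@REALM (what rlm_realm with format = "suffix" does)
    or prefix form REALM\\user (the NT-domain style found in the EAP identity)."""
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return user, realm
    if "\\" in name:
        realm, user = name.split("\\", 1)
        return user, realm
    return name, None


def check_proxied_request(outer_user_name: str, eap_message: bytes, strip: bool) -> Dict[str, object]:
    """Model the proxied Access-Request as the home server sees it.
    strip=True:  the proxy replaces User-Name with Stripped-User-Name (the default).
    strip=False: the realm's nostrip option keeps User-Name as sent by the NAS.
    The EAP-Message is forwarded untouched in both cases."""
    eap = parse_eap(eap_message)
    user, _outer_realm = split_identity(outer_user_name)
    forwarded_user_name = user if strip else outer_user_name
    inner = eap.get("identity")
    inner_user, inner_realm = split_identity(inner) if isinstance(inner, str) else (None, None)
    return {
        "forwarded_user_name": forwarded_user_name,
        "eap_identity": inner,
        "identity_matches_user_name": forwarded_user_name == inner,
        "same_user_after_split": inner_user == user,
        "eap_realm": inner_realm,
    }


if __name__ == "__main__":
    raw = bytes.fromhex(EAP_MESSAGE_HEX)
    print(parse_eap(raw))
    for strip in (True, False):
        print("strip" if strip else "nostrip", check_proxied_request("israel@TESTE", raw, strip))
```

Running it shows that nostrip only changes the outer User-Name (israel@TESTE instead of israel); the inner identity remains TESTE\israel in both cases, so the home server must itself be able to handle that form. In realmTESTE.txt the realm module is configured with format = "suffix" and delimiter = "@", and preprocess has with_ntdomain_hack = no, so nothing on the home server splits a DOMAIN\user name.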