------------------------------

Message: 5
Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
From: paul trader <flip...@igolinux.com>
To: freeradius-users@lists.freeradius.org
Subject: pap always returns noop for windows dialup authentication
Message-ID: <alpine.DEB.2.02.1309231213040.7006@soundgarden.localdomain.local>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

hi all - i've recently tried upgrading from v1 to v2. on a centos 6.4 box
w/ all latest updates, i installed freeradius v2, added one username and
password to /etc/raddb/users:

test Cleartext-Password := "testing"

and the radtest command-line authentication works. i then added one
client for our blade server to /etc/raddb/clients.conf:

client x.x.x.x {
	secret = xxxxx
	shortname = 3coms
}

substituting the correct ip and secret for the x's.

testing from my linux box w/ a modem, authentication works. output from
radiusd -X shows all is well, my linux box receives an ip address and dns
servers. relevant -X debug output shows:

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok

however, when trying to authenticate from a windows box, authentication
fails. every time. i've tried it from a windows xp machine and 2 windows
7 machines. the debug output always says:

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject

i've been over and over everything a dozen times, have tried changing the
windows dialup security settings to use pap only, and also have tried
adding the following line to the users file:

Auth-Type = PAP

even though everything i've read said not to do that. still doesn't work.
the only changes i've made to the default installation are to the users
and clients.conf files. i have spent hours searching the internet for a
similar problem/solution and come up empty. windows boxes will not
authenticate, pap always returns noop, and the user is rejected.

am i doing something glaringly wrong, or just going plain crazy?
regards, paul

------------------------------

Hi Paul,

You're not crazy for sure. The problem authenticating with Windows boxen is
that they only support MSCHAPv2… kudos to Microsoft.

Regards,
Rui

On 23 September 2013 18:17, <freeradius-users-requ...@lists.freeradius.org> wrote:
> Today's Topics:
>
>    1. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>       Switch Ports (Alan DeKok)
>    2. FreeRadius Error " Access Rejected" Only On Some CISCO Switch
>       Ports (Daniel Baker)
>    3. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>       Switch Ports (Daniel Baker)
>    4. EAP-TLS Authentication (arvind132 .)
>    5. pap always returns noop for windows dialup authentication
>       (paul trader)
>    6. Re: pap always returns noop for windows dialup authentication
>       (Phil Mayers)
>    7. Re: pap always returns noop for windows dialup authentication
>       (paul trader)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Sep 2013 09:18:28 -0400
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports
> Message-ID: <52403fa4.5090...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Daniel Baker wrote:
> > [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
> > [ldap] object not found
> > [ldap] search failed
>
>   What part of that is unclear?
>
> > What can I try to fix the authentication issues so that all ports are
> > being successfully authenticated ?
>
>   Ensure that the people logging in have accounts in ldap.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 23 Sep 2013 20:39:44 +0700
> From: Daniel Baker <i...@collisiondetection.biz>
> To: freeradius-users@lists.freeradius.org
> Subject: FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports
> Message-ID: <524044a0.8000...@collisiondetection.biz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi Guys, we are trying to get Free Radius to authenticate our users who
> connect through a Cisco Small Business POE switch.
>
> When testing authentication with a shutdown / no shutdown command on
> port fa/17 which has an IP phone connected to it we receive the
> following errors:
>
> FREE RADIUS :
>
> [ldap] expand: %{User-Name} -> root
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
> [ldap] expand: dc=citlao,dc=local -> dc=citlao,dc=local
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
> [ldap] object not found
> [ldap] search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> Failed to authenticate the user.
> Login incorrect ( [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> root
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 12 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 12
> Sending Access-Reject of id 31 to 192.168.1.1 port 1645
> Waking up in 4.9 seconds.
> Cleaning up request 12 ID 31 with timestamp +10922
> Ready to process requests.
>
> CISCO POE SWITCH:
>
> SW-BN3-PoE(config-if)#shutdown
> SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down: fa17
>
> SW-BN3-PoE(config-if)#
> SW-BN3-PoE(config-if)#no shutdown
> SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP status Forwarding
> 23-Sep-2013 14:17:42 %LINK-I-Up: fa17
> 23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server
> 23-Sep-2013 14:18:07 %LINK-W-Down: fa17, aggregated (3)
> 23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, aggregated (3)
> 23-Sep-2013 14:18:09 %LINK-I-Up: fa17, aggregated (3)
> 23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server, aggregated (1)
>
> However when we try the same test on a port that has a PC connected to
> it we do not receive such an error.
>
> The CISCO switch says that we have the wrong user name and the Free
> Radius log says access rejected. Why would this only be the case when
> a CISCO IP phone tries to authenticate?
>
> The Cisco switch port configurations are exactly the same and are as
> follows :
>
> dot1x max-req 1
> dot1x reauthentication
> dot1x timeout quiet-period 30
> dot1x mac-authentication mac-only
> dot1x port-control auto
> storm-control broadcast enable
> storm-control broadcast level 10
> storm-control include-multicast
> spanning-tree portfast
> macro description "no_ip_phone_desktop | ip_phone_desktop"
> switchport trunk allowed vlan add 100
> macro auto smartport type ip_phone_desktop
>
> What can I try to fix the authentication issues so that all ports are
> being successfully authenticated ?
>
> Thanks for your assistance,
>
> Dan
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 23 Sep 2013 21:01:49 +0700
> From: Daniel Baker <i...@collisiondetection.biz>
> To: freeradius-users@lists.freeradius.org
> Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports
> Message-ID: <524049cd.6030...@collisiondetection.biz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Thank you Alan I will pursue that line of inquiry further.
>
>
> On 9/23/2013 8:18 PM, Alan DeKok wrote:
> > Daniel Baker wrote:
> >> [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
> >> [ldap] object not found
> >> [ldap] search failed
> >   What part of that is unclear?
> >
> >> What can I try to fix the authentication issues so that all ports are
> >> being successfully authenticated ?
> >   Ensure that the people logging in have accounts in ldap.
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 23 Sep 2013 20:15:14 +0530
> From: "arvind132 ." <arvind...@gmail.com>
> To: freeradius-users@lists.freeradius.org
> Subject: EAP-TLS Authentication
> Message-ID: <CABNrktRU1J02n-yAmcpYj8rxq5Sg79NtUf=syryxnj06ank...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> I am facing some issues with 802.1x EAP-TLS Authentication.
> Please suggest any document which can help in better understanding on TLS
> Authentication.
> Thanks.
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 23 Sep 2013 17:52:53 +0100
> From: Phil Mayers <p.may...@imperial.ac.uk>
> To: freeradius-users@lists.freeradius.org
> Subject: Re: pap always returns noop for windows dialup authentication
> Message-ID: <524071e5.4090...@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 23/09/13 17:33, paul trader wrote:
>
> > am i doing something glaringly wrong, or just going plain crazy?
>
> It's difficult to say, because the debug you sent has all the useful
> bits trimmed out - like the original packet, and the full module
> processing chain.
>
> Send a full debug, and odds are someone will spot the issue.
>
> Most likely is that the Windows machine is sending a different format of
> username e.g. DOMAIN\user, so whatever database you're doing a lookup
> for the password or hash - SQL, LDAP, files - isn't matching. But that's
> a guess - post the full debug.
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 23 Sep 2013 13:19:04 -0400 (EDT)
> From: paul trader <flip...@igolinux.com>
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Subject: Re: pap always returns noop for windows dialup authentication
> Message-ID: <alpine.DEB.2.02.1309231310440.7633@soundgarden.localdomain.local>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
>
> PM:It's difficult to say, because the debug you sent has all the useful
> PM:bits trimmed out - like the original packet, and the full module
> PM:processing chain.
>
> hi phil - ok, here's the full debug for a successful request:
>
> rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, length=133
> 	User-Name = "test"
> 	User-Password = "testing"
> 	User-Password = "testing"
> 	NAS-IP-Address = x.x.x.x
> 	NAS-Identifier = "x.x.x.x"
> 	NAS-Port = 2561
> 	Acct-Session-Id = "167773864"
> 	Service-Type = Login-User
> 	Calling-Station-Id = "xxxxxxxxxx"
> 	Called-Station-Id = "xxxxxxx"
> 	NAS-Port-Type = Async
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry test at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "testing"
> [pap] User authenticated successfully
> ++[pap] returns ok
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 37 to x.x.x.x port 1812
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 37 with timestamp +676
>
> and here's the full output of a failed request:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, length=121
> 	User-Name = "test"
> 	User-Password = "testing"
> 	NAS-IP-Address = x.x.x.x
> 	NAS-Identifier = "x.x.x.x"
> 	NAS-Port = 2561
> 	Acct-Session-Id = "167773862"
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	Calling-Station-Id = "xxxxxxxxxx"
> 	Called-Station-Id = "xxxxxxx"
> 	NAS-Port-Type = Async
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 172
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> test
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 35 to 64.214.93.3 port 1812
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 35 with timestamp +361
>
> from what i can see, the successful request finds the user's entry in the
> user table, but the failed request doesn't (and uses DEFAULT instead).
> but the usernames passed in seem to be the same. i don't know, we've used
> freeradius for years and this is the 1st time i'm having a problem.
> weird.
>
> regards, paul
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 101, Issue 50
> *************************************************
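An added diagnostic helper for the situation Paul describes in message 7 (not code from the thread or from the FreeRADIUS project): it reduces two radiusd -X traces to request attributes, module return codes and the files-module match, then lists what differs between the working and the failing request. The embedded traces are constructed here, cut down from the two he posted, with x.x.x.x left as in the post.

```python
import re

# Two radiusd -X excerpts, cut down from the traces posted in this thread
# (constructed inline so the script runs offline; x.x.x.x as in the post).
OK_TRACE = """\
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, length=133
\tUser-Name = "test"
\tUser-Password = "testing"
\tUser-Password = "testing"
\tService-Type = Login-User
[files] users: Matched entry test at line 1
++[pap] returns updated
++[pap] returns ok
Sending Access-Accept of id 37 to x.x.x.x port 1812
"""
FAIL_TRACE = """\
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, length=121
\tUser-Name = "test"
\tUser-Password = "testing"
\tService-Type = Framed-User
\tFramed-Protocol = PPP
[files] users: Matched entry DEFAULT at line 172
++[pap] returns noop
Sending Access-Reject of id 35 to x.x.x.x port 1812
"""

ATTR_RE = re.compile(r'^\s+(\S+)\s*=\s*(.*)$')          # indented request attribute
MOD_RE = re.compile(r'^\+\+\[(\S+)\] returns (\w+)$')   # module return code
FILES_RE = re.compile(r'^\[files\] users: Matched entry (\S+) at line (\d+)')
SEND_RE = re.compile(r'^Sending (Access-\w+) of id')    # final reply to the NAS

def parse_trace(text):
    """Reduce one request's -X output to {section: {key: value}}."""
    info = {"attr": {}, "module": {}, "outcome": {}}
    for line in text.splitlines():
        if m := ATTR_RE.match(line):          # repeated attributes are kept as a list
            info["attr"].setdefault(m[1], []).append(m[2])
        elif m := MOD_RE.match(line):         # the last return code of a module wins
            info["module"][m[1]] = m[2]
        elif m := FILES_RE.match(line):
            info["outcome"]["users entry"] = f"{m[1]} (line {m[2]})"
        elif m := SEND_RE.match(line):
            info["outcome"]["reply"] = m[1]
    return info

def diff_traces(good, bad):
    """List every attribute, module result or outcome that differs, good -> bad."""
    g, b = parse_trace(good), parse_trace(bad)
    diffs = []
    for section in ("attr", "module", "outcome"):
        for key in sorted(set(g[section]) | set(b[section])):
            if g[section].get(key) != b[section].get(key):
                diffs.append(f"{section} {key}: {g[section].get(key)} -> {b[section].get(key)}")
    return diffs
```

Calling `diff_traces(OK_TRACE, FAIL_TRACE)` on the embedded traces reports the Service-Type and Framed-Protocol change, the doubled User-Password in the successful request, the pap result, the users-file entry that matched and the final reply.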