Good morning, Leo -
Thank you very much for your note. You are right on the money with this
one! I installed eappol_test and ran with the following config file:
peap-mschapv2.conf
#
# eapol_test -c peap-mschapv2.conf -s testing123
#
network={
ssid="example"
key_mgmt=WPA-EAP
eap=PEAP
identity="phoffswe"
password="goodpassword"
phase2="autheap=MSCHAPV2"
#
# Uncomment the following to perform server certificate validation.
# ca_cert="/etc/raddb/certs/ca.der"
}
Running this command
/usr/local/bin/eapol_test -c peap-mschapv2.conf -s radiuskey -p 18120
Success!
Now, running identity "phoff...@davenport.edu" does not work. I would
eventually like to have this work, as we hope to deploy EDUROAM one day.
But this is more of a EDUROAM/FreeRadius thing, not a packetfence thing.
I think I'm in good shape, however, to move to the next step in my PF
config - Addition of Cisco WLC.
Thanks greatly!
-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu
On Fri, Jun 20, 2014 at 10:07 AM, Louis Munro <lmu...@inverse.ca> wrote:
> Hi Pete,
>
> I believe the issue is a side effect of the testing more than the
> configuration.
>
> To begin with, radtest does not do PEAP, so you will not be able to test
> PacketFence/AD reliably with it.
> Secondly, you are sending it to the FreeRADIUS virtual server on
> localhost:18120.
> That virtual server is not sending requests to PacketFence.
>
> Try adding your IP to the allowed clients in raddb/clients.conf
> temporarily and test using eapol_test if you really want to have a good
> idea what will happen when someone tries PEAP.
>
> See here for eapol_test:
> http://deployingradius.com/scripts/eapol_test/
>
> Save yourself some time and install openssl-devel and libnl-devel before
> typing "make eapol_test".
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca :: www.inverse.ca
> +1.514.447.4918 *125 :: +1 (866) 353-6153
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On 2014-06-20, at 9:56 , Pete Hoffswell <pete.hoffsw...@davenport.edu>
> wrote:
>
> Good morning, PF users!
>
> I've been making good progress with my initial configuration of
> packetfence. I'm hung up, however, of some subtle freeradius
> configuration. I've followed the freeradius configuration from the guide,
> and have ntlm_auth working fine:
>
> ntlm_auth --request-nt-key --domain=Ad.DAVENPORT.EDU
> <http://ad.davenport.edu/> --username=phoffswe --password=goodpassword
> NT_STATUS_OK: Success (0x0)
>
>
> Note that our active directory domain is ad.davenport.edu
>
> Now, when I run radtest with a bad password, I get an Access Accept
> message:
>
> radtest phoffswe badpassword localhost:18120 12 radiuskey
> Sending Access-Request of id 169 to 127.0.0.1 port 18120
> User-Name = "phoffswe"
> User-Password = "badpassword"
> NAS-IP-Address = 10.1.3.48
> NAS-Port = 12
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=169,
> length=20
>
>
>
> Running radius in debug mode (radiusd -d raddb -X) shows:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 43513, id=16,
> length=78
> User-Name = "phoffswe"
> User-Password = "badpassword"
> NAS-IP-Address = 10.1.3.48
> NAS-Port = 12
> Message-Authenticator = 0x0634cec60b51216f7b2f2f6941289f58
> server inner-tunnel {
> # Executing section authorize from file raddb/sites-enabled/inner-tunnel
> +group authorize {
> ++[chap] = noop
> ++[mschap] = noop
> [suffix] No '@' in User-Name = "phoffswe", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++update control {
> ++} # update control = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> [files] users: Matched entry DEFAULT at line 1
> ++[files] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] = noop
> +} # group authorize = ok
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> Login OK: [phoffswe] (from client localhost port 12)
> } # server inner-tunnel
> WARNING: Empty post-auth section. Using default return values.
> # Executing section post-auth from file raddb/sites-enabled/inner-tunnel
> Sending Access-Accept of id 16 to 127.0.0.1 port 43513
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 16 with timestamp +9
> Ready to process requests.
>
>
>
> Running radtest phoff...@ad.davenport.edu badpassword localhost:18120 12
> radiuskey shows some proxy configuration:
>
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 50885, id=75,
> length=95
> User-Name = "phoff...@ad.davenport.edu"
> User-Password = "badpassword"
> NAS-IP-Address = 10.1.3.48
> NAS-Port = 12
> Message-Authenticator = 0x41c2f72cb1e00cd85f578dfb407c34de
> server inner-tunnel {
> # Executing section authorize from file raddb/sites-enabled/inner-tunnel
> +group authorize {
> ++[chap] = noop
> ++[mschap] = noop
> [suffix] Looking up realm "ad.davenport.edu" for User-Name = "
> phoff...@ad.davenport.edu"
> [suffix] Found realm "ad.davenport.edu"
> [suffix] Adding Stripped-User-Name = "phoffswe"
> [suffix] Adding Realm = "ad.davenport.edu"
> [suffix] Proxying request from user phoffswe to realm ad.davenport.edu
> [suffix] Preparing to proxy authentication request to realm "
> ad.davenport.edu"
> ++[suffix] = updated
>
> .... and on to Auth-Type = Accept....
>
>
> I think I have a radius configuration issue, asn it seems like ntlm_auth
> isn't called right. I'm using the config as the guide suggests
>
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
> --challenge=%{mschap:Challenge}:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
>
>
> I'm thinking that my problem is with my freeradius configuration. Either
> the ntml_auth setup, my proxy setup, or something to do with my domain.
>
> I really would want users to authenticate with <user>@davenport.edu so I
> also am going to have to do some sort of trick to change @davenport.edu
> to @ad.davenport.edu
>
> Any advice is greatly appreciated!
>
>
>
> -
> Pete Hoffswell - Network Manager
> pete.hoffsw...@davenport.edu
> http://www.davenport.edu
>
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
>
> http://p.sf.net/sfu/hpccsystems_______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
