Thanks again Louis. You are right. My lack of knowledge about these
applications is my source of struggle. Thanks for helping me through this!
/usr/local/bin/eapol_test -c peap-mschapv2.conf -a 10.1.3.48 -s radiuskey
Failed for me, but I was able to see that it was because my client (the
packetfence server itself, running at 10.1.3.48) was not in the
clients.conf file.
I added it to clients.conf
client packetfence {
ipaddr = 10.1.3.48
secret = key
require_message_authenticator = no
nastype = other
}
And now SUCCESS!
When I try identity="phoff...@ad.davenport.edu" I do see some Realm
identification, and this, in the radiusd debug:
rad_recv: Access-Request packet from host 10.1.3.48 port 56324, id=0, length=158
User-Name = "phoff...@ad.davenport.edu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200001e0170686f66667377654061642e646176656e706f72742e656475
Message-Authenticator = 0xaed40d4dd671bc83494c661a4e007b48
server packetfence {
# Executing section authorize from file raddb/sites-enabled/packetfence
+group authorize {
[suffix] Looking up realm "ad.davenport.edu" for User-Name = "phoff...@ad.davenport.edu"
[suffix] Found realm "ad.davenport.edu"
[suffix] Adding Stripped-User-Name = "phoffswe"
[suffix] Adding Realm = "ad.davenport.edu"
[suffix] Proxying request from user phoffswe to realm ad.davenport.edu
[suffix] Preparing to proxy authentication request to realm "ad.davenport.edu"
++[suffix] = updated
++[preprocess] = ok
[eap] Request is supposed to be proxied to Realm ad.davenport.edu. Not doing EAP.
++[eap] = noop
EAP seems to be skipped. Radius config issue, I am thinking....
-
Pete Hoffswell - Network Manager
pete.hoffsw...@davenport.edu
http://www.davenport.edu
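As an added illustration (not code from this thread, from PacketFence or from FreeRADIUS), the following Python checker reads `radiusd -X` output and flags the two test artifacts the thread runs into: an Access-Accept that comes from the DEFAULT entry in the users file on a PAP radtest, and EAP being skipped because the suffix module proxied the request to a realm. The trace excerpts are constructed from the logs quoted in the thread.

```python
import re

# Constructed excerpts of "radiusd -X" output, modelled on the two debug traces
# quoted in this thread: a radtest (PAP) request that the DEFAULT entry in the
# users file accepts, and an eapol_test request whose realm suffix makes
# FreeRADIUS proxy it instead of running EAP.
RADTEST_TRACE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 43513, id=16, length=78
User-Name = "phoffswe"
User-Password = "badpassword"
server inner-tunnel {
++[mschap] = noop
[suffix] No '@' in User-Name = "phoffswe", looking up realm NULL
[eap] No EAP-Message, not doing EAP
[files] users: Matched entry DEFAULT at line 1
Found Auth-Type = Accept
Sending Access-Accept of id 16 to 127.0.0.1 port 43513
"""

PROXIED_TRACE = """\
rad_recv: Access-Request packet from host 10.1.3.48 port 56324, id=0, length=158
User-Name = "phoffswe@ad.davenport.edu"
EAP-Message = 0x0200001e0170686f66667377654061642e646176656e706f72742e656475
server packetfence {
[suffix] Found realm "ad.davenport.edu"
[suffix] Proxying request from user phoffswe to realm ad.davenport.edu
[eap] Request is supposed to be proxied to Realm ad.davenport.edu. Not doing EAP.
++[eap] = noop
"""

def audit_trace(trace):
    """Explain why a trace is not evidence that PEAP/MSCHAPv2 -> ntlm_auth works."""
    findings = []
    user = re.search(r'^User-Name = "([^"]*)"', trace, re.M)
    # A realm suffix in User-Name is what the suffix module keys on.
    if user and "@" in user.group(1):
        findings.append("realm-suffix:" + user.group(1).split("@", 1)[1])
    # Proxied request: the eap module steps aside, so no inner MSCHAPv2 happens.
    m = re.search(r"proxied to Realm (\S+)\. Not doing EAP", trace)
    if m:
        findings.append("eap-skipped-proxied-to:" + m.group(1))
    # radtest speaks PAP: there is no EAP-Message, so mschap and eap return noop...
    if "No EAP-Message, not doing EAP" in trace:
        findings.append("no-eap-message")
    # ...and the Accept comes from the users file, not from ntlm_auth.
    if "Matched entry DEFAULT" in trace and "Found Auth-Type = Accept" in trace:
        findings.append("accept-from-users-DEFAULT")
    # Only a non-proxied EAP run that reaches mschap/ntlm_auth counts as a real test.
    ok = "EAP-Message" in trace and not findings
    return ok, findings
```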
On Fri, Jun 20, 2014 at 11:02 AM, Louis Munro <lmu...@inverse.ca> wrote:
> Hi Pete,
> You are sending your request to port 18120. That maps to a virtual server
> that may not be the right one for you.
>
> Try port 1812. Send the request to the IP where PF is running (not
> localhost).
>
> If you have configured raddb/modules/mschap correctly that should work.
> If not, please post the output of radiusd -d raddb -X.
>
>
> What you are trying to achieve should be easy, once you know how to do it
> ;-)
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca :: www.inverse.ca
> +1.514.447.4918 *125 :: +1 (866) 353-6153
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On 2014-06-20, at 10:55 , Pete Hoffswell <pete.hoffsw...@davenport.edu>
> wrote:
>
> Good morning, Leo -
>
> Thank you very much for your note. You are right on the money with this
> one! I installed eapol_test and ran with the following config file:
>
> peap-mschapv2.conf
>
>
> #
> # eapol_test -c peap-mschapv2.conf -s testing123
> #
> network={
> ssid="example"
> key_mgmt=WPA-EAP
> eap=PEAP
> identity="phoffswe"
> password="goodpassword"
> phase2="autheap=MSCHAPV2"
>
> #
> # Uncomment the following to perform server certificate validation.
> # ca_cert="/etc/raddb/certs/ca.der"
> }
>
>
>
> Running this command
> /usr/local/bin/eapol_test -c peap-mschapv2.conf -s radiuskey -p 18120
>
>
> Success!
>
> Now, running identity "phoff...@davenport.edu" does not work. I would
> eventually like to have this work, as we hope to deploy EDUROAM one day.
> But this is more of an EDUROAM/FreeRadius thing, not a packetfence thing.
>
>
> I think I'm in good shape, however, to move to the next step in my PF
> config - Addition of Cisco WLC.
>
> Thanks greatly!
>
>
>
>
>
>
> -
> Pete Hoffswell - Network Manager
> pete.hoffsw...@davenport.edu
> http://www.davenport.edu
>
>
>
> On Fri, Jun 20, 2014 at 10:07 AM, Louis Munro <lmu...@inverse.ca> wrote:
>
>> Hi Pete,
>>
>> I believe the issue is a side effect of the testing more than the
>> configuration.
>>
>> To begin with, radtest does not do PEAP, so you will not be able to test
>> PacketFence/AD reliably with it.
>> Secondly, you are sending it to the FreeRADIUS virtual server on
>> localhost:18120.
>> That virtual server is not sending requests to PacketFence.
>>
>> Try adding your IP to the allowed clients in raddb/clients.conf
>> temporarily and test using eapol_test if you really want to have a good
>> idea what will happen when someone tries PEAP.
>>
>> See here for eapol_test:
>> http://deployingradius.com/scripts/eapol_test/
>>
>> Save yourself some time and install openssl-devel and libnl-devel before
>> typing "make eapol_test".
>>
>> Regards,
>> --
>> Louis Munro
>> lmu...@inverse.ca :: www.inverse.ca
>> +1.514.447.4918 *125 :: +1 (866) 353-6153
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On 2014-06-20, at 9:56 , Pete Hoffswell <pete.hoffsw...@davenport.edu>
>> wrote:
>>
>> Good morning, PF users!
>>
>> I've been making good progress with my initial configuration of
>> packetfence. I'm hung up, however, on some subtle freeradius
>> configuration. I've followed the freeradius configuration from the guide,
>> and have ntlm_auth working fine:
>>
>> ntlm_auth --request-nt-key --domain=Ad.DAVENPORT.EDU --username=phoffswe --password=goodpassword
>> NT_STATUS_OK: Success (0x0)
>>
>>
>> Note that our active directory domain is ad.davenport.edu
>>
>> Now, when I run radtest with a bad password, I get an Access Accept
>> message:
>>
>> radtest phoffswe badpassword localhost:18120 12 radiuskey
>> Sending Access-Request of id 169 to 127.0.0.1 port 18120
>> User-Name = "phoffswe"
>> User-Password = "badpassword"
>> NAS-IP-Address = 10.1.3.48
>> NAS-Port = 12
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=169, length=20
>>
>>
>>
>> Running radius in debug mode (radiusd -d raddb -X) shows:
>>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 127.0.0.1 port 43513, id=16, length=78
>> User-Name = "phoffswe"
>> User-Password = "badpassword"
>> NAS-IP-Address = 10.1.3.48
>> NAS-Port = 12
>> Message-Authenticator = 0x0634cec60b51216f7b2f2f6941289f58
>> server inner-tunnel {
>> # Executing section authorize from file raddb/sites-enabled/inner-tunnel
>> +group authorize {
>> ++[chap] = noop
>> ++[mschap] = noop
>> [suffix] No '@' in User-Name = "phoffswe", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> ++update control {
>> ++} # update control = noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] = noop
>> [files] users: Matched entry DEFAULT at line 1
>> ++[files] = ok
>> ++[expiration] = noop
>> ++[logintime] = noop
>> [pap] WARNING: Auth-Type already set. Not setting to PAP
>> ++[pap] = noop
>> +} # group authorize = ok
>> Found Auth-Type = Accept
>> Auth-Type = Accept, accepting the user
>> Login OK: [phoffswe] (from client localhost port 12)
>> } # server inner-tunnel
>> WARNING: Empty post-auth section. Using default return values.
>> # Executing section post-auth from file raddb/sites-enabled/inner-tunnel
>> Sending Access-Accept of id 16 to 127.0.0.1 port 43513
>> Finished request 0.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 16 with timestamp +9
>> Ready to process requests.
>>
>>
>>
>> Running radtest phoff...@ad.davenport.edu badpassword localhost:18120 12
>> radiuskey shows some proxy configuration:
>>
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 50885, id=75, length=95
>> User-Name = "phoff...@ad.davenport.edu"
>> User-Password = "badpassword"
>> NAS-IP-Address = 10.1.3.48
>> NAS-Port = 12
>> Message-Authenticator = 0x41c2f72cb1e00cd85f578dfb407c34de
>> server inner-tunnel {
>> # Executing section authorize from file raddb/sites-enabled/inner-tunnel
>> +group authorize {
>> ++[chap] = noop
>> ++[mschap] = noop
>> [suffix] Looking up realm "ad.davenport.edu" for User-Name = "phoff...@ad.davenport.edu"
>> [suffix] Found realm "ad.davenport.edu"
>> [suffix] Adding Stripped-User-Name = "phoffswe"
>> [suffix] Adding Realm = "ad.davenport.edu"
>> [suffix] Proxying request from user phoffswe to realm ad.davenport.edu
>> [suffix] Preparing to proxy authentication request to realm "ad.davenport.edu"
>> ++[suffix] = updated
>>
>> .... and on to Auth-Type = Accept....
>>
>>
>> I think I have a radius configuration issue, as it seems like ntlm_auth
>> isn't called right. I'm using the config as the guide suggests:
>>
>> use_mppe = yes
>> require_encryption = yes
>> require_strong = yes
>> with_ntdomain_hack = yes
>> # ntlm_auth is one quoted string on a single line; the challenge default uses the
>> # nested %{%{...}:-00} form (the original had an unbalanced %{mschap:Challenge}:-00})
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{mschap:NT-Response:-00}"
>>
>>
>>
>> I'm thinking that my problem is with my freeradius configuration. Either
>> the ntlm_auth setup, my proxy setup, or something to do with my domain.
>>
>> I really would want users to authenticate with <user>@davenport.edu so I
>> also am going to have to do some sort of trick to change @davenport.edu
>> to @ad.davenport.edu
>>
>> Any advice is greatly appreciated!
>>
>>
>>
>> -
>> Pete Hoffswell - Network Manager
>> pete.hoffsw...@davenport.edu
>> http://www.davenport.edu
>>
>>
>> ------------------------------------------------------------------------------
>> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
>> Find What Matters Most in Your Big Data with HPCC Systems
>> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
>> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
>>
>> http://p.sf.net/sfu/hpccsystems_______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>>
>>
>