Hello all,
I have solved some problems. Now the authentication process with PEAP
gives me this output from
radiusd -X -d /usr/local/pf/raddb
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=53,
length=346
User-Name = "Ric"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-19-E8-34-EE-07"
Calling-Station-Id = "E0-3F-49-37-E5-E4"
EAP-Message =
0x02040090198000000086160301004610000042410421732fb20d7ddd4eda26b4950840d85e9b7caa980e10dd21c01a4f904201471ffd97b9f20bcfacbf4cd1e7ac259e5331c230e675760e128638731a6b99a5103f1403010001011603010030427a1dd53eb447351f6663364863341ea92c5d3c7cf2174dabf23f89182559065d3d5b8080ced82078103c254adf48f8
Message-Authenticator = 0xdc6a1d2836912b981c97f10abbe1ffa9
Cisco-AVPair = "audit-session-id=C0A801080000001A00F43BAB"
NAS-Port-Type = Ethernet
NAS-Port = 50007
NAS-Port-Id = "GigabitEthernet0/7"
State = 0x4fa329394da730954bc766b873067cba
NAS-IP-Address = 192.168.1.8
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "Ric", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 53 to 192.168.1.8 port 1645
EAP-Message =
0x01050041190014030100010116030100305a486966fdf7fb658fb0b260bce1e4fc5f9d14ceeec367063a9a121cdedf7d594f6c36d4aa2a2affd2158d73292922fc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4fa329394ca630954bc766b873067cba
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=54,
length=249
User-Name = "Ric"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-19-E8-34-EE-07"
Calling-Station-Id = "E0-3F-49-37-E5-E4"
EAP-Message =
0x0205002f1980000000251503010020e05c8dac08cdda6a2ca266012566db3ab7f56d670e20baac07a111a1803e0e91
Message-Authenticator = 0xe8e3e58e9d43bbf739d776c70b51de7f
Cisco-AVPair = "audit-session-id=C0A801080000001A00F43BAB"
NAS-Port-Type = Ethernet
NAS-Port = 50007
NAS-Port-Id = "GigabitEthernet0/7"
State = 0x4fa329394ca630954bc766b873067cba
NAS-IP-Address = 192.168.1.8
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "Ric", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] EAP packet type response id 5 length 47
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 37
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state ?
[peap] FAILED processing PEAP: Tunneled data is invalid.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:access denied): [Ric] (from client
192.168.1.8 port 50007 cli E0-3F-49-37-E5-E4)
} # server packetfence
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> Ric
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 41 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 41
Sending Access-Reject of id 54 to 192.168.1.8 port 1645
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 37 ID 50 with timestamp +3412
Cleaning up request 38 ID 51 with timestamp +3412
I use a Windows 8.1 supplicant. I guess there is a certificate problem.
I'm trying to do authentication using the "users" flat file in
/usr/local/pf/raddb. I hope this is correct.
Thanks in advance for any suggestions or help.
Kind Regards,
Rosario Ippolito
2015-03-05 19:03 GMT+01:00 Rosario Ippolito <[email protected]>:
> Hello everybody PacketFence users!
> I know that I'm oppressive, and I apologize for that. I quickly summarize
> my problem:
> I have configured the FreeRADIUS module of PacketFence for authentication with
> PAP against the local flat file "users", using port-security, and it works
> fine, using Captive-Portal. Now I want to move to 802.1X, so I have
> properly configured a cisco switch 3560G following the guide. I have
> configured my Windows 8.1 laptop with the 802.1X authentication, and when I
> connect it to a switch port the request is sent.
>
> This is the output from the radiusd -X -d /usr/local/pf/raddb :
>
> rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=22,
> length=209
> User-Name = "e03f4937e5e4"
> User-Password = "e03f4937e5e4"
> Service-Type = Call-Check
> Framed-MTU = 1500
> Called-Station-Id = "00-19-E8-34-EE-03"
> Calling-Station-Id = "E0-3F-49-37-E5-E4"
> Message-Authenticator = 0xb662ecf7a6016cce82f7fc9279666176
> Cisco-AVPair = "audit-session-id=C0A801080000001500B93C81"
> NAS-Port-Type = Ethernet
> NAS-Port = 50003
> NAS-Port-Id = "GigabitEthernet0/3"
> NAS-IP-Address = 192.168.1.8
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb/sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "e03f4937e5e4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++[preprocess] = ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++update request {
> expand: %{Packet-Src-IP-Address} -> 192.168.1.8
> ++} # update request = noop
> ++update control {
> ++} # update control = noop
> rlm_perl: Added pair NAS-Port-Type = Ethernet
> rlm_perl: Added pair Service-Type = Call-Check
> rlm_perl: Added pair Calling-Station-Id = E0-3F-49-37-E5-E4
> rlm_perl: Added pair Called-Station-Id = 00-19-E8-34-EE-03
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.1.8
> rlm_perl: Added pair Message-Authenticator =
> 0xb662ecf7a6016cce82f7fc9279666176
> rlm_perl: Added pair Cisco-AVPair =
> audit-session-id=C0A801080000001500B93C81
> rlm_perl: Added pair User-Name = e03f4937e5e4
> rlm_perl: Added pair User-Password = e03f4937e5e4
> rlm_perl: Added pair NAS-IP-Address = 192.168.1.8
> rlm_perl: Added pair NAS-Port = 50003
> rlm_perl: Added pair NAS-Port-Id = GigabitEthernet0/3
> rlm_perl: Added pair Framed-MTU = 1500
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair PacketFence-RPC-Port = 7070
> ++[packetfence] = noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] = noop
> +} # group authorize = ok
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
> Login incorrect: [e03f4937e5e4] (from client 192.168.1.8 port 50003 cli
> E0-3F-49-37-E5-E4)
> } # server packetfence
> Using Post-Auth-Type REJECT
> # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} -> e03f4937e5e4
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 22 to 192.168.1.8 port 1645
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 22 with timestamp +474
> Ready to process requests.
>
>
> And this is my /usr/local/pf/raddb/sites-enabled/packetfence:
>
> server packetfence {
>
> authorize {
> suffix
> preprocess
> eap {
> ok = return
> }
> files
> expiration
> logintime
>
> update request {
> FreeRADIUS-Client-IP-Address := "%{Packet-Src-IP-Address}"
> }
> update control {
> PacketFence-RPC-Server = ${rpc_host}
> PacketFence-RPC-Port = ${rpc_port}
> PacketFence-RPC-User = ${rpc_user}
> PacketFence-RPC-Pass = ${rpc_pass}
> PacketFence-RPC-Proto = ${rpc_proto}
> }
> packetfence
> pap
> }
>
> authenticate {
>
> Auth-Type PAP {
> pap
> }
>
>
> Auth-Type MS-CHAP {
> mschap
> }
> eap
> }
>
> preacct {
>
> preprocess
> acct_unique
> suffix
> files
> }
>
> accounting {
>
> sql
> attr_filter.accounting_response
> update control {
> PacketFence-RPC-Server = ${rpc_host}
> PacketFence-RPC-Port = ${rpc_port}
> PacketFence-RPC-User = ${rpc_user}
> PacketFence-RPC-Pass = ${rpc_pass}
> PacketFence-RPC-Proto = ${rpc_proto}
> }
> packetfence
> }
>
> session {
>
> radutmp
>
> }
>
> post-auth {
> exec
> # skip packetfence if we have already treated it in the inner-tunnel
> if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
> update control {
> PacketFence-RPC-Server = ${rpc_host}
> PacketFence-RPC-Port = ${rpc_port}
> PacketFence-RPC-User = ${rpc_user}
> PacketFence-RPC-Pass = ${rpc_pass}
> PacketFence-RPC-Proto = ${rpc_proto}
> }
> packetfence
> }
> Post-Auth-Type REJECT {
> attr_filter.access_reject
> }
> }
>
> pre-proxy {
> }
>
> post-proxy {
> eap
> }
>
> }
>
>
> I surely miss some configuration. Where am I wrong?
>
> Thanks in advance for any help,
> Kind Regards,
> Rosario Ippolito
>
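Both debug traces in this thread (the MAC/PAP reject in the quoted mail and the PEAP reject in the reply) are easier to compare when reduced to one summary per request. The following is an added example, not code from PacketFence or FreeRADIUS: it parses `radiusd -X` output into per-request records (packet id, User-Name, Calling-Station-Id, NAS-Port-Id, the reply the server sent) and records the diagnostic lines that explain each reject. The line patterns are taken from the traces above; the sample log is a constructed, condensed excerpt modelled on them, not the raw output.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Line patterns seen in the radiusd -X output quoted in this thread.
RAD_RECV = re.compile(r"^rad_recv: (?P<code>\S+) packet from host (?P<host>\S+) port \d+, id=(?P<id>\d+)")
ATTR = re.compile(r'^(?P<name>[A-Za-z0-9-]+)\s*=\s*"?(?P<value>[^"]*)"?$')
SENDING = re.compile(r"^Sending (?P<code>Access-(?:Accept|Reject|Challenge)) of id (?P<id>\d+)")
LOGIN_INCORRECT = re.compile(r"^Login incorrect(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\]")
NO_AUTH_TYPE = re.compile(r"^ERROR: No authenticate method \(Auth-Type\) found")
TLS_ALERT = re.compile(r"^TLS Alert read:(?P<level>\w+):(?P<desc>.+)$")
PAP_NO_PASSWORD = re.compile(r'^\[pap\] WARNING! No "known good" password found')
EMPTY_TUNNEL = re.compile(r"^\[peap\] WARNING: No data inside of the tunnel")

# Constructed sample: a condensed version of the two traces in this thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=22, length=209
    User-Name = "e03f4937e5e4"
    User-Password = "e03f4937e5e4"
    Service-Type = Call-Check
    Calling-Station-Id = "E0-3F-49-37-E5-E4"
    NAS-Port-Id = "GigabitEthernet0/3"
server packetfence {
[eap] No EAP-Message, not doing EAP
[pap] WARNING! No "known good" password found for the user.
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Login incorrect: [e03f4937e5e4] (from client 192.168.1.8 port 50003 cli E0-3F-49-37-E5-E4)
} # server packetfence
Sending Access-Reject of id 22 to 192.168.1.8 port 1645
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=53, length=346
    User-Name = "Ric"
    Calling-Station-Id = "E0-3F-49-37-E5-E4"
    NAS-Port-Id = "GigabitEthernet0/7"
server packetfence {
[peap] TLS_accept: SSLv3 flush data
SSL Connection Established
} # server packetfence
Sending Access-Challenge of id 53 to 192.168.1.8 port 1645
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=54, length=249
    User-Name = "Ric"
    Calling-Station-Id = "E0-3F-49-37-E5-E4"
    NAS-Port-Id = "GigabitEthernet0/7"
server packetfence {
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] FAILED processing PEAP: Tunneled data is invalid.
Login incorrect (TLS Alert read:fatal:access denied): [Ric] (from client 192.168.1.8 port 50007 cli E0-3F-49-37-E5-E4)
} # server packetfence
Sending Access-Reject of id 54 to 192.168.1.8 port 1645
"""


@dataclass
class RadiusRequest:
    packet_id: int
    client: str
    attrs: dict = field(default_factory=dict)       # request attributes only
    response: Optional[str] = None                 # Access-Accept/Reject/Challenge
    findings: list = field(default_factory=list)   # diagnostic lines, in order seen


def parse_radiusd_debug(text: str):
    requests = []
    current = None
    in_attrs = False
    for raw in text.splitlines():
        line = raw.strip()
        m = RAD_RECV.match(line)
        if m:
            current = RadiusRequest(int(m["id"]), m["host"])
            requests.append(current)
            in_attrs = True        # attribute dump follows until the "server ..." line
            continue
        m = SENDING.match(line)
        if m:
            # Rejects are delayed, so tie the reply to its request by packet id, not adjacency.
            for r in reversed(requests):
                if r.packet_id == int(m["id"]) and r.response is None:
                    r.response = m["code"]
                    break
            continue
        if current is None:
            continue
        if line.startswith("server "):
            in_attrs = False
        if in_attrs:
            m = ATTR.match(line)
            if m:
                current.attrs[m["name"]] = m["value"]
            continue
        # Inside the server section: collect the lines that explain the outcome.
        if NO_AUTH_TYPE.match(line):
            current.findings.append("no Auth-Type set: no module in authorize claimed the request")
        elif PAP_NO_PASSWORD.match(line):
            current.findings.append("pap: no known-good password for this user")
        elif EMPTY_TUNNEL.match(line):
            current.findings.append("peap: tunnel established but carried no inner EAP data")
        elif (m := TLS_ALERT.match(line)):
            current.findings.append(f"tls alert from peer: {m['level']} {m['desc']}")
        elif (m := LOGIN_INCORRECT.match(line)):
            current.findings.append(
                f"login incorrect for [{m['user']}]: {m['reason'] or 'no reason given'}")
    return requests


def summarize(text: str):
    """One dict per request: who asked, from which port, what was answered, and why."""
    return [
        {"id": r.packet_id, "user": r.attrs.get("User-Name"),
         "mac": r.attrs.get("Calling-Station-Id"), "port": r.attrs.get("NAS-Port-Id"),
         "response": r.response, "findings": r.findings}
        for r in parse_radiusd_debug(text)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run against a saved `radiusd -X` capture, the summary separates the two failure modes in this thread at a glance: request 22 is rejected because nothing in `authorize` set an Auth-Type (the `pap` module had no known-good password to compare against), while request 54 is rejected because the supplicant sent a fatal TLS alert right after the PEAP handshake and the tunnel never carried inner authentication data, which is consistent with the certificate problem the author suspects.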
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users