Hi Fabrice
I only now got better after catching cold.
Tried to run your commands.
Nothing found in /usr/local/pf/raddb after running grep 172.19.254.2 * -r
I assume you wanted to confirm that nothing is defined in the clients.conf file.
As for the debugging mode, it only worked for me with this command, which shows the
whole flurry of output:
radiusd -d /usr/local/pf/raddb -n auth -fxx -l stdout
The only reference to my WAP IP was in these lines of output when radiusd
was processing clients in the database:
rlm_sql (sql): Adding client 172.19.254.2 (172.19.254.2) to global clients list
rlm_sql (172.19.254.2): Client "172.19.254.2" (sql) added
Now back again to the authentication attempt. The user test was created in
the PF GUI and I tried to authenticate from an iPhone and failed again. The only
meaningful part to me that could shed light on what is going on was this
from the debugging output:
(7) mschap: Creating challenge hash with username: test
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(7) mschap: --> --username=test
(7) mschap: Creating challenge hash with username: test
(7) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(7) mschap: --> --challenge=761121d890600862
(7) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(7) mschap: --> --nt-response=453c8b273d947054e2d880cf0dfd64838a1cf1cead6d7eef
Waking up in 0.4 seconds.
(7) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(7) mschap: External script failed
(7) mschap: ERROR: External script says: Reading winbind reply failed! (0xc0000001)
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # else = reject
(7) } # else = reject
(7) } # policy packetfence-mschap-authenticate = reject
(7) } # else = reject
(7) } # Auth-Type MS-CHAP = reject
What the heck? Why MSCHAP? And strange that I don't see the "shared secret
is incorrect" error.
Eugene
From: Fabrice Durand [mailto:[email protected]]
Sent: Friday, December 29, 2017 6:00 AM
To: E.P.; [email protected]
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with
FreeRADIUS
For me it looks like 172.19.254.2 is defined twice.
Can you run this in /usr/local/pf/raddb:
grep 172.19.254.2 * -r
Also can you try to run radiusd in debug mode and see if you can see
172.19.254.2 (radiusd -d /usr/local/pf/raddb -n auth -X)
Regards
Fabrice
On 2017-12-29 at 01:26, E.P. wrote:
Nah.
No luck at all, Fabrice. I'm becoming desperate ;)
I thought it had to do with the Unifi controller (reading here in other
threads that it is far from error-free), but I pointed it to FreeRADIUS
running on the DaloRADIUS host and regular user authentication worked nicely.
I just don't like DaloRADIUS due to its limitations and support, and hold my
aspiration towards PF.
Well, here we go again, I reconfigured the entry in switches file and it
looks very simplistic, 172.19.254.2 is the IP address of Unifi AP.
[root@PacketFence-ZEN conf]# cat ./switches.conf
[172.19.254.2]
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Test-WAP
VoIPLLDPDetect=N
radiusSecret=1234567890
VlanMap=N
Someone who uses Unifi, maybe jump in to validate my settings please.
In the settings for a specific wireless network I select WPA Enterprise
and select RADIUS profile that I configured separately pointing to PF IP
address. The RADIUS profile is configured as usual, i.e.
IP address, ports which are 1812/1813 and shared secret, nothing fancy about
it.
Both radius log files show the same consistent error:
Dec 29 06:10:24 PacketFence-ZEN acct[13247]: Dropping packet without
response because of error: Received Accounting-Request packet from client
172.19.254.2 with invalid Request Authenticator! (Shared secret is
incorrect.)
Dec 29 06:20:29 PacketFence-ZEN auth[13273]: Dropping packet without
response because of error: Received packet from 172.19.254.2 with invalid
Message-Authenticator! (Shared secret is incorrect.)
I don't think I have to start radius in debugging mode to have more output,
do I?
Eugene
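Both errors quoted above come from the same place: the server recomputes an integrity value over the received packet with its own copy of the shared secret and drops the packet when the two differ. The following Python script is an added example, not part of this thread or of PacketFence/FreeRADIUS, that builds a constructed Accounting-Request and Access-Request with the thread's secret "123456" and then verifies them against a different secret, reproducing the "Shared secret is incorrect." decision. The Request Authenticator calculation follows RFC 2866, the Message-Authenticator calculation follows RFC 3579; the attribute values and the fixed Request Authenticator in the Access-Request sample are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute type we care about (RFC 2865/2866/3579).
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
MESSAGE_AUTHENTICATOR = 80

# Constructed sample secrets; "123456" is the secret from the switches.conf above.
NAS_SECRET = b"123456"
WRONG_SECRET = b"1234567890"


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_accounting_request(identifier, attrs, secret):
    """Accounting-Request (RFC 2866 s.3): the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    request_auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + request_auth + attrs


def verify_accounting_request(packet, secret):
    """Recompute the Request Authenticator with our copy of the secret; a
    mismatch is what FreeRADIUS reports as 'invalid Request Authenticator'."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_access_request(identifier, attrs, secret, request_auth=None):
    """Access-Request carrying a Message-Authenticator (RFC 3579 s.3.2):
    HMAC-MD5 keyed with the secret over the whole packet, with the
    Message-Authenticator value set to 16 zero octets while computing."""
    if request_auth is None:
        request_auth = os.urandom(16)  # Access-Request authenticator is random
    body = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    return header + request_auth + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Walk the attribute list, find Message-Authenticator, and recompute it.
    Returns False when it is absent or when it does not match the secret."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute; treat as failure
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += attr_len
    return False


def sample_accounting_request(secret=NAS_SECRET):
    """Constructed Accounting-Request: User-Name=test1, Acct-Status-Type=Start."""
    attrs = attr(1, b"test1") + attr(40, b"\x00\x00\x00\x01")
    return build_accounting_request(7, attrs, secret)


def sample_access_request(secret=NAS_SECRET):
    """Constructed Access-Request from NAS 172.19.254.2 with a fixed authenticator."""
    attrs = attr(1, b"test1") + attr(4, bytes([172, 19, 254, 2]))
    return build_access_request(136, attrs, secret, request_auth=bytes(range(16)))


def diagnose(packet, secret):
    """The decision the server makes before it ever looks at credentials
    (for Access-Requests that carry a Message-Authenticator, as ours do)."""
    if packet[0] == ACCOUNTING_REQUEST:
        ok = verify_accounting_request(packet, secret)
    else:
        ok = verify_message_authenticator(packet, secret)
    return "ok" if ok else "Shared secret is incorrect."


if __name__ == "__main__":
    for name, pkt in (("acct", sample_accounting_request()), ("auth", sample_access_request())):
        print(name, "right secret:", diagnose(pkt, NAS_SECRET))
        print(name, "wrong secret:", diagnose(pkt, WRONG_SECRET))
```

The point for troubleshooting is that a secret mismatch is detected on the packet before any user database is consulted, so neither the user entry nor the SSID settings can be the cause of this particular error; only the secret configured on the NAS versus the one the server loaded for that client IP matters. An accounting packet carries no Message-Authenticator, which is why the verifier reports "invalid Request Authenticator" for it and "invalid Message-Authenticator" for the authentication packet.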
From: Durand fabrice [mailto:[email protected]]
Sent: Thursday, December 28, 2017 5:17 PM
To: E.P.; [email protected]
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with
FreeRADIUS
Can you try pfcmd configreload hard and restart radius. (pfcmd service
radiusd restart)
On 2017-12-28 at 19:20, E.P. wrote:
I should have made my previous email shorter because my main question fell
through the cracks.
Why do I have an error with the shared secret? Quoting it here again:
When I test this with a real network device, a Unifi WAP for example, I don't
get anywhere.
I see that the NAD is added; here's an entry from radius.log:
Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32
with shared secret "123456"
When I try to authenticate from an endpoint to a specific SSID I see this
error in radius-acct.log
Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without
response because of error: Received Accounting-Request packet from client
172.19.254.2 with invalid Request Authenticator! (Shared secret is
incorrect.)
I added this WAP under Policies and access control in the Switches section
using the shared secret shown above and following the admin guide. What
am I doing wrong?
Here's how the switches.conf file looks after I added this WAP:
[root@PacketFence-ZEN conf]# cat ./switches.conf
[172.19.254.2]
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Test-WAP
VoIPLLDPDetect=N
radiusSecret=123456
VlanMap=N
Eugene
From: Durand fabrice via PacketFence-users
[mailto:[email protected]]
Sent: Thursday, December 28, 2017 3:30 PM
To: [email protected]
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Need an advice and maybe assistance with
FreeRADIUS
Hello Eugene,
in fact for 802.1x you need to use eapol_test instead of radtest.
(http://deployingradius.com/scripts/eapol_test/)
Also use the port 1812 instead of 18120.
Regards
Fabrice
On 2017-12-28 at 03:07, E.P. via PacketFence-users wrote:
Guys,
I still hope someone with more experience with PF can give me a hand with this
trivial issue (if it is an issue).
I'm on my way to test PF with baby steps and just created a user under the Users
section in the PF GUI.
Then I test it using a simple command like this and it seems to work using
the local identity store.
[root@PacketFence-ZEN bin]# ./pftest authentication test1 123456
Testing authentication for "test1"
Authenticating against local
Authentication SUCCEEDED against local (Authentication successful.)
Matched against local for 'authentication' rules
set_access_level : User Manager
set_unreg_date : 0000-00-00 00:00:00
Matched against local for 'administration' rules
set_access_level : User Manager
set_unreg_date : 0000-00-00 00:00:00
Then I'm following the admin guide and want to test this user authentication
using the radtest command as in
[root@PacketFence-ZEN bin]# radtest test1 123456 localhost:18120 12 testing123
Sent Access-Request Id 136 from 0.0.0.0:45055 to 127.0.0.1:18120 length 75
User-Name = "test1"
User-Password = "123456"
NAS-IP-Address = 172.16.0.222
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "123456"
Received Access-Reject Id 136 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
Why am I rejected here? Am I not supposed to use this test1 user to test
RADIUS with the proxy module?
And finally, when I test this with a real network device, a Unifi WAP for
example, I don't get anywhere.
I see that the NAD is added; here's an entry from radius.log:
Dec 28 07:42:46 PacketFence-ZEN auth[16806]: Adding client 172.19.254.2/32
with shared secret "123456"
When I try to authenticate for an endpoint to a specific SSID I see this
error in radius-acct.log
Dec 28 07:38:58 PacketFence-ZEN acct[16780]: Dropping packet without
response because of error: Received Accounting-Request packet from client
172.19.254.2 with invalid Request Authenticator! (Shared secret is
incorrect.)
I added this WAP under Policies and access control in the Switches section
using the shared secret shown above and following the admin guide. What
am I doing wrong?
Here's how the switches.conf file looks after I added this WAP:
[root@PacketFence-ZEN conf]# cat ./switches.conf
[172.19.254.2]
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Test-WAP
VoIPLLDPDetect=N
radiusSecret=123456
VlanMap=N
Just to confirm, I'm not doing any inline mode, nor guest or web
authentication, just pure WPA-Enterprise with the RADIUS internal users identity
store.
Eugene
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)