postproxy breaks eap authentication
Hi,

I have 2 freeradius servers: 1 as proxy server, 1 as authentication server.
Everything is working fine (auth. for WPA2, MSCHAPv2) until I implement the
post-proxy function: then the authentication process does not finish.
Putting the vlanid etc. into radreply on the authentication radius, everything
is working also.

Is there something wrong in my config?

Version: freeradius/lucid uptodate 2.1.8+dfsg-1ubuntu1

/etc/freeradius/sites-enabled/default:

post-proxy {
        post_proxy_log
        #attr_rewrite
        attr_filter.post-proxy
        eap
        # Post-Proxy-Type Fail {
        #         detail
        # }
}

/etc/freeradius/attrs:

tu-dortmund.de
        Tunnel-Private-Group-ID := 8,
        Fall-Through = Yes

DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802

Regards
hans

--
Hans Bornemann
IT Medien Centrum - TU Dortmund
Tel. 0049 231 7552132

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: postproxy breaks eap authentication
On 17/11/10 12:31, hans.bornem...@tu-dortmund.de wrote:
> Hi, I have 2 freeradius servers: 1 as proxy server, 1 as authentication
> server. Everything is working fine (auth. for WPA2, MSCHAPv2) until I
> implement the post-proxy function:

Post the debugging output, as advised frequently on this list:

        radiusd -X | tee log

> post-proxy {
>         post_proxy_log
>         #attr_rewrite
>         attr_filter.post-proxy

You're probably filtering the EAP-Message and other required attributes out.

> /etc/freeradius/attrs:
>
> tu-dortmund.de
>         Tunnel-Private-Group-ID := 8,
>         Fall-Through = Yes
>
> DEFAULT
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802

This filter is insufficient. Please study the examples - you need at least:

        Reply-Message =* ANY,
        Proxy-State =* ANY,
        EAP-Message =* ANY,
        Message-Authenticator =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-CHAP-MPPE-Keys =* ANY,
        State =* ANY

...to be sure of EAP working.
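The following is an added example (mine, not code from this thread or from FreeRADIUS) that simulates in simplified form what attr_filter.post-proxy does to a home server's reply, so the effect of the filter above can be seen without a lab: it parses attrs-style text, merges the realm entry with DEFAULT when Fall-Through = Yes, drops every reply attribute that has no rule, and lists which of the attributes named above lack an `=* ANY` rule. The posted filter, its corrected form and the home server reply are embedded as constructed input (reply values shortened); the operator handling is an approximation of the module's behaviour, not its code.

```python
"""Simplified simulation of rlm_attr_filter on a proxied reply (added example,
not FreeRADIUS code). An attrs file is a series of entries: an unindented key
line (a realm, or DEFAULT) followed by indented "Attribute op Value" rules."""
import re

# The minimum pass-through list from the reply above.
EAP_REQUIRED = (
    "Reply-Message", "Proxy-State", "EAP-Message", "Message-Authenticator",
    "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "MS-CHAP-MPPE-Keys", "State",
)

# Operators modelled here (an approximation): "=*" passes any value, "=="
# passes a matching value, ":=" forces the value, "=" adds it if absent.
RULE_RE = re.compile(r"^\s*([\w-]+)\s*(=\*|==|:=|=)\s*(.*?)\s*,?\s*$")


def parse_attrs(text):
    """Return {key: [(attr, op, value), ...]} for attrs-style text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # unindented line starts an entry
            current = line.strip()
            entries.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if current is None or not m:
            raise ValueError("unparsable rule line: %r" % line)
        entries[current].append(m.groups())
    return entries


def rules_for(entries, key):
    """Rules for `key`; Fall-Through = Yes (or no entry) also pulls in DEFAULT."""
    rules = list(entries.get(key, []))
    falls = any(a == "Fall-Through" and v.lower() == "yes" for a, _, v in rules)
    if key != "DEFAULT" and (falls or key not in entries):
        rules += entries.get("DEFAULT", [])
    return [(a, o, v) for a, o, v in rules if a != "Fall-Through"]


def apply_filter(rules, reply):
    """Filter `reply`, a list of (attr, value) pairs, with the given rules.
    An attribute with no rule at all is dropped: that is what broke EAP."""
    kept = []
    for attr, value in reply:
        if any(r == attr and (op == "=*" or (op == "==" and rv == value))
               for r, op, rv in rules):
            kept.append((attr, value))
    for r, op, rv in rules:
        if op == ":=":
            kept = [(a, v) for a, v in kept if a != r] + [(r, rv)]
        elif op == "=" and all(a != r for a, _ in kept):
            kept.append((r, rv))
    return kept


def missing_eap_passthrough(rules):
    """Attributes from EAP_REQUIRED that have no '=* ANY' rule."""
    passed = {a for a, op, _ in rules if op == "=*"}
    return [a for a in EAP_REQUIRED if a not in passed]


# Constructed copy of the filter from the original post.
POSTED_ATTRS = """\
tu-dortmund.de
\tTunnel-Private-Group-ID := 8,
\tFall-Through = Yes

DEFAULT
\tTunnel-Type := VLAN,
\tTunnel-Medium-Type := IEEE-802
"""

# The same file with the pass-through rules from the reply added to DEFAULT.
FIXED_ATTRS = """\
tu-dortmund.de
\tTunnel-Private-Group-ID := 8,
\tFall-Through = Yes

DEFAULT
\tTunnel-Type := VLAN,
\tTunnel-Medium-Type := IEEE-802,
\tReply-Message =* ANY,
\tProxy-State =* ANY,
\tEAP-Message =* ANY,
\tMessage-Authenticator =* ANY,
\tMS-MPPE-Recv-Key =* ANY,
\tMS-MPPE-Send-Key =* ANY,
\tMS-CHAP-MPPE-Keys =* ANY,
\tState =* ANY
"""

# Constructed Access-Accept as a home server might return it (values shortened).
HOME_REPLY = [
    ("EAP-Message", "0x03cf0004"),
    ("Message-Authenticator", "0x00"),
    ("MS-MPPE-Recv-Key", "0x2eb89da2"),
    ("MS-MPPE-Send-Key", "0x0cf01341"),
    ("User-Name", "hans"),
    ("Proxy-State", "0x3130"),
]


def check(attrs_text, key="tu-dortmund.de", reply=HOME_REPLY):
    """Return (missing pass-through attrs, the reply after filtering)."""
    rules = rules_for(parse_attrs(attrs_text), key)
    return missing_eap_passthrough(rules), apply_filter(rules, reply)


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ATTRS), ("fixed", FIXED_ATTRS)):
        missing, filtered = check(text)
        print("%s filter: missing %s" % (name, missing or "nothing"))
        for attr, value in filtered:
            print("    %s = %s" % (attr, value))
```

Running it shows the posted filter returning only the three Tunnel-* attributes it sets itself, with EAP-Message and the MPPE keys gone, which is exactly what the supplicant then chokes on; the fixed filter keeps them while still dropping anything unlisted (User-Name in this sample).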
Having two MS-MPPE key pairs...
Hello all,

I am using EAP-TTLS/EAP-MSCHAPv2 to authenticate clients with a FR 2.1.10
backend AAA server. Requests go over an Access Point (playing the role of the
NAS), then get forwarded to a proxy AAA FR 2.1.10 server and finally get
routed to my backend server. My client is using wpa_supplicant with EAP=TTLS
and Phase2=autheap=mschapv2 options in the configuration file.

The problem I am having is that when the FR sends the final Access-Accept to
the client, I end up having two MS-MPPE-Send-Key and MS-MPPE-Recv-Key keys of
different length, one added by the mschap module and one added by the eap
module, as seen here:

Sending Access-Accept of id 52 to 2001:db95::100 port 1814
        Reply-Message = Hello, bob-mr1
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        MS-MPPE-Send-Key = 0x8566119a6066e8eb7c1663dea8d1629b
        MS-MPPE-Recv-Key = 0xc1f99bac753248c48db73fd5585bf810
        Message-Authenticator = 0x
        User-Name = bob-mr1
        MS-MPPE-Recv-Key = 0x2eb89da2ac20179cb2b99391f94ca2bddf1701c67c524badad98ce56f09873dc
        MS-MPPE-Send-Key = 0x0cf013411cfcea14ae9dee56baaf5467e55caed80fa83ffbbdf0f5998ce7fe62
        EAP-Message = 0x03cf0004
        Proxy-State = 0x3130

(if someone wants a full debug output of the server it is posted here:
http://pastebin.com/aXFMXXbT)

Having two MS-MPPE key pairs is wrong and does not allow the end-client to
properly finish its key exchange with the Access Point, but restarts the
EAP-TTLS communication.

I figured out that I could remove one pair of keys, by either doing this at
the end of my post-auth section of my inner-tunnel:

        update reply {
                MS-MPPE-Send-Key !* 0x00
                MS-MPPE-Recv-Key !* 0x00
        }

..or if I set use_mppe=no on the mschap module, although this means that I
will be losing the MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types
attributes as well.

Which one do you think is the best approach and has less impact for other
authentication methods (e.g. straightforward mschapv2 or others)?

By the way, I also tried using PEAP and mschapv2 for phase 2 but it didn't
have the above problem (it had just one pair of MS-MPPE keys). Isn't that
weird, since mschapv2 in PEAP is also eap-mschapv2, so I would expect to get
exactly the same phase 2 with EAP-TTLS.. What am I missing here?

Thanks a lot in advance,
Panos
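As an added example (not part of the post above and not FreeRADIUS code), here is a small checker that reads a `Sending Access-Accept` dump of the kind quoted above and flags any MS-MPPE key attribute that appears more than once, with the byte length of each copy. The dump embedded below is constructed from the values quoted in the post, with the string values quoted. A 16-byte pair is what MS-CHAPv2 key derivation produces and a 32-byte pair is what an EAP method derives from its MSK, so two pairs with mismatched lengths are the signature of both modules adding keys.

```python
"""Flag duplicated MS-MPPE keys in a radiusd -X reply dump (added example, not
code from the thread). Attribute lines in the dump look like
"\tName = value"; octet-string values are printed as 0x<hex>."""
import re
from collections import defaultdict

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")
KEY_ATTRS = ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")


def parse_reply(dump):
    """Return the (attr, value) pairs from a 'Sending Access-Accept ...' dump."""
    pairs = []
    for line in dump.splitlines():
        if line.startswith("Sending ") or not line.strip():
            continue
        m = ATTR_RE.match(line)
        if m:
            pairs.append(m.groups())
    return pairs


def octet_len(value):
    """Length in bytes of a 0x... value, or None for other value types."""
    if value.startswith("0x") and len(value) % 2 == 0:
        return (len(value) - 2) // 2
    return None


def duplicate_keys(pairs):
    """{attr: [byte lengths]} for every MS-MPPE key attribute seen more than once."""
    seen = defaultdict(list)
    for attr, value in pairs:
        if attr in KEY_ATTRS:
            seen[attr].append(octet_len(value))
    return {a: lens for a, lens in seen.items() if len(lens) > 1}


def report(dump):
    """Human-readable findings, one line per duplicated key attribute."""
    return ["%s appears %d times with lengths %s bytes" % (a, len(lens), lens)
            for a, lens in sorted(duplicate_keys(parse_reply(dump)).items())]


# Constructed from the Access-Accept quoted in the post (Message-Authenticator
# is abbreviated exactly as it was in the post).
DUMP = """\
Sending Access-Accept of id 52 to 2001:db95::100 port 1814
\tReply-Message = "Hello, bob-mr1"
\tMS-MPPE-Encryption-Policy = 0x0001
\tMS-MPPE-Encryption-Types = 0x0006
\tMS-MPPE-Send-Key = 0x8566119a6066e8eb7c1663dea8d1629b
\tMS-MPPE-Recv-Key = 0xc1f99bac753248c48db73fd5585bf810
\tMessage-Authenticator = 0x
\tUser-Name = "bob-mr1"
\tMS-MPPE-Recv-Key = 0x2eb89da2ac20179cb2b99391f94ca2bddf1701c67c524badad98ce56f09873dc
\tMS-MPPE-Send-Key = 0x0cf013411cfcea14ae9dee56baaf5467e55caed80fa83ffbbdf0f5998ce7fe62
\tEAP-Message = 0x03cf0004
\tProxy-State = 0x3130
"""

if __name__ == "__main__":
    for line in report(DUMP) or ["no duplicated MS-MPPE keys"]:
        print(line)
```

Feeding it a healthy PEAP accept like the one Panos mentions (one pair only) yields an empty report, which makes it usable as a quick post-auth sanity check over saved debug logs when an EAP method unexpectedly restarts.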
Re: AW: postproxy breaks eap authentication
hans.bornem...@tu-dortmund.de wrote:
> the debug output: the differences begin at line 82.

<shrug> You can try to figure out exactly what is misconfigured, or you can
go back to using the default configuration.

The default configuration works for proxying EAP packets. If your
configuration doesn't work, it's because you changed something and broke it.

If you don't know what you changed to break the server, your management
processes are insufficient. Track which changes you made, why you made them,
and test the configuration before you make any permanent change.

Alan DeKok.
AW: AW: postproxy breaks eap authentication
> The default configuration works for proxying EAP packets. If your
> configuration doesn't work, it's because you changed something and broke it.

The default config is working, I wrote that in the first mail.
IF I make this additional config, then eap is broken:

/etc/freeradius/sites-enabled/default:

post-proxy {
        post_proxy_log
        #attr_rewrite
        attr_filter.post-proxy
        eap
        # Post-Proxy-Type Fail {
        #         detail
        # }
}

/etc/freeradius/attrs:

tu-dortmund.de
        Tunnel-Private-Group-ID := 8,
        Fall-Through = Yes

DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802

> If you don't know what you changed to break the server, your management
> processes are insufficient. Track which changes you made, why you made them,
> and test the configuration before you make any permanent change.
>
> Alan DeKok.
Re: AW: AW: postproxy breaks eap authentication
On 17/11/10 14:27, hans.bornem...@tu-dortmund.de wrote:
> The default config is working, I wrote that in the first mail.
> IF I make this additional config, then eap is broken:
>
> /etc/freeradius/sites-enabled/default:
>
> post-proxy {
>         post_proxy_log
>         #attr_rewrite
>         attr_filter.post-proxy
>         eap
>         # Post-Proxy-Type Fail {
>         #         detail
>         # }
>
> /etc/freeradius/attrs:
>
> tu-dortmund.de
>         Tunnel-Private-Group-ID := 8,
>         Fall-Through = Yes
>
> DEFAULT
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802

Yes, BECAUSE YOU HAVE BROKEN EAP.

Did you read my email? EAP requires the EAP-Message, Message-Authenticator
and other attributes. You have configured the attribute filter to remove
them. So EAP is breaking.

Fix your broken attribute filter. Look at the /etc/raddb/attrs file that
comes with FreeRADIUS.
Differences between FreeRadius and GNU Radius
Hi,

I'm new to RADIUS and I have to configure a rather complex system. Due to the
lack of (well made) documentation on the wiki I googled around and I've found
a good manual for GNU Radius (the old radiusd). So my question is: how much
can I rely on that documentation while writing configuration files for
FreeRADIUS? Does there exist some piece of documentation which lists the
differences between the two systems? I'm especially interested in the
'huntgroups' file and in the authentication protocols.

Thank you for your interest,
Denis
Re: Differences between FreeRadius and GNU Radius
den2k wrote:
> I'm new to RADIUS and I have to configure a rather complex system. Due to
> the lack of (well made) documentation on the wiki

The server *does* include extensive documentation. See the doc directory,
and the comments in the configuration files.

> I googled around and I've found a good manual for GNU Radius (the old
> radiusd). So my question is: how much can I rely on that documentation
> while writing configuration files for FreeRADIUS?

You can't. They are *very* different pieces of software.

If you think that the GNU RADIUS documentation is better, it's only because
it's nicely formatted, and the server does a *lot* less than FreeRADIUS.

> Does there exist some piece of documentation which lists the differences
> between the two systems? I'm especially interested in the 'huntgroups' file

Do you have *specific* questions that are not answered by the comments in
the huntgroups file?

> and in the authentication protocols

FreeRADIUS supports all common authentication protocols.

Alan DeKok.
Re: configure output summary
Stefan Winter wrote:
> when running configure, lots of somewhat important messages scroll by, like
> silently disabling something you need :-)

Well... yes.

> An untrained eye may miss these easily, leading to confusion afterwards
> (I'm currently running a lecture on RADIUS, and pretty much all of my
> students took their time figuring out that they need openssl-devel for PEAP
> to work etc.).

If it doesn't do SSL, the server prints out large warnings when you first
start it in debugging mode.

> I think it would generally make sense to put a summary output of configure
> at the end of its run, so that one can easily see which modules will be
> disabled.

See the MODULES entry in the top-level Make.inc file. That contains the list
of modules which the server tries to build. The OPENSSL_LIBS entry in the
same file also shows whether or not OpenSSL is enabled. If it's empty,
there's no OpenSSL.

> In an acute case of bash script fiddling, I created the attached proof of
> concept test.sh script, which recursively goes through all config.log files
> and
> a) greps all lines with WARNING
> b) greps all lines with silently not building

grep -R is a Linux-ism. :( I still like portable code.

> and puts these out in massaged human-readable form. Would something like
> this have any chances of getting included into the tarball? It could run as
> the very last thing in configure...

Much simpler, and much less work:

- print out MODULES line from Make.inc
- look for OPENSSL_LIBS. If it's not there, warn that PEAP, etc. will be
  disabled.

The only real issue is that the list of modules to build is *large*. So
people might still ignore it when it's being printed out. But some simple
processing / pretty-printing might make it easier to read.

Alan DeKok.
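An added example (my own, not the test.sh script attached to Stefan's mail nor anything shipped with FreeRADIUS) that does what Alan suggests: collect the WARNING and "silently not building" lines from every config.log under a source tree with os.walk rather than grep -R, read MODULES and OPENSSL_LIBS from the top-level Make.inc, and warn when OPENSSL_LIBS is empty because that is the case where EAP-TLS, PEAP and TTLS quietly disappear. The config.log and Make.inc contents below are constructed samples written into a temporary tree; a real tree is scanned by passing its path to summarize_tree().

```python
"""Summarise what a FreeRADIUS configure run silently left out (added example,
not the script from the thread). Walks a tree for config.log files, collects
WARNING / "silently not building" lines, then reads MODULES and OPENSSL_LIBS
from Make.inc."""
import os
import re
import tempfile

MARKERS = ("WARNING", "silently not building")
VAR_RE = re.compile(r"^\s*(MODULES|OPENSSL_LIBS)\s*=\s*(.*?)\s*$")


def scan_config_log(text, source="config.log"):
    """Lines mentioning any marker, as (source, line) pairs."""
    return [(source, line.strip()) for line in text.splitlines()
            if any(mark in line for mark in MARKERS)]


def parse_make_inc(text):
    """Return {"MODULES": [...], "OPENSSL_LIBS": "..."} from Make.inc text."""
    found = {"MODULES": [], "OPENSSL_LIBS": ""}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m and m.group(1) == "MODULES":
            found["MODULES"] = m.group(2).split()
        elif m:
            found["OPENSSL_LIBS"] = m.group(2)
    return found


def tls_warning(info):
    """Message to show when OpenSSL was not found, else None."""
    if not info.get("OPENSSL_LIBS", "").strip():
        return "OpenSSL not found: EAP-TLS, PEAP and EAP-TTLS will be disabled"
    return None


def summarize_tree(root):
    """Portable directory walk (no grep -R): returns (findings, make_inc_info)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "config.log" in files:
            path = os.path.join(dirpath, "config.log")
            with open(path) as fh:
                findings += scan_config_log(fh.read(), path)
    info = {"MODULES": [], "OPENSSL_LIBS": ""}
    make_inc = os.path.join(root, "Make.inc")
    if os.path.exists(make_inc):
        with open(make_inc) as fh:
            info = parse_make_inc(fh.read())
    return findings, info


# Constructed samples, modelled on the shape of configure's messages; the
# module name and the missing header are placeholders, not a real build log.
SAMPLE_CONFIG_LOG = """\
configure:3021: checking for openssl/ssl.h
configure:3030: WARNING: openssl/ssl.h not found
configure:3150: WARNING: silently not building rlm_eap_tls.
configure:3151: WARNING: FAILURE: rlm_eap_tls requires: openssl.
configure:3300: result: yes
"""
SAMPLE_MAKE_INC = """\
MODULES = rlm_pap rlm_chap rlm_mschap rlm_eap
OPENSSL_LIBS =
"""


def write_sample_tree():
    """Create a throwaway tree holding the samples; returns its root path."""
    root = tempfile.mkdtemp(prefix="fr-configure-")
    sub = os.path.join(root, "src", "modules", "rlm_eap")
    os.makedirs(sub, exist_ok=True)
    with open(os.path.join(sub, "config.log"), "w") as fh:
        fh.write(SAMPLE_CONFIG_LOG)
    with open(os.path.join(root, "Make.inc"), "w") as fh:
        fh.write(SAMPLE_MAKE_INC)
    return root


if __name__ == "__main__":
    findings, info = summarize_tree(write_sample_tree())
    for source, line in findings:
        print("%s: %s" % (source, line))
    print("modules to build (%d): %s" % (len(info["MODULES"]), " ".join(info["MODULES"])))
    print(tls_warning(info) or "OpenSSL: %s" % info["OPENSSL_LIBS"])
```

Keeping the parsing in pure functions (scan_config_log, parse_make_inc) means the same logic can be wired into a configure hook or a CI check without the filesystem walk.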
Re: Accounting and Acct-Delay-Time in MySQL
Stefan Winter wrote:
> the default queries for mysql log Acct-Delay-Time into the columns
> acctstartdelay and acctstopdelay, respectively. They leave the timestamps
> for acctstarttime and acctstoptime at %S. For a non-zero delay, this means
> that a database reader needs to do math to get the start and stop times.

Yes. There have been discussions about fixing that, and other accounting
issues.

> It is rather unintuitive that a database user needs to calculate the
> *actual* event times manually by subtracting the values. This is something
> that MySQL can easily do on its own at INSERT or UPDATE.

Yes.

> Is there a specific reason why the two are kept separate? If not, I'll
> merrily volunteer to update the default query set to do so; I'll do this
> for my deployment's custom queries anyway. This would also make the two
> columns for delay time obsolete. Any thoughts on this?

I'd re-visit the entire accounting table queries. Create a *new* table, so
that people don't have surprises when they upgrade.

Ideally, it should be robust in the face of duplicate packets, and packets
forwarded via 2 different paths (think radrelay + delays).

Alan DeKok.
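An added example (not FreeRADIUS's own SQL queries or radacct schema) of the two points above, using sqlite3 in place of MySQL: the event time is stored with Acct-Delay-Time already subtracted from the arrival time, and the row is keyed by Acct-Unique-Session-Id so that a retransmitted Start, or a Stop that arrives via a second path before its Start, never creates a second row. The packets are constructed, and the example assumes the server has already attached Acct-Unique-Session-Id to every request (as the acct_unique module does) and that arrival time is the `%S` value the stock queries use.

```python
"""Accounting rows keyed by session, with Acct-Delay-Time already subtracted
and duplicate packets ignored (added example using sqlite3; not FreeRADIUS's
own queries or schema)."""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acctuniqueid    TEXT PRIMARY KEY,  -- one row per session, however many copies arrive
    username        TEXT NOT NULL,
    acctstarttime   INTEGER,           -- unix time of the event, not of packet arrival
    acctstoptime    INTEGER,
    acctsessiontime INTEGER
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def record(db, pkt, received_at):
    """Apply one Accounting-Request. `received_at` is the unix time the server
    got the packet; Acct-Delay-Time is how long the NAS had been retrying, so
    the event itself happened that much earlier."""
    when = received_at - int(pkt.get("Acct-Delay-Time", 0))
    uid = pkt["Acct-Unique-Session-Id"]
    # Create the session row if it is new. A duplicate Start, or a Stop that
    # overtook its Start on another path, just reuses the existing row.
    db.execute("INSERT OR IGNORE INTO radacct (acctuniqueid, username) VALUES (?, ?)",
               (uid, pkt["User-Name"]))
    if pkt["Acct-Status-Type"] == "Start":
        db.execute("UPDATE radacct SET acctstarttime = ? "
                   "WHERE acctuniqueid = ? AND acctstarttime IS NULL", (when, uid))
    elif pkt["Acct-Status-Type"] == "Stop":
        db.execute("UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? "
                   "WHERE acctuniqueid = ? AND acctstoptime IS NULL",
                   (when, int(pkt.get("Acct-Session-Time", 0)), uid))
    db.commit()


def session(db, uid):
    """The stored row for a session as a tuple, or None."""
    return db.execute(
        "SELECT acctuniqueid, username, acctstarttime, acctstoptime, acctsessiontime "
        "FROM radacct WHERE acctuniqueid = ?", (uid,)).fetchone()


# Constructed traffic: a Start, the same Start retransmitted 5 s later through
# a second proxy (Acct-Delay-Time = 5), and a Stop that arrives 30 s late.
T0 = 1290000000
PACKETS = [
    (T0, {"Acct-Status-Type": "Start", "User-Name": "bob",
          "Acct-Unique-Session-Id": "s1", "Acct-Delay-Time": "0"}),
    (T0 + 5, {"Acct-Status-Type": "Start", "User-Name": "bob",
              "Acct-Unique-Session-Id": "s1", "Acct-Delay-Time": "5"}),
    (T0 + 3630, {"Acct-Status-Type": "Stop", "User-Name": "bob",
                 "Acct-Unique-Session-Id": "s1", "Acct-Delay-Time": "30",
                 "Acct-Session-Time": "3600"}),
]


def replay(packets, order=None):
    """Feed the packets, optionally in a different arrival order, and return
    the resulting row for the first packet's session."""
    db = open_db()
    for i in (order if order is not None else range(len(packets))):
        received_at, pkt = packets[i]
        record(db, pkt, received_at)
    return session(db, packets[0][1]["Acct-Unique-Session-Id"])


if __name__ == "__main__":
    print("in order:     ", replay(PACKETS))
    print("stop first:   ", replay(PACKETS, [2, 0, 1]))
    print("retransmit 1st", replay(PACKETS, [1, 0, 2]))
```

Whichever copy of the Start arrives first, the stored start time is the same, because the delay has been taken off before the row is written; and because the Stop is applied only where acctstoptime is still NULL, a duplicate Stop cannot overwrite the recorded end of the session.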
RE: Logging ntlm authentication
> Could you please share the perl scripts and the corresponding configuration
> in radiusd.conf like authorize and post-auth section related to these logs?

Unfortunately, I would need to get a release from my company as the code
belongs to them. I cannot post it at this time.

You may want to look at the linelog module (depending upon what version of FR
you are running). If you're not familiar with perl, that might be easier for
you to implement.
Re: EAP-SIM and EAP-AKA support
Hi,

my question is: what IE/AVP in a RADIUS Access-Request identifies the
request as an EAP-SIM request?

/TM
rlm_exec and 'No such file or directory' error
Hi,

I'm using FreeRADIUS 2.1.3. At the end of the authorize section I need to
call a Perl script to do some LDAP checking and either set the Auth-Type to
Reject (to forcibly reject a user) or leave it set to whatever value
FreeRADIUS has previously set (always LDAP). I used to do this with rlm_perl
but it looks like backslashes in the plaintext User-Password attribute cause
things to break, and I need a quick fix while I look at what to do about the
rlm_perl problem.

I have the exec module enabled in the instantiate section of radiusd.conf and
I have the following at the end of the authorize section in the
sites-enabled/default file:

        if (control:Auth-Type == LDAP) {
                update control {
                        Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}`
                }
        }

When I run the basic test with debug (-X) turned on I see the following trace:

[snip]
radiusd: Instantiating modules
Wed Nov 17 17:36:20 2010 : Debug:  instantiate {
Wed Nov 17 17:36:20 2010 : Debug:  (Loaded rlm_exec, checking if it's valid)
Wed Nov 17 17:36:20 2010 : Debug: Module: Linked to module rlm_exec
Wed Nov 17 17:36:20 2010 : Debug: Module: Instantiating exec
Wed Nov 17 17:36:20 2010 : Debug:   exec {
Wed Nov 17 17:36:20 2010 : Debug:     wait = yes
Wed Nov 17 17:36:20 2010 : Debug:     input_pairs = request
Wed Nov 17 17:36:20 2010 : Debug:     shell_escape = no
Wed Nov 17 17:36:20 2010 : Debug:   }
[snip]
Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP)
Wed Nov 17 17:49:21 2010 : Info: ? Evaluating (control:Auth-Type == LDAP) -> TRUE
Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP) -> TRUE
Wed Nov 17 17:49:21 2010 : Info: ++- entering if (control:Auth-Type == LDAP) {...}
Wed Nov 17 17:49:21 2010 : Info: Executing /etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}
Wed Nov 17 17:49:21 2010 : Info:     expand: %{control:Ldap-UserDn} -> CN=bill,OU=Facility Users,DC=foo,DC=ac,DC=uk
Wed Nov 17 17:49:21 2010 : Info:     expand: %{control:Auth-Type} -> LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output: LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext: LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 0
Wed Nov 17 17:49:21 2010 : Info:     result 0
Wed Nov 17 17:49:21 2010 : Info:     expand: %{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}} -> LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output:
Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext:
Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 1
Wed Nov 17 17:49:21 2010 : Info: +++[control] returns invalid
Wed Nov 17 17:49:21 2010 : Info: ++- if (control:Auth-Type == LDAP) returns invalid
Wed Nov 17 17:49:21 2010 : Auth: Invalid user: [bill] (from client localNas port 52340 cli AB-CD-EF-00-00-00)

In this case the call to the Perl script (facilityUsers.pl) returns LDAP, but
it looks like rlm_exec then tries to execute this result as a command, which
fails, and then the whole Access-Request message is rejected.

I'm clearly doing something wrong, but I can't see what. Can anyone offer any
suggestions?

Thanks in advance,
Mark.
Execute PRISM into HOSTAPD?
Hello,

I am working with Ubuntu 9.10. I installed freeradius server 2.1.10; the
RADIUS server is OK, but I am trying to implement hostapd in order to manage
several access points. Thus I installed the hostapd program, but I have a
question concerning other software related to hostapd. I downloaded PRISM by
using the update manager utility provided by Ubuntu. How can I execute PRISM
from a terminal? Which are the commands to execute PRISM? Do you have a quick
install document for PRISM?

Thanks in advance.

Octavio Ramírez Rojas
Re: Setting up postauth to record radius-client name and other information
William wrote:
> What I want to store in the radpostauth table is:
> ...
> (I want to add these)
> Calling_Station, Called_Station,

See the debug mode for these attribute names. They're in the packet.
Calling-Station-Id and Called-Station-Id.

> NAS_Short_name from clients.conf

That's a little more magical: %{client:shortname}

Alan DeKok.
Re: rlm_exec and 'No such file or directory' error
mark.le...@stfc.ac.uk wrote:
> I have the exec module enabled in the instantiate section of radiusd.conf
> and I have the following at the end of the authorize section in the
> sites-enabled/default file:
>
> if (control:Auth-Type == LDAP) {
>         update control {
>                 Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}`

Please read "man unlang". What you have configured here is:

1) run the exec module to get some output via %{exec:...}
2) run the resulting data as a program via `...`

That's likely not what you want. Use double quotes instead of back-quotes.

Alan DeKok.
Re: Crypt Passwords in SQL
On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
> Greetings,
>
> First, thanks Alan DeKok. That was exactly what I needed for
> NAS_Short_Name.
>
> Second, I just discovered a new issue. Not sure if this is a radius or a
> MySQL issue. When I crypt a password (MySQL CRYPT command) the password
> matches anything and everything that matches the first 8 characters of the
> password. Is this a limitation of Radius crypt or is it a MySQL crypt? I
> need 16+ character passwords that match.
>
> Wm

Crypt has an 8 character limit in its specification. Some screwy systems play
tricks like using the first 7 chars + the last char of a string longer than 8
chars (MacOS) instead of just the first 8, but it is still eight chars. You
will need to use another encoding system for more characters.

Cheers,
Ken
Re: configure output summary
Hi,

> when running configure, lots of somewhat important messages scroll by, like
> silently disabling something you need :-)

./configure --with-whatever-options | grep WARN ;-)

There are other packages that print out stuff at the end about what features
are not enabled etc. - but, being on those mailing lists too, no one reads
that output even if you put a whacking great big dragon in it ;-)

alan
Re: AW: postproxy breaks eap authentication
Hi,

>> The default configuration works for proxying EAP packets. If your
>> configuration doesn't work, it's because you changed something and broke
>> it.
>
> The default config is working, I wrote that in the first mail.
> IF I make this additional config, then eap is broken:
>
> /etc/freeradius/attrs:
>
> tu-dortmund.de
>         Tunnel-Private-Group-ID := 8,
>         Fall-Through = Yes
>
> DEFAULT
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802

THAT file isn't the default config. You have pretty much removed all of the
attributes that must be passed through for EAP to work.

Basically, what you have done is said, 'okay, you've authenticated, but
before I send the packet back, I will run it through a filter'. Your filter
doesn't list any of the required attributes and therefore is breaking
things.

The email from Phil correctly stated all the attributes needed as a
minimum... these are in the default attrs file - I know, because I ensured
all the right ones were there for EAP proxy to work (back in 1.0.x days) - I
deal with several queries each month from sites where they have just enabled
pre-proxy or post-proxy filtering for security - without realising what they
are doing.

I wouldn't put those values into attrs... I would use a different way.

alan
freeradius on ubuntu
Hello,

I am lost in FreeRADIUS on Ubuntu. I want to use PEAP authentication on the
Ubuntu platform, but it seems that rlm_eap_tls.so has a license problem and
is not built in the Ubuntu freeradius, so I tried to build the source code
and found that on hardy 8.04 it needs debhelper version >= 6.04. Then I
downloaded debhelper 8.00 and tried to make it a deb package by using:

m...@radius:~/debhelper$ dpkg-buildpackage -rfakeroot
dpkg-buildpackage: set CPPFLAGS to default value:
dpkg-buildpackage: set CFLAGS to default value: -g -O2
dpkg-buildpackage: set CXXFLAGS to default value: -g -O2
dpkg-buildpackage: set FFLAGS to default value: -g -O2
dpkg-buildpackage: set LDFLAGS to default value: -Wl,-Bsymbolic-functions
dpkg-buildpackage: source package debhelper
dpkg-buildpackage: source version 8.0.0
dpkg-buildpackage: source changed by Joey Hess jo...@debian.org
dpkg-buildpackage: host architecture i386
 fakeroot debian/rules clean
./run dh clean
Undefined subroutine &Getopt::Long::GetOptionsFromArray called at /home/matt/debhelper/Debian/Debhelper/Dh_Getopt.pm line 156.
make: *** [clean] Error 255
dpkg-buildpackage: failure: fakeroot debian/rules clean gave error exit status 2

How can I get rlm_eap_tls.so on the Ubuntu platform?

thanks!

--
Best Regards
Matthew (方嘉)
Re: freeradius on ubuntu
Hi,

> Hello, I am lost in FreeRADIUS on Ubuntu. I want to use PEAP
> authentication on the Ubuntu platform, but it seems that rlm_eap_tls.so
> has a license problem and is not built in the Ubuntu freeradius, so I
> tried to build the source code and found that on hardy 8.04 it needs
> debhelper version >= 6.04.

http://wiki.freeradius.org/Build#Building_Ubuntu_packages

alan
Help: 802.1x with freeRadius and mySql database
Hi Everyone,

I have set up freeRadius on Ubuntu server 10.0.4. I also set up a Cisco
switch as a NAS and enabled 802.1x on the switch port. I used the
configuration files first (clients.conf, users). The 802.1x authentication
just works fine. Then I started to use a MySQL database instead of
clients.conf and users. I followed the instructions from this link:
http://wiki.freeradius.org/SQL_HOWTO. I use the radtest command to test the
username/password. It works fine. Then I use the Cisco switch to test the
username/password and NAS; it also works fine. But the 802.1x authentication
does not work. Here is the output from freeradius -X (console messages from
the switch are interleaved with the debug output):

Ready to process requests.
rad_recv: Access-Request packet from host 10.5.84.14 port 1645, id=213, length=265
        User-Name = anonymous
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1A-6C-79-7F-89
        Calling-Station-Id = 00-18-8B-B2-74-CE
        EAP-Message = 0x0207006b190017030100603436ac7bdf2130158ce653dea69c9c5c155d4a677f8bf6a3330838e2ca749c29c00d7fef558443728826479cb9dbd75b4e3fc4e62b27ecc64a942b06784ae85df1499325a9c927f9e0de86a9989d7349874019e3a286ebb4ab95347d704aaf79
        Message-Authenticator = 0x8a020beb0674cb778f3feb2400792a88
        NAS-Port-Type = Ethernet
        NAS-Port = 50107
        NAS-Port-Id = FastEthernet1/0/7
        State = 0xc7b0e155c2b7f81cdb855c0280b00b4a
nt (0018.8bb2.74ce) on Interface Fa1/0/7 AuditSessionID 0A05540E005E17970995
        NAS-IP-Address = 10.5.84.14
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94ed2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
server {
  PEAP: Setting User-Name to 83008
020358: Nov 17 11:41:28.199 PST: %AUTHMGR-5-FAIL: Authorization failed for client (0018.8bb2.74ce) on Interface Fa1/0/7 AuditSessionID 0A05540E005E17970995
Sending tunneled request
        EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94ed2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 83008
        State = 0xe741fb76e746e148ba5c58c22edbac30
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = 83008, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for 83008 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.

83008 is my user id. Why does it try to use the MSCHAP module and
NT-Password?

Here is the fradius database information in MySQL.

mysql> show tables;
+-------------------+
| Tables_in_fradius |
+-------------------+
| nas               |
| radacct           |
| radcheck          |
| radgroupcheck     |
| radgroupreply     |
| radpostauth       |
| radreply          |
| radusergroup      |
+-------------------+
8 rows in set (0.00 sec)

mysql> select * from nas;
+----+------------+-----------+-------+-------+--------+-----------+---------------+
| id | nasname    | shortname | type  | ports | secret | community | description   |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
|  2 | 10.5.84.14 | lab-3750b | cisco |  NULL | spl00t |      NULL | RADIUS Client |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
1 row in set (0.00 sec)

mysql> select * from radcheck;
[Segmentation Fault while proxying Request to home server]
Hello,

We're having the following authentication scenario for WiMAX user
authentication:

ASN -- EAP/TTLS --- 2 freeradius used as proxy -- 2 freeradius home servers.

AAA is fine when both home servers are up, but when one of them or both of
them are dead, we're having the following logs on the proxy:

rad_recv: Access-Request packet from host a.b.c.D port 10008, id=117, length=406
Sending duplicate proxied request to home server a.b.c.d port 1812 - ID: 36
Sending Access-Request of id 36 to a.b.c.d port 1812
        User-Name = x...@domain.com
        MS-CHAP-Challenge = 0xdcd70de41d9783aa76aa573d3d07f84d
        MS-CHAP2-Response = 0x4700db77a532a5ec9b28c3805d18cc35ed17d00f9d99d46d688436477daf0cdd734b813f11e4bd115e16
        NAS-IP-Address = x.y.z.w
        Calling-Station-Id = 002104bec153
        NAS-Identifier = WASN
        Event-Timestamp = Nov 18 2010 01:43:06 CET
        WiMAX-Release = 1.1
        WiMAX-Capability = 0x0105312e31020302030301040301
        WiMAX-Accounting-Capabilities = Flow-Based
        WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
        WiMAX-Idle-Mode-Notification-Cap = Supported
        WiMAX-Attr-1281 = 0x01
        WiMAX-BS-Id = 0x303030303261323930633030
        WiMAX-GMT-Timezone-offset = 3600
        NAS-Port-Type = Wireless-802.16
        WiMAX-Available-In-Client = 99
        WiMAX-PPAC = 0x01060063
        Service-Type = Framed-User
        Message-Authenticator := 0x
        Proxy-State = 0x313137
Waking up in 21.0 seconds.
WARNING: Internal sanity check failed in event handler for request 6: Discarding the request!
Segmentation fault

And then the proxy radius dies. This happens each time at the fifth try while
trying to send the request to a dead home server.

The regular logs give:

Nov 18 01:37:46 vma-prdaut-08 radiusd[11028]: Marking home server a.b.c.d port 1812 as zombie (it looks like it is dead).

I know I should give a gdb trace to help, but since this is a production
server, it might take some time to give the trace.

Do you have any idea what it could be related to?

Environment is the following: FreeBSD 8.0 / FreeRADIUS 2.1.10 compiled on
threaded perl for snmp script use.

Thanks
Thomas
want to set up something a little more complex, not sure how to start. (hosts authenticated against openldap server)
I've currently got a single host configured to have a certificate; the
certificate is issued on a per-host basis. I want to somehow link a specific
machine to a specific SSL certificate. It's my understanding that openldap or
mysql can do this.

I'd prefer not to use mysql as the mysql authentication server is already
running on a separate server from my radius server, and I want the radius
server to be self-sufficient. The load is low enough to sustain this, but I'd
also prefer not to maintain 2 mysql servers separately. Ergo, mysql is a last
resort solution. That leaves openldap.

I should say now I'm authenticating wireless clients over WPA2 + EAP-TLS.

I'm still looking for a fairly simple "install a keypair + cacert on a client
and it just works from then on", but I'd like to register in openldap that a
given host (identified by some combination of name and MAC address) is
permanently tied to a given certificate. If the host and certificate don't
match, I'd want to get some sort of notification in the logs or an e-mail
alert or similar.

What I don't want is for users to have to maintain any sort of password or
username to connect to the wireless network. We're not using passwords now;
we don't want to add complexity on the user side.

I'm not really sure how to accomplish authorizing a certificate that's
already passed TLS authentication, but if it's possible, I know you folks will
be able to point me to a guide or provide some input as to how to accomplish
this.
Re: [Segmentation Fault while proxying Request to home server]
Thomas Fagart wrote:
> ...
> WARNING: Internal sanity check failed in event handler for request 6: Discarding the request!
> Segmentation fault
>
> And then the proxy radius dies.

That's not good.

> This happens each time at the fifth try while trying to send the request
> to a dead home server.

I haven't been able to reproduce it, so it's difficult to track down.

> I know I should give a gdb trace to help, but since this is a production
> server, it might take some time to give the trace.

Uhh... you can't run *another* test server using the same config? With
eapol_test to generate test traffic?

> Do you have any idea what it could be related to?

It's a bug. Past that, it's impossible to say.

Alan DeKok.