User get after few minute
Dear All, I have an issue with configuring RADIUS. I have one Juniper MX80 acting as LNS in my lab and FreeRADIUS Version 2.1.12 installed. I can see there is a successful connection log in RADIUS, but after around 1 min it connects again and again. I have checked the MX80 but it has no significant log. Below is the full log, in debug mode, from RADIUS during connect. Please advise.

rad_recv: Access-Request packet from host 22.0.0.77 port 51280, id=32, length=237
	User-Name = "testu...@intel.com"
	Service-Type = Framed-User
	CHAP-Password = 0x6424072271437b7df6f638bd05496fe856
	CHAP-Challenge = 0xcf44cbf713aedaac40824ffc535532d96e7b109b025cb2a3b0
	Chargeable-User-Identity = ""
	Acct-Session-Id = "491"
	ERX-Dhcp-Mac-Addr = ".."
	NAS-Identifier = "MX80-LAB-LNS"
	NAS-Port = 4095
	NAS-Port-Id = "Ip:192.168.77.1:192.168.77.2:55776:38107:10971:4534:2765160448"
	NAS-Port-Type = Virtual
	ERX-Attr-162 = 0x05f5e1
	ERX-Attr-163 = 0x05f5e1
	NAS-IP-Address = 22.0.0.77
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "eintel.com" for User-Name = "testu...@intel.com"
[suffix] No such realm "eintel.com"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> testu...@intel.com
[sql] sql_set_user escaped user --> 'testu...@intel.com'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testu...@intel.com' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testu...@intel.com' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testu...@intel.com' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "testu...@intel.com" with CHAP password
[chap] Using clear text password "saba" for user testuser@intel.com authentication.
[chap] chap user testu...@intel.com authenticated succesfully
++[chap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> testu...@intel.com
[sql] sql_set_user escaped user --> 'testu...@intel.com'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} -> 0x6424072271437b7df6f638bd05496fe856
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testu...@intel.com', '0x6424072271437b7df6f638bd05496fe856', 'Access-Accept', '2013-08-22 15:51:05')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testu...@intel.com', '0x6424072271437b7df6f638bd05496fe856', 'Access-Accept', '2013-08-22 15:51:05')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 32 to 22.0.0.77 port 51280
	Framed-IP-Address = 10.1.1.123
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 32 with timestamp +177
Ready to process requests.

Regards,
SP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
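One check this debug output lends itself to, added here as an example (it is not part of the post and not FreeRADIUS code): correlate each "rad_recv: Access-Request" block with its later "Cleaning up request ... with timestamp +T" line, which carries seconds since radiusd started, and report subscribers who are re-authenticating at short intervals. The regexes assume the FreeRADIUS 2.x "radiusd -X" layout shown above; the packet ID is the only field the two lines share, so requests are keyed by it. The sample log is constructed for the example and is not the poster's full output.

```python
import re
from collections import defaultdict

# Patterns for the FreeRADIUS 2.x "radiusd -X" layout shown in the post.
RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+),')
ATTR_RE = re.compile(r'^[ \t]+([\w-]+) = (.*)$')
CLEANUP_RE = re.compile(r'^Cleaning up request \d+ ID (\d+) with timestamp \+(\d+)')


def parse_auth_events(lines):
    """Return (timestamp, nas_ip, user, acct_session_id) for each completed request.

    Only the indented attribute lines directly under rad_recv are read; the
    '# Executing ...' line ends that block. RADIUS packet IDs are 8-bit and
    reused, so the most recent request carrying an ID is the one matched to
    its 'Cleaning up' line (a limitation of working from debug text alone).
    """
    pending = {}
    current = None
    events = []
    for line in lines:
        m = RECV_RE.match(line)
        if m:
            current = {'nas': m.group(1)}
            pending[int(m.group(2))] = current
            continue
        if line.startswith('#'):
            current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
            continue
        m = CLEANUP_RE.match(line)
        if m:
            req = pending.pop(int(m.group(1)), None)
            if req is not None:
                events.append((int(m.group(2)), req['nas'],
                               req.get('User-Name', '?'),
                               req.get('Acct-Session-Id', '?')))
    return events


def find_reauth_loops(events, max_gap=120):
    """Map (nas_ip, user) -> gaps in seconds between consecutive authentications
    that are no longer than max_gap; users with no short gap are omitted."""
    by_user = defaultdict(list)
    for ts, nas, user, _sess in events:
        by_user[(nas, user)].append(ts)
    loops = {}
    for key, stamps in by_user.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        short = [g for g in gaps if g <= max_gap]
        if short:
            loops[key] = short
    return loops


# Constructed sample in the post's format: the same subscriber authenticates
# at +177 and again at +237, plus one unrelated request from another NAS.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 22.0.0.77 port 51280, id=32, length=237
\tUser-Name = "testu...@intel.com"
\tAcct-Session-Id = "491"
\tNAS-IP-Address = 22.0.0.77
# Executing section authorize from file /etc/raddb/sites-enabled/default
++[chap] returns ok
Sending Access-Accept of id 32 to 22.0.0.77 port 51280
\tFramed-IP-Address = 10.1.1.123
Finished request 2.
Cleaning up request 2 ID 32 with timestamp +177
rad_recv: Access-Request packet from host 22.0.0.77 port 51280, id=33, length=237
\tUser-Name = "testu...@intel.com"
\tAcct-Session-Id = "492"
\tNAS-IP-Address = 22.0.0.77
# Executing section authorize from file /etc/raddb/sites-enabled/default
Sending Access-Accept of id 33 to 22.0.0.77 port 51280
Finished request 3.
Cleaning up request 3 ID 33 with timestamp +237
rad_recv: Access-Request packet from host 22.0.0.78 port 40000, id=7, length=100
\tUser-Name = "other"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
Cleaning up request 4 ID 7 with timestamp +250
"""

if __name__ == '__main__':
    evts = parse_auth_events(SAMPLE_LOG.splitlines())
    for (nas, user), gaps in find_reauth_loops(evts).items():
        print('%s from NAS %s re-authenticated after %s s' % (user, nas, gaps))
```

Run it against a saved "radiusd -X" capture (`parse_auth_events(open('debug.log'))`) and a subscriber that shows up with a steady 60 s gap and a new Acct-Session-Id each time is reconnecting rather than being re-authenticated within one session, which points at the NAS/LNS side rather than at the Access-Accept itself.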
Re: FR3.0/Policy.D
noted. tks

On Tue, Aug 20, 2013 at 9:43 PM, Alan DeKok wrote:
> ultaman khoo wrote:
> > Thanks Alan, I'm already on it right now; is there anything from the RFC that you
> > are aware of that can challenge back that the change of NAS IP is wrong? Thanks
>
> All of the RADIUS RFCs assume that a client has one IP, and only one IP.
>
> Alan DeKok.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> well looking at man wpa_supplicant I can see
>
> EAP-PEAP/TLS

I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what it's talking about.

> also from my google searches it might be possible that windows supports
> PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get

Yes

> There is a concern in our organization with security of PEAP/MSCHAPV2 over
> Eduroam because we don't really trust supplicants in windows, macs and various phones
> to do the right thing (windows phone doesn't check the radius certificate for
> example).

If that's all you're doing, forget about PEAP and just go for straight EAP-TLS. All PEAP really gives you on top is the SoH support, and it may cause problems with other non-Windows clients. EAP-TLS should work on more devices.

Some devices you'll be stuck with PEAP/MSCHAPv2 though (or TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't do EAP-TLS.

You do realise that EAP-TLS is certificate based, not user/password? So you need a full certificate management system to go with it as well to issue certs to your users. You can't get user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still certificate (machine auth) only.

My advice would be to stick with PEAP/EAP-MSCHAPv2 and use deployment tools to get the devices configured correctly.

Matthew

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253,
Re: ntlm_auth not respected
Okay, pardon my confusion then. I had been following a howto online and it reported that the command when run manually will produce the key. Either way, I'm still having a failure in MSCHAP with radtest that I'm not quite grasping.

On Aug 21, 2013, at 17:49, Phil Mayers wrote:
> On 21/08/2013 19:28, Chris Parker wrote:
>
> > So I doubt this issue is with FR, but more of that Samba is being
> > cranky. I can never get ntlm_auth to give me that NT key, which I
> > feel if I could resolve that, I could continue with FR.
>
> No. NT_KEY is only generated by mschap, not by username/password auth. See my
> other email.
Intermediate SSL certificate
I am having an issue with an intermediate SSL certificate and clients failing to validate the certificate. When using intermediate certs in, for instance, Apache there is a separate directive where you specify the intermediate certs. Then as part of the SSL handshake those certs are sent along to the client. I read that for FreeRADIUS you just combine the cert with the intermediate cert into one file and then reference that in eap.conf:certificate_file. I have done that but clients are still failing certificate validation. Any help would be appreciated.

Thanks
Re: ntlm_auth not respected
On 21/08/2013 13:55, Chris Parker wrote:
> Thank you Phil! That resolved my first steps, and I figured there was something like that. I have pored over deployingfreeradius.com, but for the life of me I could not find anything of assistance for my set up.

Yeah... to be honest, I think I've just confused matters.

> I have enabled the ntlm_auth line in modules/mschap but no password is sent to ntlm_auth to be checked. So the fact that it's failing makes sense, since there's no password being read in and thus it fails authorize. So this is just escaping me on how to get the password into ntlm_auth via MSCHAP. On top of that, when my access point succeeds against the users file, I suspect it's doing EAP but the logs never say "I have detected EAP, setting EAP"

I see a lot of confusion in that paragraph. In brief:

RADIUS supports multiple authentication algorithms, and the client chooses the algorithm.

"modules/ntlm_auth" can only handle PAP, which sends a username & password.

"modules/mschap" can handle MSCHAP, which sends a challenge/response based on the password.

"eap" handles EAP, and then calls other modules to handle what runs inside the EAP tunnel.

You're getting confused because you seem to be trying to configure "modules/ntlm_auth" to handle MSCHAP, which won't work. MSCHAP doesn't send the password to the server; just a one-time function of it.

My advice - go back to the default configs, and ignore "modules/ntlm_auth". It's not really intended for use as-is; it's a sample config for people to build on if they have advanced knowledge of the server.

Re-read the stuff on deployingradius.com - if you're trying to do WPA-Enterprise (aka 802.1x) then it is definitive. If you're trying to do something else, describe what, and show a *full* debug of a client trying and failing.
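To make the point above concrete (a challenge/response method carries only a one-time function of the password, so the server must hold a "known good" password and %{User-Password} expands to nothing), here is the CHAP computation that rlm_chap performed in the MX80 thread at the top of this page, written as an added example; it is not code from FreeRADIUS or from either poster. CHAP is used rather than MS-CHAP because it needs only MD5 from the standard library; MS-CHAP works the same way on the NT hash (MD4 of the password) with DES, which is exactly the part the mschap module hands to Samba's ntlm_auth. The challenge in `demo()` is generated locally and labelled as constructed; the hex values copied from the first post are included as data so the function can be run against a real exchange.

```python
import hashlib
import hmac
import os


def chap_password_attr(ident, password, challenge):
    """What the client puts in CHAP-Password (RFC 2865 section 5.3):
    one byte CHAP ident followed by MD5(ident || password || challenge).
    The password itself never goes on the wire."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password, challenge, known_good_password):
    """Server side, as rlm_chap does it: recompute the response from the
    stored cleartext password and compare in constant time."""
    if len(chap_password) != 17:
        return False
    expected = chap_password_attr(chap_password[0], known_good_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def request_has_cleartext_password(attrs):
    """What '%{User-Password}' expands to: only a PAP request carries it, so for
    CHAP/MS-CHAP it is empty and 'ntlm_auth --password=' receives nothing."""
    return bool(attrs.get('User-Password'))


# Values copied from the MX80 debug output at the top of the page; the server
# logged the user as authenticated with the cleartext password "saba".
LOGGED_CHAP_PASSWORD = bytes.fromhex('6424072271437b7df6f638bd05496fe856')
LOGGED_CHAP_CHALLENGE = bytes.fromhex('cf44cbf713aedaac40824ffc535532d96e7b109b025cb2a3b0')


def verify_logged_request(password=b'saba'):
    """Re-run the server-side check on the exchange from the first post."""
    return verify_chap(LOGGED_CHAP_PASSWORD, LOGGED_CHAP_CHALLENGE, password)


def demo():
    """Constructed exchange: a client knowing 'saba' answers a random challenge."""
    challenge = os.urandom(16)      # constructed here; a NAS sends it as CHAP-Challenge
    ident = 0x64
    response = chap_password_attr(ident, b'saba', challenge)
    request = {                     # constructed Access-Request, CHAP flavour
        'User-Name': 'testuser',
        'CHAP-Password': response,
        'CHAP-Challenge': challenge,
    }
    tampered = response[:-1] + bytes([response[-1] ^ 0x01])   # flip one response bit
    return {
        'right_password': verify_chap(response, challenge, b'saba'),
        'wrong_password': verify_chap(response, challenge, b'sabb'),
        'tampered_response': verify_chap(tampered, challenge, b'saba'),
        'user_password_present': request_has_cleartext_password(request),
    }


if __name__ == '__main__':
    print(demo())
    print('logged MX80 exchange verifies with "saba":', verify_logged_request())
```

The `user_password_present` result is the whole story of the failing `[ntlm_auth] expand: --password=%{User-Password} -> --password=` line in the MS-CHAP debug further down this page: the attribute is simply not in a CHAP or MS-CHAP request, so nothing can be passed to a PAP-only checker.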
Re: ntlm_auth not respected
On 21/08/2013 19:28, Chris Parker wrote:
> So I doubt this issue is with FR, but more of that Samba is being cranky. I can never get ntlm_auth to give me that NT key, which I feel if I could resolve that, I could continue with FR.

No. NT_KEY is only generated by mschap, not by username/password auth. See my other email.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:13:57PM +0100, Phil Mayers wrote:
> On 21/08/2013 12:17, Martin Kraus wrote:
> > Hi.
> > I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
>
> Is this really what you mean? TTLS outer and TLS inner, versus PEAP
> outer and TLS inner?
>
> Because the latter is unlikely to work; it's not a supported combo
> per the PEAP spec.

well looking at man wpa_supplicant I can see

EAP-PEAP/TLS

so I assumed that this is an equivalent of EAP-TTLS/TLS. also from my google searches it might be possible that windows supports PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get it to work because there is no EAP-TTLS/TLS support in windows.

There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam because we don't really trust supplicants in windows, macs and various phones to do the right thing (windows phone doesn't check the radius certificate for example).

I'll paste the full debug tomorrow when I'm back at the office.

Martin
Re: ntlm_auth not respected
When I poke around and try to deconstruct the issue, I find that when ntlm_auth is run manually to retrieve the NT key, it does not do anything. It just says NT_STATUS_OK: Success (0x0)

If I run the --diagnostics flag this is what I get...

root@leopard:/etc/freeradius# ntlm_auth --domain=WONKY --username=wyse1 --diagnostics
password:
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)

So I doubt this issue is with FR, but more of that Samba is being cranky. I can never get ntlm_auth to give me that NT key, which I feel if I could resolve that, I could continue with FR.

On Aug 21, 2013, at 8:55 AM, Chris Parker wrote:
> Thank you Phil!
> That resolved my first steps, and I figured there was something like that. I
> have pored over deployingfreeradius.com, but for the life of me I could not
> find anything of assistance for my set up.
>
> I have enabled the ntlm_auth line in modules/mschap but no password is sent
> to ntlm_auth to be checked.
> So the fact that it's failing makes sense, since there's no password being
> read in and thus it fails authorize. So this is just escaping me on how to
> get the password into ntlm_auth via MSCHAP.
> On top of that, when my access point succeeds against the users file, I
> suspect it's doing EAP but the logs never say "I have detected EAP, setting
> EAP"
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 60203, id=86, length=113
> 	User-Name = "wyse1"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> 	MS-CHAP-Challenge = 0x9e2069a2b9faf93d
> 	MS-CHAP-Response = 0x0001b48195bef7a73a38839411904a51717092c530d4bef03520
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
> [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
> Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Invalid user: [wyse1/] (from client localhost port 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> wyse1
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 86 to 127.0.0.1 port 60203
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 86 with timestamp +6
> Ready to process requests.
>
> On Aug 21, 2013, at 3:25 AM, Phil Mayers wrote:
>> On 08/21/2013 05:11 AM, Chris Parker wrote:
>>>
>>> Log output:
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
>>> 	User-Name = "wyse1"
>>> 	User-Password = "K503D"
>>> 	NAS-IP-Address = 127.0.1.1
>>> 	NAS-Port = 1812
>>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>>> +- entering group authorize {...}
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>> ++[digest] returns noop
>>> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
>>> [suffix] No such realm "NULL"
>>> ++[suffix] returns noop
>>> [eap] No EAP-Message, not doing EAP
>>> ++[eap] returns noop
>>> ++[files] returns noop
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
>>> [ntlm_auth] expand: --password=%{User-Password} -> --password=K503D
>>> Exec-Program output: NT_STATUS_OK: Success (0x0)
>>> Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>>> Exec-Program: returned: 0
>>> ++[ntlm_auth] returns ok
>>
>> You're running ntlm_auth in the "authorize" section, and then:
>>
>>> [pap] WARNING! No "known good" password found for the user. Authentication
>>> may fail because of this.
>>> ++[pap] returns noop
>>> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
>>> the user
>>
>> ...nothing in the "authenticate" section.
>>
>> You either want:
>>
>> authorize {
>>
Re: ntlm_auth not respected
Thank you Phil!
That resolved my first steps, and I figured there was something like that. I have pored over deployingfreeradius.com, but for the life of me I could not find anything of assistance for my set up.

I have enabled the ntlm_auth line in modules/mschap but no password is sent to ntlm_auth to be checked.
So the fact that it's failing makes sense, since there's no password being read in and thus it fails authorize. So this is just escaping me on how to get the password into ntlm_auth via MSCHAP.
On top of that, when my access point succeeds against the users file, I suspect it's doing EAP but the logs never say "I have detected EAP, setting EAP"

rad_recv: Access-Request packet from host 127.0.0.1 port 60203, id=86, length=113
	User-Name = "wyse1"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0x9e2069a2b9faf93d
	MS-CHAP-Response = 0x0001b48195bef7a73a38839411904a51717092c530d4bef03520
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "wyse1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Invalid user: [wyse1/] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyse1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 86 to 127.0.0.1 port 60203
Waking up in 4.9 seconds.
Cleaning up request 0 ID 86 with timestamp +6
Ready to process requests.

On Aug 21, 2013, at 3:25 AM, Phil Mayers wrote:
> On 08/21/2013 05:11 AM, Chris Parker wrote:
>>
>> Log output:
>> rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
>> 	User-Name = "wyse1"
>> 	User-Password = "K503D"
>> 	NAS-IP-Address = 127.0.1.1
>> 	NAS-Port = 1812
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
>> [ntlm_auth] expand: --password=%{User-Password} -> --password=K503D
>> Exec-Program output: NT_STATUS_OK: Success (0x0)
>> Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>> Exec-Program: returned: 0
>> ++[ntlm_auth] returns ok
>
> You're running ntlm_auth in the "authorize" section, and then:
>
>> [pap] WARNING! No "known good" password found for the user. Authentication
>> may fail because of this.
>> ++[pap] returns noop
>> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
>> the user
>
> ...nothing in the "authenticate" section.
>
> You either want:
>
> authorize {
>     ...
>     ntlm_auth
>     if (ok) {
>         update control {
>             Auth-Type := Accept
>         }
>     }
>     ...
> }
>
> ...or:
>
> authorize {
>     ...
>     # don't run ntlm_auth here, and right at the bottom
>     if (User-Password) {
>         # PAP request, tell ntlm_auth to run in authenticate
>         update control {
>             Auth-Type = ntlm_auth
>         }
>     }
> }
>
> authenticate {
>     Auth-Type ntlm_auth {
>         ntlm_auth
>     }
> }
>
> HOWEVER - you should note that the (EXTREMELY unfortunately named)
> "ntlm_auth" module instance is usually not what you want for wireless.
> Wireless is typically 802.1x with PEAP/MSCHAP, which will entail setting up
> the "ntlm_auth" configuration *item* of the mschap module.
>
> Read the extensive docs, wiki, and walkthrough on deployingradius.com for
> more info.
>
>> Failed to authenticate the user.
>> Login incorrect: [wyse1/K503D] (from client localhost port 1812)
>> Using Post-Auth-Type Reject
>> # Executing group f
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
> I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
> TLS tunnel is established:

On the assumption that your certificates are OK...

Have you updated the fragment_size so that the outer is larger than the inner? I did a write-up on getting this to work (see http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha IIRC.

Matthew
RE: rlm_python
> Building your own packages on Debian/Ubuntu is trivial. There's really
> no excuse not to run the latest code.

Matthew, I agree with you, but not when the policy is to only use what is published on vendor (i.e. Ubuntu) repositories. But, like I say, that's not a discussion appropriate for the list, but rather one to be held with Ubuntu :-)

Stefan
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On 21/08/2013 12:17, Martin Kraus wrote:
> Hi.
> I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer

Is this really what you mean? TTLS outer and TLS inner, versus PEAP outer and TLS inner?

Because the latter is unlikely to work; it's not a supported combo per the PEAP spec.

> TLS tunnel is established:
>
> WARNING: !!
> WARNING: !! EAP session for state 0x992158e5992955e0 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!
>
> and then later on
>
> rlm_eap: No EAP session matching the State variable.
> [inner-eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

Post a full debug, gathered with "radiusd -X", of a failing attempt.
debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established:

WARNING: !!
WARNING: !! EAP session for state 0x992158e5992955e0 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

and then later on

rlm_eap: No EAP session matching the State variable.
[inner-eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

I've read the instructions but none of that seems to apply to my situation. There is "TLV Result - Failure" in the supplicant log but I don't have a clue if that is a cause or an effect of the error in freeradius.

Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: received 37 bytes encrypted data for Phase 2
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=5): 01 07 00 05 01
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: received Phase 2: code=1 identifier=7 length=5
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Phase 2 Request: type=1
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Encrypting Phase 2 data - hexdump(len=18): [REMOVED]
Aug 21 12:22:34 localhost wpa_supplicant[19681]: SSL: 90 bytes left to be sent out (of total 90 bytes)
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: EAP entering state SEND_RESPONSE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: EAP entering state IDLE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: SUPP_BE entering state RESPONSE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: txSuppRsp
Aug 21 12:22:34 localhost wpa_supplicant[19681]: TX EAPOL: dst=00:24:14:3a:95:d0
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: SUPP_BE entering state RECEIVE
Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: startWhen --> 0
Aug 21 12:22:46 localhost wpa_supplicant[19681]: EAP-TLV: TLV Result - Failure
Aug 21 12:22:47 localhost wpa_supplicant[19681]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Thanks for any help
Martin
Re: rlm_python
On Wed, Aug 21, 2013 at 09:19:35AM +, stefan.pae...@diamond.ac.uk wrote:
> > Well... as Alan says, upgrade. Particularly if "you know".
>
> There is no 'out of the box' version for upgrade on Ubuntu 12 at
> this point short of having to compile it ourselves, that is

Building your own packages on Debian/Ubuntu is trivial. There's really no excuse not to run the latest code. See:

http://wiki.freeradius.org/building/Build#Building-Debian-packages

Building from git is just about as easy (I think easier - you save the step of downloading a tarball); I wrote it up a while back:

http://notes.asd.me.uk/2012/01/27/compiling_freeradius_from_git_on_debian/

Note these both give you packages - so you can easily uninstall etc as required, or roll back to the distribution ones.

Matthew
RE: rlm_python
> > 12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was
>
> Well... as Alan says, upgrade. Particularly if "you know".

There is no 'out of the box' version for upgrade on Ubuntu 12 at this point short of having to compile it ourselves, that is (situation is similar to CentOS 6 where the last release is 2.1.12). But that's a discussion best had with the Ubuntu folks.

> However - embedding python is a pain in the arse. Various versions have
> issues with the module.so not linking to libpython.so, and not pulling
> in all the symbols it should. See:
>
> http://bugs.python.org/issue4434
>
> ...and try not to despair at the (ahem) confusion of the python dev,
> and the various mouth-breathers who suggest static linking :o(
>
> Try "ldd /_ldap.so" and see if it links to libpython.so. If not,
> that's your problem, and there isn't much you can do about it because
> python is broken on your system.

I shall check that again (when I bring the box up for that magical third try). But if it's not, that again is probably an Ubuntu-specific issue, and we'll probably raise it with the Python-LDAP folks.

> The OP in the bug above seems to think it's fixed for him in Python
> 2.5, but TBH I suspect distro-specific build-time options, rather than
> any change to the python runtime.

Indeed. In the meanwhile I've decided to work around it by using ldap.attrmap with a load of Tmp-String-* entries and hoping to feed those into a standard (non-C-linked) Python module for assembly into a compliant XML string. :-)

Thanks for the heads-up.

Stefan
Re: rlm_python
On 08/20/2013 02:27 PM, stefan.pae...@diamond.ac.uk wrote:
> Hello all,
> I'm currently attempting to use rlm_python to query LDAP (with python-ldap) and then return an XML string in a VSA (SAML-AAA-Assertion). However, when I try to load it, I get the dreaded "undefined symbol: PyExc_SystemError" error. This is on Ubuntu 12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was

Well... as Alan says, upgrade. Particularly if "you know".

However - embedding python is a pain in the arse. Various versions have issues with the module.so not linking to libpython.so, and not pulling in all the symbols it should. See:

http://bugs.python.org/issue4434

...and try not to despair at the (ahem) confusion of the python dev, and the various mouth-breathers who suggest static linking :o(

Try "ldd /_ldap.so" and see if it links to libpython.so. If not, that's your problem, and there isn't much you can do about it because python is broken on your system.

The OP in the bug above seems to think it's fixed for him in Python 2.5, but TBH I suspect distro-specific build-time options, rather than any change to the python runtime.

> built on the local machine for the newest version (although the existing version in the Ubuntu repository has the same problem). Freeradius_samlldap exists in the correct path for Python eggs, and

Just to point out that this is of course not the issue. It's one of the modules that this tries to pull in.
Re: ntlm_auth not respected
On 08/21/2013 05:11 AM, Chris Parker wrote:
>
> Log output:
> rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
> 	User-Name = "wyse1"
> 	User-Password = "K503D"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1
> [ntlm_auth] expand: --password=%{User-Password} -> --password=K503D
> Exec-Program output: NT_STATUS_OK: Success (0x0)
> Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
> Exec-Program: returned: 0
> ++[ntlm_auth] returns ok

You're running ntlm_auth in the "authorize" section, and then:

> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

...nothing in the "authenticate" section.

You either want:

authorize {
    ...
    ntlm_auth
    if (ok) {
        update control {
            Auth-Type := Accept
        }
    }
    ...
}

...or:

authorize {
    ...
    # don't run ntlm_auth here, and right at the bottom
    if (User-Password) {
        # PAP request, tell ntlm_auth to run in authenticate
        update control {
            Auth-Type = ntlm_auth
        }
    }
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}

HOWEVER - you should note that the (EXTREMELY unfortunately named) "ntlm_auth" module instance is usually not what you want for wireless. Wireless is typically 802.1x with PEAP/MSCHAP, which will entail setting up the "ntlm_auth" configuration *item* of the mschap module.

Read the extensive docs, wiki, and walkthrough on deployingradius.com for more info.

> Failed to authenticate the user.
> Login incorrect: [wyse1/K503D] (from client localhost port 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> wyse1
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 114 to 127.0.0.1 port 35826
> Waking up in 4.9 seconds.
> Cleaning up request 7 ID 114 with timestamp +843
> Ready to process requests.