FreeRadius Error Access Rejected Only On Some CISCO Switch Ports
Hi Guys, we are trying to get Free Radius to authenticate our users who connect through a Cisco Small Business POE switch. When testing authentication with a shutdown / no shutdown command on port fa/17, which has an IP phone connected to it, we receive the following errors:

FREE RADIUS:

[ldap] expand: %{User-Name} - root
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=root)
[ldap] expand: dc=citlao,dc=local - dc=citlao,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect ( [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - root
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

CISCO POE SWITCH:

SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down: fa17
SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP status Forwarding
23-Sep-2013 14:17:42 %LINK-I-Up: fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server
23-Sep-2013 14:18:07 %LINK-W-Down: fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, aggregated (3)
23-Sep-2013 14:18:09 %LINK-I-Up: fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server, aggregated (1)

However, when we try the same test on a port that has a PC connected to it we do not receive such an error. The CISCO switch says that we have the wrong user name and the Free Radius log says access rejected. Why would this only be the case when a CISCO IP phone tries to authenticate? The Cisco switch port configurations are exactly the same and are as follows:

dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 30
dot1x mac-authentication mac-only
dot1x port-control auto
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
spanning-tree portfast
macro description no_ip_phone_desktop | ip_phone_desktop
switchport trunk allowed vlan add 100
macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are being successfully authenticated?

Thanks for your assistance,
Dan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
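The debug output quoted above already contains the answer Alan gives further down the thread: the LDAP search for uid=root returned nothing, so no module set an Auth-Type and the request was rejected before authentication ran. As an added example that is not part of the original posts, the following Python script extracts that reasoning from radiusd -X output mechanically. It splits the log into requests, records which module returned what, whether an Auth-Type was ever found, and the final Access-Accept or Access-Reject, then gives a one-line verdict per request. The sample log is constructed from the lines above; the rad_recv header in front of Dan's request and the second, successful request are made up so that both outcomes appear.

```python
import re

# Constructed sample: the radiusd -X lines quoted in the post above, one per
# line again (the archive ran them together), with a made-up rad_recv header in
# front of Dan's request and a made-up second, successful request appended so
# that both outcomes appear.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=31, length=120
\tUser-Name = "root"
\tNAS-Port = 2
[ldap] expand: %{User-Name} -> root
[ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
[ldap] object not found
[ldap] search failed
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect ( [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Using Post-Auth-Type Reject
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=32, length=133
\tUser-Name = "test"
++[files] returns ok
++[pap] returns updated
Found Auth-Type = PAP
[pap] User authenticated successfully
++[pap] returns ok
Sending Access-Accept of id 32 to 192.168.1.1 port 1645
"""

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
MODULE_RC = re.compile(r"^\++\[([\w.-]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
# Lines that explain a verdict: the server's own ERROR / "Login incorrect"
# lines and module lines reporting a failed lookup or a failure.
REASON = re.compile(r"^(?:ERROR: |Login incorrect|\[[\w.-]+\] (?:object not found|search failed|.*[Ff]ail))")


def parse_debug(text):
    """Split radiusd -X output into one record per request."""
    requests, cur = [], None
    for line in text.splitlines():
        if m := RAD_RECV.match(line):
            cur = {"packet": m.group(1), "client": f"{m.group(2)}:{m.group(3)}",
                   "id": int(m.group(4)), "attrs": {}, "modules": [],
                   "auth_type": None, "outcome": None, "reasons": []}
            requests.append(cur)
        elif cur is None:
            continue  # startup noise before the first packet
        elif m := ATTR.match(line):
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
        elif m := MODULE_RC.match(line):
            cur["modules"].append((m.group(1), m.group(2)))
        elif m := AUTH_TYPE.match(line):
            cur["auth_type"] = m.group(1)
        elif m := SENDING.match(line):
            cur["outcome"] = m.group(1)
        elif REASON.match(line):
            cur["reasons"].append(line.strip())
    return requests


def diagnose(req):
    """One-line verdict per request, the way Alan reads the log further down."""
    user = req["attrs"].get("User-Name", "?")
    if req["outcome"] == "Access-Accept":
        return f"{user}: accepted via Auth-Type {req['auth_type']}"
    if req["auth_type"] is None:
        # Nothing in authorize produced a password or set Auth-Type, so the
        # authenticate section never ran; the non-ok lookups say why.
        failed = [f"{m}={rc}" for m, rc in req["modules"] if rc not in ("ok", "noop", "updated")]
        return (f"{user}: rejected before authentication, no Auth-Type set; "
                f"lookups: {', '.join(failed) or 'none failed'}")
    first = req["reasons"][0] if req["reasons"] else "see debug output"
    return f"{user}: rejected in Auth-Type {req['auth_type']}; {first}"


def triage(text):
    """Map each request id to its verdict, handy for a long debug capture."""
    return {req["id"]: diagnose(req) for req in parse_debug(text)}


if __name__ == "__main__":
    for rid, verdict in triage(SAMPLE_DEBUG).items():
        print(rid, verdict)
```

For Dan's request the verdict reads "root: rejected before authentication, no Auth-Type set; lookups: ldap=notfound", which is exactly the line Alan points at; note that the "Login incorrect" line also records the credentials the phone presented (root/trash), which is worth knowing on its own before adding the account to LDAP.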
Facing Problem in Asterisk peer Authentication with Freeradius.
Hi, I want to authenticate an asterisk peer using freeradius. I am using asterisk 12.0.0 and Freeradius 2.2.1. I have configured freeradius correctly, as I am able to authenticate a user saved in the users file from the terminal by using the radclient command. But when I try to register a peer in asterisk the freeradius authentication doesn't work. I don't even get any request from the asterisk server in the radius logs.

My sip.conf configuration is:

[1000]
type=friend
context=test
auth_type=radius
host=dynamic

and the user credentials are placed in /usr/local/etc/raddb/users as:

1000 Cleartext-Password := password

Please help me in this regard.
Re: Facing Problem in Asterisk peer Authentication with Freeradius.
On 23 Sep 2013, at 11:27, Husnain Taseer husnain.tas...@gmail.com wrote:

I don't even get any request from the asterisk server in the radius logs.

You're looking at the wrong layer for the problem. Fire up tcpdump. Do you see any radius traffic leaving the asterisk box? Does it reach the RADIUS server?

If no traffic is leaving the asterisk server, you'll need to ask the Asterisk mailing lists. If traffic is going missing, you need to check your network. If traffic does reach the radius server, you've either broken your RADIUS configuration (post a full debug log) or your environment is screwed up (check the local firewall, SELinux, AppArmor...)

Regards,

Adam Bishop
gpg: 0x6609D460

Janet, the UK's research and education network.

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file. Also, in the simtriplets file at the bottom, I have tried the entries with a 1 at the beginning of the IMSI, and without, and with the word SIM there also.

On packet captures over the air, I get
P1 - eap identity request
P2 - eap identity response
P3 - eap-failure

So I believe the radius server is not sending an eap-start module and it is my configuration issue. Could anyone be so kind to help me please?

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=5, length=257
User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
NAS-IP-Address = 192.168.21.1
Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = 5C-F8-A1-8B-35-BA
Connect-Info = CONNECT 54Mbps 802.11g
Acct-Session-Id = 524016AE-0005
Framed-MTU = 1400
EAP-Message = 0x02ba0038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x25cd862fe8110e13ab54321c37032d00
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 186 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 5 to 10.53.1.200 port 45261
EAP-Message = 0x04ba0004
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=6, length=257
User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
NAS-IP-Address = 192.168.21.1
Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = 5C-F8-A1-8B-35-BA
Connect-Info = CONNECT 54Mbps 802.11g
Acct-Session-Id = 524016AE-0006
Framed-MTU = 1400
EAP-Message = 0x02f20038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xac6eea11e5915f4e4e5bbc06a7ed3e72
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 242 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
can not initiate sim, no
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:

Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.

No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.

Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Facing Problem in Asterisk peer Authentication with Freeradius.
In tcpdump, asterisk is not sending a request to freeradius. Can you tell me, after configuring freeradius, what configuration needs to be done in asterisk?

Regards,
Husnain Taseer

On Mon, Sep 23, 2013 at 4:11 PM, Adam Bishop adam.bis...@ja.net wrote:

On 23 Sep 2013, at 11:27, Husnain Taseer husnain.tas...@gmail.com wrote:

I don't even get any request from the asterisk server in the radius logs.

You're looking at the wrong layer for the problem. Fire up tcpdump. Do you see any radius traffic leaving the asterisk box? Does it reach the RADIUS server?

If no traffic is leaving the asterisk server, you'll need to ask the Asterisk mailing lists. If traffic is going missing, you need to check your network. If traffic does reach the radius server, you've either broken your RADIUS configuration (post a full debug log) or your environment is screwed up (check the local firewall, SELinux, AppArmor...)

Regards,

Adam Bishop
gpg: 0x6609D460

Janet, the UK's research and education network.
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Hi Arran, I'm not sure if I have interpreted this right. Are you agreeing with my statement, that it is not needed, or are you saying it is needed? I seem to recall I get an error when I put the sim_files in the default file.

Many thx indeed for the lightning fast response mate :)

Ken

On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:

Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.

No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.

Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Ken Farrington
Director
CCIE #12651
802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk

Disclaimer: This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Any views or opinions presented are solely those of the author and do not necessarily represent those of 802 Limited or any subsidiary company of 802 Limited. This email may relate to or be sent from other members of the 802 Group. All rights reserved. 802 Limited. Registered in the UK. Company Number. 7962864.
Authentication
Dear,

I wonder if Freeradius can authenticate a client by IP number, without using login and password, only the IP. If possible, how to do it?

Thank you

---
Marcelo
Re: Authentication
On 23/9/2013 3:14 PM, Free-Radius wrote:

I wonder if Freeradius can authenticate a client by IP number, without using login and password, only the IP. If possible, how to do it?

You can authenticate a client based on MAC Address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

Of course not by IP number which can be manipulated.

Regards,
Nick
Re: Authentication
Just also beware that the MAC can be spoofed also with lots of programs :)

On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:

On 23/9/2013 3:14 PM, Free-Radius wrote:

I wonder if Freeradius can authenticate a client by IP number, without using login and password, only the IP. If possible, how to do it?

You can authenticate a client based on MAC Address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

Of course not by IP number which can be manipulated.

Regards,
Nick

Ken Farrington
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Also, if I put the sim_files entry before eap in the default file I get the following error when I try and start radiusd -s -X:

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
/usr/local/etc/raddb/radiusd.conf[643]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[63]: Failed to load module sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

Could it be a linux thing? I am starting to think my linux skills are rubbish. I have been trying very hard :)

Many thx
ken

On 23 September 2013 at 12:56 ken.farrington ken.farring...@802.co.uk wrote:

Hi Arran, I'm not sure if I have interpreted this right. Are you agreeing with my statement, that it is not needed, or are you saying it is needed? I seem to recall I get an error when I put the sim_files in the default file.

Many thx indeed for the lightning fast response mate :)

Ken

On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:

Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.

No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.

Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Ken Farrington
Re: Facing Problem in Asterisk peer Authentication with Freeradius.
Husnain Taseer wrote:

In tcpdump, asterisk is not sending a request to freeradius. Can you tell me, after configuring freeradius, what configuration needs to be done in asterisk?

You were told to ask this question on the asterisk mailing list. We are not asterisk, and we know nothing about it.

If you're not going to follow instructions, you will have a VERY hard time solving the problem.

Alan DeKok.
Re: Authentication
On Monday, 23 September 2013, 13:53:14, ken.farrington wrote:

Just also beware that the MAC can be spoofed also with lots of programs :)

Yes: ip link dev ... set addr ...

On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:

On 23/9/2013 3:14 PM, Free-Radius wrote:

I wonder if Freeradius can authenticate a client by IP number, without using login and password, only the IP. If possible, how to do it?

You can authenticate a client based on MAC Address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

Of course not by IP number which can be manipulated.

Regards,
Nick

Ken Farrington

--
Kind regards,

Michael Schwartzkopff

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
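Nick's point is that the NAS identifies a client by its MAC (Calling-Station-Id), and Ken's and Michael's replies note that this value is set by software, so a MAC allow list is a device-inventory check rather than proof of identity. As an added example, not code from the thread or from the FreeRADIUS Mac-Auth guide Nick links, the Python below shows the part that bites in practice: NASes report MACs in different notations (the switch log in the first thread uses 58:bf:ea:11:13:93, the EAP-SIM request uses 5C-F8-A1-8B-35-BA), so the lookup has to normalise first. The allow list, the VLAN numbers, the User-Name check and the canonical lowercase dashed form are this example's own assumptions; the reply uses the standard RFC 3580 Tunnel-* attributes for VLAN assignment.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise a MAC as NASes report it, or return None if it is not one.

    Accepts the colon form from the switch log (58:bf:ea:11:13:93), the dashed
    Calling-Station-Id form (5C-F8-A1-8B-35-BA), Cisco dotted (58bf.ea11.1393)
    and bare hex. The canonical form, lowercase octets joined by dashes, is this
    example's own convention, not FreeRADIUS's.
    """
    if not raw:
        return None
    digits = re.sub(r"[-:.]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed allow list: canonical MAC -> device label and the VLAN to assign.
# The phone MAC comes from the switch log in the first thread; the VLAN numbers
# and the second device are made up.
AUTHORIZED_MACS = {
    "58-bf-ea-11-13-93": {"label": "IP phone on fa17", "vlan": "100"},
    "00-11-22-33-44-55": {"label": "printer", "vlan": "200"},
}


def mac_auth(request, allow_list=AUTHORIZED_MACS):
    """Decide a MAC-auth Access-Request.

    `request` holds RADIUS attributes by name. Returns (accept, reply_attrs, reason).
    A match only proves the client presented a listed MAC; as the thread notes,
    that MAC can be set by software, so the reply confines the device to its own
    VLAN rather than granting anything broader.
    """
    calling = normalize_mac(request.get("Calling-Station-Id"))
    if calling is None:
        return False, {}, "Calling-Station-Id missing or not a MAC address"
    # A MAC-auth NAS sends the MAC as User-Name as well; require the two to agree
    # so a client cannot present one identity on the wire and another as the login.
    if normalize_mac(request.get("User-Name")) != calling:
        return False, {}, f"User-Name {request.get('User-Name')!r} does not match Calling-Station-Id {calling}"
    entry = allow_list.get(calling)
    if entry is None:
        return False, {}, f"{calling} is not in the authorized list"
    reply = {  # RFC 3580 VLAN assignment attributes
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": entry["vlan"],
    }
    return True, reply, f"{calling} matched {entry['label']}"


if __name__ == "__main__":
    # Constructed requests in the shapes seen in this thread.
    for req in (
        {"User-Name": "58bfea111393", "Calling-Station-Id": "58:bf:ea:11:13:93"},
        {"User-Name": "5c-f8-a1-8b-35-ba", "Calling-Station-Id": "5C-F8-A1-8B-35-BA"},
        {"User-Name": "00-11-22-33-44-55", "Calling-Station-Id": "58:bf:ea:11:13:93"},
    ):
        print(mac_auth(req))
```

The normalisation step is what makes an allow list maintainable across vendors: without it, the same phone is accepted on one switch and rejected on another purely because of the separator in Calling-Station-Id.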
Re: FreeRadius Error Access Rejected Only On Some CISCO Switch Ports
Daniel Baker wrote:

[ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
[ldap] object not found
[ldap] search failed

What part of that is unclear?

What can I try to fix the authentication issues so that all ports are being successfully authenticated?

Ensure that the people logging in have accounts in ldap.

Alan DeKok.
Re: FreeRadius Error Access Rejected Only On Some CISCO Switch Ports
Thank you Alan, I will pursue that line of inquiry further.

On 9/23/2013 8:18 PM, Alan DeKok wrote:

Daniel Baker wrote:

[ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
[ldap] object not found
[ldap] search failed

What part of that is unclear?

What can I try to fix the authentication issues so that all ports are being successfully authenticated?

Ensure that the people logging in have accounts in ldap.

Alan DeKok.
Re: pap always returns noop for windows dialup authentication
On Mon, 23 Sep 2013 at 13:31, John Dennis opined:

JD:You still haven't sent the full debug.

hi john - thanks for your reply. i sent the output from running radiusd -X, are you saying i need to run -Xxx and send that instead? or are you looking for the startup output as well? i only included the output for the particular requests.

JD:Also, you said you were moving from v1 to v2, you can't just copy v1
JD:configs over, they're different, hope you weren't doing that.

i used a default v2 install and only changed the users and clients.conf files. everything else was left alone.

regards, paul
Re: Freeradius-Users Digest, Vol 101, Issue 50
Authentication. Thanks.

-- Message: 5
Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
From: paul trader flip...@igolinux.com
To: freeradius-users@lists.freeradius.org
Subject: pap always returns noop for windows dialup authentication
Message-ID: alpine.DEB.2.02.1309231213040.7006@soundgarden.localdomain.local
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

-- Message: 6
Date: Mon, 23 Sep 2013 17:52:53 +0100
From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: pap always returns noop for windows dialup authentication
Message-ID: 524071e5.4090...@imperial.ac.uk
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

-- Message: 7
Date: Mon, 23 Sep 2013 13:19:04 -0400 (EDT)
From: paul trader flip...@igolinux.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: pap always returns noop for windows dialup authentication
Message-ID: alpine.DEB.2.02.1309231310440.7633@soundgarden.localdomain.local
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:

PM:It's difficult to say, because the debug you sent has all the useful
PM:bits trimmed out - like the original packet, and the full module
PM:processing chain.

hi phil - ok, here's the full debug for a successful request:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, length=133
User-Name = test
User-Password = testing
User-Password = testing
NAS-IP-Address = x.x.x.x
NAS-Identifier = x.x.x.x
NAS-Port = 2561
Acct-Session-Id = 167773864
Service-Type = Login-User
Calling-Station-Id = xx
Called-Station-Id = xxx
NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up
Re: pap always returns noop for windows dialup authentication
On 23/09/13 17:33, paul trader wrote:
> am i doing something glaringly wrong, or just going plain crazy?

It's difficult to say, because the debug you sent has all the useful bits trimmed out - like the original packet, and the full module processing chain. Send a full debug, and odds are someone will spot the issue.

Most likely is that the Windows machine is sending a different format of username e.g. DOMAIN\user, so whatever database you're doing a lookup for the password or hash - SQL, LDAP, files - isn't matching. But that's a guess - post the full debug.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pap always returns noop for windows dialup authentication
On 09/23/2013 01:19 PM, paul trader wrote:
> On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
> PM:It's difficult to say, because the debug you sent has all the useful
> PM:bits trimmed out - like the original packet, and the full module
> PM:processing chain.

You still haven't sent the full debug.

> hi phil - ok, here's the full debug for a successful request:
> [files] users: Matched entry test at line 1

> and here's the full output of a failed request:
> [files] users: Matched entry DEFAULT at line 172

So there's your answer, in the successful case it matched the entry for test on line 1, on the failed case it didn't match. So either you're not using the same users file (a full debug would have told us that) or you've got some criteria set for the test entry which isn't being matched.

Also, you said you were moving from v1 to v2, you can't just copy v1 configs over, they're different, hope you weren't doing that.

--
John
pap always returns noop for windows dialup authentication
hi all - i've recently tried upgrading from v1 to v2. on a centos 6.4 box w/ all latest updates, i installed freeradius v2, added one username and password to /etc/raddb/users:

test Cleartext-Password := testing

and the radtest command-line authentication works. i then added one client for our blade server to /etc/raddb/clients.conf:

client x.x.x.x {
        secret = x
        shortname = 3coms
}

substituting the correct ip and secret for the x's. testing from my linux box w/ a modem, authentication works. output from radiusd -X shows all is well, my linux box receives an ip address and dns servers. relevant -X debug output shows:

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok

however, when trying to authenticate from a windows box, authentication fails. every time. i've tried it from a windows xp machine and 2 windows 7 machines. the debug output always says:

[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject

i've been over and over everything a dozen times, have tried changing the windows dialup security settings to use pap only, and also have tried adding the following line to the users file:

Auth-Type = PAP

even though everything i've read said not to do that. still doesn't work. the only changes i've made to the default installation are to the users and clients.conf files. i have spent hours searching the internet for a similar problem/solution and come up empty. windows boxes will not authenticate, pap always returns noop, and the user is rejected. am i doing something glaringly wrong, or just going plain crazy?

regards, paul
Re: pap always returns noop for windows dialup authentication
On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
PM:It's difficult to say, because the debug you sent has all the useful
PM:bits trimmed out - like the original packet, and the full module
PM:processing chain.

hi phil - ok, here's the full debug for a successful request:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, length=133
        User-Name = test
        User-Password = testing
        User-Password = testing
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = x.x.x.x
        NAS-Port = 2561
        Acct-Session-Id = 167773864
        Service-Type = Login-User
        Calling-Station-Id = xx
        Called-Station-Id = xxx
        NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 37 to x.x.x.x port 1812
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 37 with timestamp +676

and here's the full output of a failed request:

Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, length=121
        User-Name = test
        User-Password = testing
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = x.x.x.x
        NAS-Port = 2561
        Acct-Session-Id = 167773862
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = xx
        Called-Station-Id = xxx
        NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 35 to 64.214.93.3 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +361

from what i can see, the successful request finds the user's entry in the user table, but the failed request doesn't (and uses DEFAULT instead). but the usernames passed in seem to be the same. i don't know, we've used freeradius for years and this is the 1st time i'm having a problem. weird.

regards, paul
Re: Freeradius-Users Digest, Vol 101, Issue 50
On Mon, 23 Sep 2013 at 18:49, Rui Ribeiro opined:
RR:You're not crazy for sure. The problem authenticating with Windows boxen
RR:is that they only support MSCHAPv2… kudos to Microsoft.

hi rui - thanks for that, although my family and co-workers may disagree! according to this wiki faq entry:

http://wiki.freeradius.org/guide/faq#How-do-I-make-Windows-XP-clients-use-only-PAP-%28Not-CHAP%29

it's possible to force ms to use pap. somehow, though, after reading another reply to my post, i'm getting the feeling ms clients are munging something in the username because it's not being found in the users file.

regards, paul
EAP-TLS Authentication
Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding on TLS Authentication. Thanks.
Re: pap always returns noop for windows dialup authentication
On 09/23/2013 02:07 PM, paul trader wrote:
> On Mon, 23 Sep 2013 at 13:31, John Dennis opined:
> JD:You still haven't sent the full debug.
>
> hi john - thanks for your reply. i sent the output from running radiusd -X, are you saying i need to run -Xxx and send that instead?

No. It means all the output from radiusd -X. Yes, that might seem like a lot but it contains useful information. But before you do send it to this list see below.

> or are you looking for the startup output as well? i only included the output for the particular requests.

That's not the full debug is it? :-)

> JD:Also, you said you were moving from v1 to v2, you can't just copy v1
> JD:configs over, they're different, hope you weren't doing that.
>
> i used a default v2 install and only changed the users and clients.conf files. everything else was left alone.

You have all the information you need to debug your problem. It does require reading the debug output carefully. But you should really try to do that yourself first. As I said earlier, verify you're reading the exact same users file in both cases (the debug output will tell you what files are being read). If they are then look at your users file and determine why the user name is not matching, there is nothing magic about it, it should be straight forward. Still stumped? Then come back to the list for help.

--
John
Re: pap always returns noop for windows dialup authentication
paul trader wrote:
> i used a default v2 install and only changed the users and clients.conf files. everything else was left alone.

Well, there's no magic. If the users file entry doesn't match, it's because the User-Name isn't test.

Alan DeKok.
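John's and Alan's point (the users file is matched top-down, and "nothing magic" decides the outcome) and the two debug traces Paul posted earlier in the thread can be checked offline with the following small Python model of the files module's matching. It is an added example, not FreeRADIUS's rlm_files and not code from this thread: the users-file text and both requests are constructed, the DEFAULT entry is a hypothetical stand-in for the fallback on line 172, and the DOMAIN\user form of the Windows User-Name is only Phil's guess from earlier in the thread, used here as an assumption.

```python
"""Added example (not FreeRADIUS code): a small model of how the files module
walks the users file, reproducing this thread's two outcomes offline:
"Matched entry test at line 1" versus "Matched entry DEFAULT ..." followed by
"[pap] returns noop". Real rlm_files has more operators than modelled here."""
import re
from typing import Dict, List, Tuple

Attrs = Dict[str, str]
Item = Tuple[str, str, str]  # (attribute, operator, value)

# Constructed users file: line 1 is the entry from the thread, line 3 a
# hypothetical DEFAULT entry standing in for the stock fallback on line 172.
USERS_FILE = '''\
test    Cleartext-Password := "testing"

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
'''

# ":=" and "==" must be tried before plain "=".
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text: str) -> List[Item]:
    """Parse 'Attr op value, Attr op value' into items, dropping quotes."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text: str) -> List[dict]:
    """An entry starts in column 1 (name or DEFAULT, then check items);
    the indented lines after it are its reply items."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            i += 1
            continue
        if line[0].isspace():
            raise ValueError(f"line {i + 1}: reply item with no entry")
        head = line.split(None, 1)
        entry = {"line": i + 1, "name": head[0], "reply": [],
                 "check": parse_items(head[1]) if len(head) > 1 else []}
        i += 1
        while i < len(lines) and lines[i].strip() and lines[i][0].isspace():
            entry["reply"] += parse_items(lines[i])
            i += 1
        entries.append(entry)
    return entries


def match_users(entries: List[dict], request: Attrs) -> Tuple[List[int], Attrs, Attrs]:
    """First matching entry wins unless it sets Fall-Through. A '==' check
    item must equal the request attribute; ':=' and '=' check items do not
    constrain matching, they fill the control list (the known-good
    Cleartext-Password that rlm_pap needs lives there)."""
    matched, control, reply = [], {}, {}
    for e in entries:
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if any(op == "==" and request.get(attr) != val for attr, op, val in e["check"]):
            continue
        matched.append(e["line"])
        for attr, op, val in e["check"]:
            if op == ":=":
                control[attr] = val
            elif op == "=":
                control.setdefault(attr, val)
        fall_through = False
        for attr, op, val in e["reply"]:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
            elif op == ":=":
                reply[attr] = val
            else:
                reply.setdefault(attr, val)
        if not fall_through:
            break
    return matched, control, reply


def diagnose(request: Attrs, users_text: str = USERS_FILE) -> List[str]:
    """Return the -X lines that matter here: which entry matched, and what
    rlm_pap does in authorize. With no known-good password rlm_pap returns
    noop, nothing sets Auth-Type, and the server rejects the request."""
    entries = parse_users(users_text)
    matched, control, _ = match_users(entries, request)
    names = {e["line"]: e["name"] for e in entries}
    out = [f"[files] users: Matched entry {names[ln]} at line {ln}" for ln in matched]
    if "Cleartext-Password" not in control:
        out += ["[pap] WARNING! No known good password found for the user.",
                "++[pap] returns noop",
                "ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user"]
    elif control["Cleartext-Password"] == request.get("User-Password"):
        out += ["++[pap] returns updated", "[pap] User authenticated successfully"]
    else:
        out += ["++[pap] returns updated", "[pap] password mismatch (simplified message)"]
    return out


# Constructed requests mirroring the thread's two packets (NAS fields omitted).
LINUX_REQ: Attrs = {"User-Name": "test", "User-Password": "testing",
                    "Service-Type": "Login-User"}
# Assumption: the Windows client sends DOMAIN\user (Phil's guess, unconfirmed).
WINDOWS_REQ: Attrs = {"User-Name": "CORP\\test", "User-Password": "testing",
                      "Service-Type": "Framed-User", "Framed-Protocol": "PPP"}

if __name__ == "__main__":
    for req in (LINUX_REQ, WINDOWS_REQ):
        print(f"User-Name = {req['User-Name']}")
        print("\n".join(diagnose(req)) + "\n")
```

Run as a script, the first request reproduces the line-1 match and a PAP success; the second skips line 1 because the name differs byte for byte, lands on the DEFAULT entry, and ends up with no Cleartext-Password in the control list, which is exactly the state in which rlm_pap returns noop. A name with a trailing space or different case behaves the same way, which is the check John suggests: compare the User-Name in the packet with the users-file entry character by character.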
Re: EAP + SSL + Certificate chains
Hey I wanted to say thanks for the tips! I convinced the peers that it was not a good idea to allow auto certificate acceptance and to just have the clients accept it when the new certificate went online.

Cheers,
- Trevor

On Thu, Sep 12, 2013 at 3:46 PM, Brian Julin bju...@clarku.edu wrote:
> Mathieu wrote:
>> At least from that side there is hope for improvements with Android 4.3 onwards there are API calls for enterprise wireless configuration. Maybe someone steps up by making an application that can manage profiles or something like this.
>
> That is promising, but I hope this does not become a case of Oh, there's an app for that basic system function versus it being in the core UI. Because nobody will have it pre-installed.
>
> --
> Brian
Re: pap always returns noop for windows dialup authentication
On Mon, 23 Sep 2013 at 14:42, John Dennis opined:
JD:You have all the information you need to debug your problem. It does
JD:require reading the debug output carefully. But you should really try
JD:to do that yourself first. As I said earlier, verify you're reading the
JD:exact same users file in both cases (the debug output will tell you
JD:what files are being read). If they are then look at your users file
JD:and determine why the user name is not matching, there is nothing magic
JD:about it, it should be straight forward. Still stumped? Then come back
JD:to the list for help.

hi john - thanks for the help. however, i've read the debug output about 50 thousand times and am just not seeing what is causing the problem, other than it not finding the username in the /etc/raddb/users file when trying to authenticate from a windows box. i mean, the debug output from the authentication request shows the username to be test and there's clearly a user named test in the users file. every place in the debug output where it lists the username it's test. there doesn't seem to be any domain prepended to it.

when starting the server, the debug output shows the file 'modules/files' is being instantiated:

Module: Instantiating module files from file /etc/raddb/modules/files
  files {
        usersfile = /etc/raddb/users
        acctusersfile = /etc/raddb/acct_users
        preproxy_usersfile = /etc/raddb/preproxy_users
        compat = no
  }

and the user/password is in the /etc/raddb/users file. if it weren't then the linux authentication requests wouldn't be working either, right? i'm not trying anything complicated. this setup is not using ldap, active directory, and it's not talking to a database. it's just supposed to be reading a plain-text username and password from the users file.

here's the full debug output:

[root@ikano raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/clients.conf.swave
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file
Re: pap always returns noop for windows dialup authentication
On 23/09/2013 18:19, paul trader wrote:
> hi phil - ok, here's the full debug for a successful request:
> [files] users: Matched entry test at line 1

Versus

> and here's the full output of a failed request:
> [files] users: Matched entry DEFAULT at line 172

The two requests look very similar, but you've x.x.x.x'ed out some data (grr...). Whatever you've X'ed out, one request is matching on line 1 of the users file, one on line 172, so they're obviously different. Carefully examine the two entries on line 1 and 172, determine what's different, examine the unredacted data in the packets, and correct it.
Re: EAP-TLS Authentication
> Please suggest any document which can help in better understanding on TLS Authentication.

Arvind, I also faced the same issue at beginning, but I would suggest to read Freeradius own documentation. That is probably the best.

On Mon, Sep 23, 2013 at 7:45 PM, arvind132 . arvind...@gmail.com wrote:
> Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding on TLS Authentication. Thanks.

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University