FreeRadius Error Access Rejected Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker

Hi Guys, we are trying to get Free Radius to authenticate our users who
connect through a Cisco Small Business POE switch.

When testing authentication with a shutdown / no shutdown command on
port fa/17, which has an IP phone connected to it, we receive the
following errors:

FREE RADIUS:

[ldap]  expand: %{User-Name} - root
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=root)
[ldap]  expand: dc=citlao,dc=local - dc=citlao,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: 
Rejecting the user

Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client 
LTC-ROUTER port 2)

Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - root
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

CISCO POE SWITCH:

SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17

SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP 
status Forwarding

23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or 
password in Radius server

23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, 
aggregated (3)

23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or 
password in Radius server, aggregated (1)

However, when we try the same test on a port that has a PC connected to
it, we do not receive such an error.

The CISCO switch says that we have the wrong user name and the Free
Radius log says access rejected. Why would this only be the case when
a CISCO IP phone tries to authenticate?

The Cisco switch port configurations are exactly the same and are as
follows:

 dot1x max-req 1
 dot1x reauthentication
 dot1x timeout quiet-period 30
 dot1x mac-authentication mac-only
 dot1x port-control auto
 storm-control broadcast enable
 storm-control broadcast level 10
 storm-control include-multicast
 spanning-tree portfast
 macro description no_ip_phone_desktop | ip_phone_desktop
 switchport trunk allowed vlan add 100
 macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are being
successfully authenticated?

Thanks for your assistance,

Dan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Husnain Taseer
Hi,

I want to authenticate an Asterisk peer using FreeRADIUS. I am using Asterisk
12.0.0 and FreeRADIUS 2.2.1. I have configured FreeRADIUS correctly, as I am
able to authenticate a user saved in the users file from the terminal by using
the radclient command. But when I try to register the peer in
Asterisk, the FreeRADIUS authentication doesn't work. I don't even get any
request from the Asterisk server in the RADIUS logs.

My sip.conf configuration is :

[1000]
type=friend
context=test
auth_type=radius
host=dynamic

and user credentials are placed in /usr/local/etc/raddb/users as:

1000 Cleartext-Password := password

Please help me in this regard.

Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Adam Bishop
On 23 Sep 2013, at 11:27, Husnain Taseer husnain.tas...@gmail.com wrote:

 Even I don't get any request from asterisk server in radius logs.

You're looking at the wrong layer for the problem.

Fire up tcpdump.  Do you see any radius traffic leaving the asterisk box? Does 
it reach the RADIUS server?

If no traffic is leaving the asterisk server, you'll need to ask the Asterisk 
mailing lists. If traffic is going missing, you need to check your network.

If traffic does reach the radius server, you've either broken your RADIUS 
configuration (post a full debug log) or your environment is screwed up (check 
the local firewall, SELinux, AppArmor...)

Regards,

Adam Bishop

 gpg: 0x6609D460

Janet, the UK's research and education network.


can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]

2013-09-23 Thread ken.farrington
Hi All,
I really do try to read the forums in full before I post, but I have seen much
out there on this, but just can't find out why this is happening.
Please see below.

The only thing I don't have is a sim_files entry in the sites-enabled/default, as
I assume this is now covered in the radiusd.conf file.

Also, in the simtriplets files at the bottom, I have tried the entries with a 1
at the beginning of the IMSI, and without, and with the word SIM there also.

On packet captures over the air, I get
P1 - eap identity request
P2 - eap identity response
P3 - eap-failure

So I believe the radius server is not sending an eap-start module and it is my
configuration issue.

Could anyone be so kind to help me please?

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=5,
length=257
User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
NAS-IP-Address = 192.168.21.1
Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = 5C-F8-A1-8B-35-BA
Connect-Info = CONNECT 54Mbps 802.11g
Acct-Session-Id = 524016AE-0005
Framed-MTU = 1400
EAP-Message =
0x02ba0038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x25cd862fe8110e13ab54321c37032d00
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name =
1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 186 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -
1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 5 to 10.53.1.200 port 45261
EAP-Message = 0x04ba0004
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=6,
length=257
User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
NAS-IP-Address = 192.168.21.1
Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = 5C-F8-A1-8B-35-BA
Connect-Info = CONNECT 54Mbps 802.11g
Acct-Session-Id = 524016AE-0006
Framed-MTU = 1400
EAP-Message =
0x02f20038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xac6eea11e5915f4e4e5bbc06a7ed3e72
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name =
1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 242 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
can not initiate sim, no 
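
The `radiusd -X` transcript in this post and the ldap reject in the Cisco switch post above share the same 2.x debug line shapes. The analyser below is added here as an example (not code from FreeRADIUS or from either poster); it parses such a transcript into the module result chain, the Auth-Type found, the reply sent and the reason the server printed, and classifies the two failures seen in this thread. The embedded transcripts are constructed and shortened from the posts, and the IMSI in the EAP-SIM identity is a placeholder.

```python
"""Summarise one request from a FreeRADIUS 2.x ``radiusd -X`` transcript.

Added example for this thread, not FreeRADIUS project code.  It recognises the
two reject patterns quoted in the posts: the ldap "User not found" reject that
ends with no Auth-Type, and the EAP-SIM "no RAND1 attribute" failure.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RE_USER = re.compile(r'^User-Name = "?([^"\s]+)"?')
RE_RETURNS = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")
RE_AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
RE_SIM_MISSING = re.compile(r"^can not initiate sim, no (\w+) attribute")
RE_LOGIN_INCORRECT = re.compile(r"^Login incorrect \((.*?)\): \[([^/\]]+)")
RE_REPLY = re.compile(r"^Sending Access-(Accept|Reject) of id \d+ to (\S+) port (\d+)")

@dataclass
class RequestSummary:
    user: Optional[str] = None
    auth_type: Optional[str] = None  # from "Found Auth-Type = ..."
    verdict: Optional[str] = None    # "accept" or "reject"
    nas: Optional[str] = None        # "ip:port" the reply was sent to
    modules: List[Tuple[str, str]] = field(default_factory=list)  # (module, rcode)
    errors: List[str] = field(default_factory=list)  # reasons the server printed

def parse_debug(text: str) -> RequestSummary:
    """Walk the transcript line by line and collect the facts that matter."""
    s = RequestSummary()
    for raw in text.splitlines():
        line = raw.strip()  # rad_recv attributes are tab-indented
        if m := RE_USER.match(line):
            s.user = m.group(1)
        elif m := RE_RETURNS.match(line):
            s.modules.append((m.group(1), m.group(2)))
        elif m := RE_AUTH_TYPE.match(line):
            s.auth_type = m.group(1)
        elif line.startswith("ERROR: No authenticate method"):
            s.errors.append("no Auth-Type")
        elif m := RE_SIM_MISSING.match(line):
            s.errors.append("eap-sim missing " + m.group(1))
        elif m := RE_LOGIN_INCORRECT.match(line):
            s.errors.append(m.group(1).strip())
            s.user = s.user or m.group(2)
        elif m := RE_REPLY.match(line):
            s.verdict = m.group(1).lower()
            s.nas = f"{m.group(2)}:{m.group(3)}"
    return s

def notfound_modules(s: RequestSummary) -> List[str]:
    """Backends that looked the user up and returned notfound (ldap here)."""
    return [mod for mod, rcode in s.modules if rcode == "notfound"]

def diagnose(s: RequestSummary) -> str:
    """Classify the outcome into the cases this thread is about."""
    if s.verdict == "accept":
        return "accepted"
    if any(e.startswith("eap-sim missing") for e in s.errors):
        # rlm_eap_sim had no triplet check items to build its challenge from.
        return "eap-sim-missing-triplets"
    if "no Auth-Type" in s.errors:
        # No backend claimed the user, so nothing set Auth-Type (see notfound_modules).
        return "no-auth-type"
    return "reject-other" if s.verdict == "reject" else "incomplete"

# Constructed transcript 1: the ldap reject from the Cisco switch post, shortened.
LDAP_REJECT = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=31, length=64
\tUser-Name = "root"
  [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
++[ldap] returns notfound
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
"""

# Constructed transcript 2: the EAP-SIM failure from this post, shortened; the
# IMSI in the identity is a placeholder, not the poster's.
EAP_SIM_FAIL = """\
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=5, length=257
\tUser-Name = "1001010123456789@wlan.mnc015.mcc234.3gppnetwork.org"
++[suffix] returns noop
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
[eap] processing type sim
can not initiate sim, no RAND1 attribute
++[eap] returns invalid
Sending Access-Reject of id 5 to 10.53.1.200 port 45261
"""

if __name__ == "__main__":
    for name, text in (("ldap reject", LDAP_REJECT), ("eap-sim", EAP_SIM_FAIL)):
        s = parse_debug(text)
        print(name, s.user, s.verdict, s.nas, notfound_modules(s), "->", diagnose(s))
```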

Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]

2013-09-23 Thread Arran Cudbard-Bell

On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:

 Hi All,
 I really do try to read the forums in full before I post, but I have seen
 much out there on this, but just can't find out why this is happening.
 Please see below.

 The only thing I don't have is a sim_files entry in the sites-enabled/default,
 as I assume this is now covered in the radiusd.conf file.

No, it's not, that is a version 1.x.x configuration.  You have to list it in 
sites-enabled/default before EAP for it to work.

Honestly though you don't need the sim_files stuff as you can set the 
attributes required in the users file (files).

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Husnain Taseer
In tcpdump, Asterisk is not sending a request to FreeRADIUS. Can you tell me,
after configuring FreeRADIUS, what configuration needs to be done in
Asterisk?


Regards,
Husnain Taseer


On Mon, Sep 23, 2013 at 4:11 PM, Adam Bishop adam.bis...@ja.net wrote:

 On 23 Sep 2013, at 11:27, Husnain Taseer husnain.tas...@gmail.com wrote:

  Even I don't get any request from asterisk server in radius logs.


 You're looking at the wrong layer for the problem.

 Fire up tcpdump.  Do you see any radius traffic leaving the asterisk box?
 Does it reach the RADIUS server?

 If no traffic is leaving the asterisk server, you'll need to ask the
 Asterisk mailing lists. If traffic is going missing, you need to check your
 network.

 If traffic does reach the radius server, you've either broken your RADIUS
 configuration (post a full debug log) or your environment is screwed up
 (check the local firewall, SELinux, AppArmor...)

 Regards,

 Adam Bishop

  gpg: 0x6609D460

 Janet, the UK's research and education network.

Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]

2013-09-23 Thread ken.farrington
Hi Arran,

I'm not sure if I have interpreted this right. Are you agreeing with my
statement, that it is not needed, or are you saying it is needed? I seem to
recall I get an error when I put the sim_files in the default file.

Many thx indeed for the lightning fast response mate :)

Ken

 On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org
 wrote:


 On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:

  Hi All,
  I really do try to read the forums in full before I post, but I have seen
  much out there on this, but just can't find out why this is happening.
  Please see below.

  The only thing I don't have is a sim_files entry in the
  sites-enabled/default, as I assume this is now covered in the radiusd.conf
  file.

 No, it's not, that is a version 1.x.x configuration. You have to list it in
 sites-enabled/default before EAP for it to work.

 Honestly though you don't need the sim_files stuff as you can set the
 attributes required in the users file (files).

 -Arran

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team

Ken Farrington
Director
CCIE #12651

802 Limited

Authentication

2013-09-23 Thread Free-Radius
Dear,

I wonder if FreeRADIUS can authenticate a client by IP address, without
using a login and password, only the IP. If possible, how do I do it?

Thank you.

Marcelo

Re: Authentication

2013-09-23 Thread Nikolaos Milas

On 23/9/2013 3:14 PM, Free-Radius wrote:

I wonder if FreeRADIUS can authenticate a client by IP address,
without using a login and password, only the IP. If possible, how do I do it?

You can authenticate a client based on MAC address. See
http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

Of course not by IP address, which can be manipulated.

Regards,
Nick

Re: Authentication

2013-09-23 Thread ken.farrington
Just also beware that the MAC can be spoofed also with lots of programs :)

 On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:

 On 23/9/2013 3:14 PM, Free-Radius wrote:

  I wonder if FreeRADIUS can authenticate a client by IP address,
  without using a login and password, only the IP. If possible, how do I do it?

 You can authenticate a client based on MAC Address. See
 http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

 Of course not by IP address, which can be manipulated.

 Regards,
 Nick

Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]

2013-09-23 Thread ken.farrington
Also, if I put the sim_files entry before eap in the default file I get the
following error when I try and start radiusd -s -X:

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
/usr/local/etc/raddb/radiusd.conf[643]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file
or directory
/usr/local/etc/raddb/sites-enabled/default[63]: Failed to load module
sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize
section.

Could it be a Linux thing? I am starting to think my Linux skills are rubbish.
I have been trying very hard :)

Many thx

ken

 On 23 September 2013 at 12:56 ken.farrington ken.farring...@802.co.uk
 wrote:
  Hi Arran,
 
  I'm not sure if I have interpreted this right. Are you agreeing with my
 statement, that it is not needed, or are you saying it is needed? I seem to
 recall I get an error when I put the sim_files in the default file.
 
  Many thx indeed for the lightning fast response mate :)
 
  Ken
 
   On 23 September 2013 at 12:49 Arran Cudbard-Bell
   a.cudba...@freeradius.org wrote:
  
  
   On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:
  
Hi All,
I really do try to read the forums in full before I post, but I have seen
much out there on this, but just can't find out why this is happening.
Please see below.

The only thing I don't have is a sim_files entry in the
sites-enabled/default, as I assume this is now covered in the
radiusd.conf file.
  
   No, it's not, that is a version 1.x.x configuration. You have to list it in
   sites-enabled/default before EAP for it to work.
  
   Honestly though you don't need the sim_files stuff as you can set the
   attributes required in the users file (files).
  
   -Arran
  
   Arran Cudbard-Bell a.cudba...@freeradius.org
   FreeRADIUS Development Team
  

Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Alan DeKok
Husnain Taseer wrote:
 In tcpdump asterisk not sending request to the freeradius can u tell
 after configuring freeradius what configurations are needed to be done
 in asterisk.

  You were told to ask this question on the asterisk mailing list.

  We are not asterisk, and we know nothing about it.

  If you're not going to follow instructions, you will have a VERY hard
time solving the problem.

  Alan DeKok.


Re: Authentication

2013-09-23 Thread Michael Schwartzkopff
On Monday, 23 September 2013, 13:53:14, ken.farrington wrote:
 Just also beware that the MAC can be spoofed also with lots of programs :)

Yes: ip link dev ... set addr ...

  On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:
  
  On 23/9/2013 3:14 PM, Free-Radius wrote:
   I wonder if FreeRADIUS can authenticate a client by IP address,
   without using a login and password, only the IP. If possible, how do I do it?
  
  You can authenticate a client based on MAC Address. See
  http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.
  
  Of course not by IP number which can be manipulated.
  
  Regards,
  Nick
-- 
Kind regards,

Michael Schwartzkopff

sys4 AG, http://sys4.de

Re: FreeRadius Error Access Rejected Only On Some CISCO Switch Ports

2013-09-23 Thread Alan DeKok
Daniel Baker wrote:
   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
   [ldap] object not found
 [ldap] search failed

  What part of that is unclear?

 What can I try to fix the authentication issues so that all ports are being 
 successfully authenticated ? 

  Ensure that the people logging in have accounts in ldap.

  Alan DeKok.

Re: FreeRadius Error Access Rejected Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker

Thank you Alan I will pursue that line of inquiry further.


On 9/23/2013 8:18 PM, Alan DeKok wrote:

Daniel Baker wrote:

   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
   [ldap] object not found
[ldap] search failed

   What part of that is unclear?


What can I try to fix the authentication issues so that all ports are being 
successfully authenticated ?

   Ensure that the people logging in have accounts in ldap.

   Alan DeKok.


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 13:31, John Dennis opined:

JD:You still haven't sent the full debug.

hi john - thanks for your reply.  i sent the output from running radiusd 
-X, are you saying i need to run -Xxx and send that instead?

or are you looking for the startup output as well?  i only included the 
output for the particular requests.

JD:Also, you said you were moving from v1 to v2, you can't just copy v1 
JD:configs over, they're different, hope you weren't doing that.

i used a default v2 install and only changed the users and clients.conf 
files.  everything else was left alone.

regards, paul


Re: Freeradius-Users Digest, Vol 101, Issue 50

2013-09-23 Thread Rui Ribeiro
 --

 Message: 5
 Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
 From: paul trader flip...@igolinux.com
 Subject: pap always returns noop for windows dialup authentication

 hi all - i've recently tried upgrading from v1 to v2.  on a centos 6.4 box
 w/ all latest updates, i installed freeradius v2, added one username and
 password to /etc/raddb/users:

 test Cleartext-Password := testing

 and the radtest command-line authentication works.  i then added one
 client for our blade server to /etc/raddb/clients.conf:

 client x.x.x.x {
secret = x
shortname = 3coms
 }

 substituting the correct ip and secret for the x's.

 testing from my linux box w/ a modem, authentication works.  output from
 radiusd -X shows all is well, my linux box receives an ip address and dns
 servers.  relevant -X debug output shows:

 ++[pap] returns updated
 Found Auth-Type = PAP
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group PAP {...}
 [pap] login attempt with password testing
 [pap] Using clear text password testing
 [pap] User authenticated successfully
 ++[pap] returns ok

 however, when trying to authenticate from a windows box, authentication
 fails.  every time.  i've tried it from a windows xp machine and 2 windows
 7 machines.  the debug output always says:

 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
 the user
 Failed to authenticate the user.
 Using Post-Auth-Type Reject

 i've been over and over everything a dozen times, have tried changing the
 windows dialup security settings to use pap only, and also have tried
 adding the following line to the users file:

 Auth-Type = PAP

 even though everything i've read said not to do that.  still doesn't work.
 the only changes i've made to the default installation are to the users
 and clients.conf files.  i have spent hours searching the internet for a
 similar problem/solution and come up empty.  windows boxes will not
 authenticate, pap always returns noop, and the user is rejected.

 am i doing something glaringly wrong, or just going plain crazy?

 regards, paul


 --

 Message: 6
 Date: Mon, 23 Sep 2013 17:52:53 +0100
 From: Phil Mayers p.may...@imperial.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: pap always returns noop for windows dialup authentication
 Message-ID: 524071e5.4090...@imperial.ac.uk
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed

 On 23/09/13 17:33, paul trader wrote:

  am i doing something glaringly wrong, or just going plain crazy?

 It's difficult to say, because the debug you sent has all the useful
 bits trimmed out - like the original packet, and the full module
 processing chain.

 Send a full debug, and odds are someone will spot the issue.

 Most likely is that the Windows machine is sending a different format of
 username e.g. DOMAIN\user, so whatever database you're doing a lookup
 for the password or hash - SQL, LDAP, files - isn't matching. But that's
 a guess - post the full debug.


 --

 Message: 7
 Date: Mon, 23 Sep 2013 13:19:04 -0400 (EDT)
 From: paul trader flip...@igolinux.com
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Subject: Re: pap always returns noop for windows dialup authentication
 Message-ID:
 alpine.DEB.2.02.1309231310440.7633@soundgarden.localdomain.local
 Content-Type: TEXT/PLAIN; charset=US-ASCII

 eOn Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:

 PM:It's difficult to say, because the debug you sent has all the useful
 PM:bits trimmed out - like the original packet, and the full module
 PM:processing chain.

 hi phil - ok, here's the full debug for a successful request:

 rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37,
 length=133
 User-Name = test
 User-Password = testing
 User-Password = testing
 NAS-IP-Address = x.x.x.x
 NAS-Identifier = x.x.x.x
 NAS-Port = 2561
 Acct-Session-Id = 167773864
 Service-Type = Login-User
 Calling-Station-Id = xx
 Called-Station-Id = xxx
 NAS-Port-Type = Async
 # Executing section authorize from file /etc/raddb/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[digest] returns noop
 [suffix] No '@' in User-Name = test, looking up

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers

On 23/09/13 17:33, paul trader wrote:


am i doing something glaringly wrong, or just going plain crazy?


It's difficult to say, because the debug you sent has all the useful 
bits trimmed out - like the original packet, and the full module 
processing chain.


Send a full debug, and odds are someone will spot the issue.

Most likely is that the Windows machine is sending a different format of 
username e.g. DOMAIN\user, so whatever database you're doing a lookup 
for the password or hash - SQL, LDAP, files - isn't matching. But that's 
a guess - post the full debug.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 01:19 PM, paul trader wrote:
 On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
 
 PM:It's difficult to say, because the debug you sent has all the useful 
 PM:bits trimmed out - like the original packet, and the full module 
 PM:processing chain.

You still haven't sent the full debug.

 hi phil - ok, here's the full debug for a successful request:

 [files] users: Matched entry test at line 1

 and here's the full output of a failed request:

 [files] users: Matched entry DEFAULT at line 172

So there's your answer, in the successful case it matched the entry for
text on line 1, on the failed case it didn't match. So either you're not
using the same users file (a full debug would have told us that) or
you've got some criteria set for the test entry which isn't being matched.

Also, you said you were moving from v1 to v2, you can't just copy v1
configs over, they're different, hope you weren't doing that.

-- 
John


pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader


hi all - i've recently tried upgrading from v1 to v2.  on a centos 6.4 box 
w/ all latest updates, i installed freeradius v2, added one username and 
password to /etc/raddb/users:


test Cleartext-Password := testing

and the radtest command-line authentication works.  i then added one 
client for our blade server to /etc/raddb/clients.conf:


client x.x.x.x {
  secret = x
  shortname = 3coms
}

substituting the correct ip and secret for the x's.

testing from my linux box w/ a modem, authentication works.  output from 
radiusd -X shows all is well, my linux box receives an ip address and dns 
servers.  relevant -X debug output shows:


++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok

however, when trying to authenticate from a windows box, authentication 
fails.  every time.  i've tried it from a windows xp machine and 2 windows 
7 machines.  the debug output always says:


[pap] WARNING! No known good password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
the user

Failed to authenticate the user.
Using Post-Auth-Type Reject

i've been over and over everything a dozen times, have tried changing the 
windows dialup security settings to use pap only, and also have tried 
adding the following line to the users file:


Auth-Type = PAP

even though everything i've read said not to do that.  still doesn't work. 
the only changes i've made to the default installation are to the users 
and clients.conf files.  i have spent hours searching the internet for a 
similar problem/solution and come up empty.  windows boxes will not 
authenticate, pap always returns noop, and the user is rejected.


am i doing something glaringly wrong, or just going plain crazy?

regards, paul


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:

PM:It's difficult to say, because the debug you sent has all the useful 
PM:bits trimmed out - like the original packet, and the full module 
PM:processing chain.

hi phil - ok, here's the full debug for a successful request:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, 
length=133
User-Name = test
User-Password = testing
User-Password = testing
NAS-IP-Address = x.x.x.x
NAS-Identifier = x.x.x.x
NAS-Port = 2561
Acct-Session-Id = 167773864
Service-Type = Login-User
Calling-Station-Id = xx
Called-Station-Id = xxx
NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 37 to x.x.x.x port 1812
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 37 with timestamp +676


and here's the full output of a failed request:

Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, 
length=121
User-Name = test
User-Password = testing
NAS-IP-Address = x.x.x.x
NAS-Identifier = x.x.x.x
NAS-Port = 2561
Acct-Session-Id = 167773862
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = xx
Called-Station-Id = xxx
NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 35 to 64.214.93.3 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +361

from what i can see, the successful request finds the user's entry in the 
user table, but the failed request doesn't (and uses DEFAULT instead).  
but the usernames passed in seem to be the same.  i don't know, we've used 
freeradius for years and this is the 1st time i'm having a problem.  
weird.

regards, paul


Re: Freeradius-Users Digest, Vol 101, Issue 50

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 18:49, Rui Ribeiro opined:

RR:You're not crazy for sure. The problem authenticating with Windows boxen 
RR:is that they only support MSCHAPv2… kudos to Microsoft.

hi rui - thanks for that, although my family and co-workers may disagree!  

according to this wiki faq entry:

http://wiki.freeradius.org/guide/faq#How-do-I-make-Windows-XP-clients-use-only-PAP-%28Not-CHAP%29

it's possible to force ms to use pap.  somehow, though, after reading 
another reply to my post, i'm getting the feeling ms clients are munging 
something in the username because it's not being found in the users file.

regards, paul

EAP-TLS Authentication

2013-09-23 Thread arvind132 .
Hi,
I am facing some issues with 802.1x EAP-TLS Authentication.
Please suggest any document which can help in better understanding on TLS
Authentication.
Thanks.

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 02:07 PM, paul trader wrote:
 On Mon, 23 Sep 2013 at 13:31, John Dennis opined:
 
 JD:You still haven't sent the full debug.
 
 hi john - thanks for your reply.  i sent the output from running radiusd 
 -X, are you saying i need to run -Xxx and send that instead?

No. It means all the output from radiusd -X. Yes, that might seem like a
lot but it contains useful information. But before you do send it to
this list see below.
 
 or are you looking for the startup output as well?  i only included the 
 output for the particular requests.

That's not the full debug is it? :-)

 
 JD:Also, you said you were moving from v1 to v2, you can't just copy v1 
 JD:configs over, they're different, hope you weren't doing that.
 
 i used a default v2 install and only changed the users and clients.conf 
 files.  everything else was left alone.

You have all the information you need to debug your problem. It does
require reading the debug output carefully. But you should really try to
do that yourself first. As I said earlier, verify you're reading the
exact same users file in both cases (the debug output will tell you what
files are being read). If they are, then look at your users file and
determine why the user name is not matching, there is nothing magic
about it, it should be straight forward. Still stumped? Then come back
to the list for help.


-- 
John


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Alan DeKok
paul trader wrote:
 i used a default v2 install and only changed the users and clients.conf 
 files.  everything else was left alone.

  Well, there's no magic.  If the users file entry doesn't match, it's
 because the User-Name isn't test.

  Alan DeKok.


Re: EAP + SSL + Certificate chains

2013-09-23 Thread Trevor Jennings
Hey I wanted to say thanks for the tips! I convinced the peers that it was
not a good idea to allow auto certificate acceptance and to just have the
clients accept it when the new certificate went online.

Cheers,

 - Trevor



On Thu, Sep 12, 2013 at 3:46 PM, Brian Julin bju...@clarku.edu wrote:

  Mathieu wrote:
  At least from that side there is hope for improvements with Android 4.3
  onwards there
  are API calls for enterprise wireless configuration.
 
  Maybe someone steps up by making an application that can manage
  profiles or something like this.

 That is promising, but I hope this does not become a case of
 "Oh, there's an app for that" basic system function versus it being in the
 core UI.  Because nobody will have it pre-installed.

 --
 Brian


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 14:42, John Dennis opined:

JD:You have all the information you need to debug your problem. It does 
JD:require reading the debug output carefully. But you should really try 
JD:to do that yourself first. As I said earlier, verify you're reading the 
JD:exact same users file in both cases (the debug output will tell you 
JD:what files are being read). If they are, then look at your users file 
JD:and determine why the user name is not matching, there is nothing magic 
JD:about it, it should be straight forward. Still stumped? Then come back 
JD:to the list for help.

hi john - thanks for the help.  however, i've read the debug output about 
50 thousand times and am just not seeing what is causing the problem, 
other than it not finding the username in the /etc/raddb/users file when 
trying to authenticate from a windows box.  i mean, the debug output from 
the authentication request shows the username to be test and there's 
clearly a user named test in the users file.  every place in the debug 
output where it lists the username it's test.  there doesn't seem to be 
any domain prepended to it.

when starting the server, the debug output shows the file 'modules/files' 
is being instantiated:

 Module: Instantiating module files from file /etc/raddb/modules/files
  files {
usersfile = /etc/raddb/users
acctusersfile = /etc/raddb/acct_users
preproxy_usersfile = /etc/raddb/preproxy_users
compat = no
  }

and the user/password is in the /etc/raddb/users file.  if it weren't then 
the linux authentication requests wouldn't be working either, right?

i'm not trying anything complicated.  this setup is not using ldap, active 
directory, and it's not talking to a database.  it's just supposed to be 
reading a plain-text username and password from the users file.

here's the full debug output:

[root@ikano raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct  
3 2012 at 01:22:51
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/clients.conf.swave
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file 

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers

On 23/09/2013 18:19, paul trader wrote:


hi phil - ok, here's the full debug for a successful request:

[files] users: Matched entry test at line 1


Versus


and here's the full output of a failed request:

[files] users: Matched entry DEFAULT at line 172


The two requests look very similar, but you've x.x.x.x'ed out some data 
(grr...). Whatever you've X'ed out, one request is matching on line 1 of 
the users file, one on line 172, so they're obviously different.


Carefully examine the two entries on line 1 and 172, determine what's 
different, examine the unredacted data in the packets, and correct it.

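Phil's "determine what's different" advice, together with the "pap returns noop" symptom itself, as an added example written for this page (it is not code from the thread or from FreeRADIUS): a small Python model of how rlm_files selects a users-file entry and how rlm_pap then decides in authorize whether to set Auth-Type = PAP, run over the two Access-Requests paul posted. It assumes simplified 2.x semantics: the first entry whose name is DEFAULT or equals the login name and whose check items all hold wins; only ==, != and =~ are evaluated; items written with :=, = or += (Cleartext-Password, for instance) are control items and never affect matching; no Fall-Through. The users files are constructed: line 1 is the entry from the post, the DEFAULT entry is of the kind the stock users file ships with, and the USERS_RESTRICTED variant adds a Service-Type check to line 1 purely to show one way an entry can match the Login-User request and fall through to DEFAULT for the PPP one. The thread does not establish that this is what happened on paul's server.

```python
import operator
import re

# Items with a comparison operator are check items rlm_files evaluates against the request;
# items with an assignment operator (:=, =, +=) are control items and never decide a match.
_CMP = {"==": operator.eq, "!=": operator.ne}
_ASSIGN = {":=", "=", "+="}
_ITEM = re.compile(r'([\w-]+)\s*(:=|\+=|==|!=|=~|=)\s*"?(.*?)"?$')
_ATTR = re.compile(r'\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')
KNOWN_GOOD = {"Cleartext-Password", "Crypt-Password", "MD5-Password", "NT-Password"}

def parse_items(text):
    """'A := x, B == y' -> [('A', ':=', 'x'), ('B', '==', 'y')]; no commas inside values."""
    items = []
    for raw in (s.strip() for s in text.split(",")):
        if raw:
            m = _ITEM.match(raw)
            if not m:
                raise ValueError("cannot parse users-file item %r" % raw)
            items.append(m.groups())
    return items

def parse_users(text):
    """Users file -> [(line_no, name, check_items, reply_items)] in file order."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                 # indented line: reply items of the entry above
            entries[-1][3].extend(parse_items(line))
        else:                                # 'name  check, items'
            parts = line.strip().split(None, 1)
            entries.append((line_no, parts[0], parse_items(parts[1]) if len(parts) > 1 else [], []))
    return entries

def parse_request(dump):
    """Attribute lines of a rad_recv block -> {attr: [values]} (repeated attributes kept)."""
    attrs = {}
    for m in filter(None, map(_ATTR.match, dump.splitlines())):
        attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def _holds(attr, op, want, request):
    if op in _ASSIGN:
        return True
    if attr not in request:                  # a comparison against an absent attribute fails
        return False
    have = request[attr][0]
    return re.search(want, have) is not None if op == "=~" else _CMP[op](have, want)

def match_entry(entries, request):
    """First entry named DEFAULT or equal to the login name whose check items all hold."""
    name = request.get("Stripped-User-Name", request.get("User-Name", [None]))[0]
    for entry in entries:
        if entry[1] in ("DEFAULT", name) and all(_holds(a, op, v, request) for a, op, v in entry[2]):
            return entry
    return None

def authorize(entries, request):
    """-> (matched line, Auth-Type).  pap sets PAP only when the matched entry supplied a
    known-good password and the request carries User-Password; otherwise Auth-Type stays
    unset and the server rejects ('No authenticate method (Auth-Type) found')."""
    entry = match_entry(entries, request)
    if entry is None:
        return None, None
    control = {a for a, op, _ in entry[2] if op in _ASSIGN}
    return entry[0], "PAP" if "User-Password" in request and control & KNOWN_GOOD else None

def diff_requests(a, b):
    """Attributes whose values differ between two parsed requests: {attr: (in_a, in_b)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# The two Access-Requests from the thread, abridged to the attributes that matter here.
OK_REQUEST = """User-Name = test
User-Password = testing
User-Password = testing
NAS-Port = 2561
Acct-Session-Id = 167773864
Service-Type = Login-User
NAS-Port-Type = Async"""
PPP_REQUEST = """User-Name = test
User-Password = testing
NAS-Port = 2561
Acct-Session-Id = 167773862
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port-Type = Async"""
# Constructed users files: line 1 is the entry from the post, the DEFAULT entry is of the kind
# the stock 2.x file carries; the variant adds a check item to line 1 only for illustration.
USERS_PLAIN = ("test Cleartext-Password := testing\n"
               "DEFAULT Framed-Protocol == PPP\n"
               "\tFramed-Protocol = PPP,\n"
               "\tFramed-Compression = Van-Jacobson-TCP-IP\n")
USERS_RESTRICTED = USERS_PLAIN.replace("testing\n", "testing, Service-Type == Login-User\n", 1)

if __name__ == "__main__":
    ok, ppp = parse_request(OK_REQUEST), parse_request(PPP_REQUEST)
    print("attributes that differ:", diff_requests(ok, ppp))
    for label, users in (("as posted", USERS_PLAIN), ("check on line 1", USERS_RESTRICTED)):
        for kind, req in (("Login-User", ok), ("PPP", ppp)):
            print("%-16s %-10s -> line %s, Auth-Type %s" % ((label, kind) + authorize(parse_users(users), req)))
```

Run as a script it prints the attributes that differ between the two packets (Service-Type, the added Framed-Protocol, the session id and the doubled User-Password) and, for each users file, the line matched and the Auth-Type. With the line-1 entry exactly as posted both requests land on line 1 and get PAP; only when line 1 carries a check item that the PPP request fails does that request drop to DEFAULT, where no known-good password exists and pap has nothing to work with.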


Re: EAP-TLS Authentication

2013-09-23 Thread Muhammad Nadeem
--Please suggest any document which can help in better understanding on
TLS Authentication.

Arvind, I also faced the same issue at beginning , but I would suggest to
read Freeradius own documentation. That is probably the best.


On Mon, Sep 23, 2013 at 7:45 PM, arvind132 . arvind...@gmail.com wrote:

 Hi,
 I am facing some issues with 802.1x EAP-TLS Authentication.
 Please suggest any document which can help in better understanding on TLS
 Authentication.
 Thanks.





-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University