question re inner tunnel / virtual server

2011-04-24 Thread Michael Arndt
Hi *,

I am trying to get a better grip on understanding the virtual server for the inner EAP
tunnel.
Please forgive me if any of the following statements represents a misunderstanding
of concepts on my side.

Which of the following statements describing the inner tunnel virtual server
for EAP are wrong / correct?

EAP:

- The eap module can map tunneled requests to a virtual server (inner tunnel).

- It knows where to communicate by freeradius reading the virtual servers'
  configs in sites-enabled.

- So the port configured for the inner tunnel virtual server (statement valid
  only for this inner tunnel VS) is only relevant externally for testing
  purposes, in order to test the correct freeradius config wrt EAP.

- freeradius handles the communication to the inner tunnel with the above
  mentioned mapping of the eap module. So in productive use there is no need
  to reference the port for the inner tunnel (except when proxying or using
  the test for EAP to check for a valid config).

- The main goal of the inner tunnel virtual server is to allow completely
  independent policies for outer / inner tunneled sessions.

I hope I did not fall for too many misunderstandings.

TIA
Micha

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


no authenticate step ...

2011-04-07 Thread Michael Arndt
hello *

I am trying to transfer a working configuration from a very old (1.x) freeradius
version to a more recent radius version:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010
at 21:14:10

My problem: after authenticating against LDAP and Auth-Type = ldap is
set, no authorize step is done.

The next step happening is trying the next entry from the users file.

Expected: authenticate with bind as user and password hash of the user
against LDAP.

Here is the snippet from the debug log I assume relevant:


Thu Apr  7 12:45:28 2011 : Info: [auth_log] expand: %t - Thu Apr  7 
12:45:28 2011
Thu Apr  7 12:45:28 2011 : Info: ++[auth_log] returns ok
Thu Apr  7 12:45:28 2011 : Info: ++[mschap] returns noop
Thu Apr  7 12:45:28 2011 : Info: [suffix] No '@' in User-Name = pilot1, 
looking up realm NULL
Thu Apr  7 12:45:28 2011 : Info: [suffix] No such realm NULL
Thu Apr  7 12:45:28 2011 : Info: ++[suffix] returns noop
Thu Apr  7 12:45:28 2011 : Info: [ldap] performing user authorization for 
pilot1
Thu Apr  7 12:45:28 2011 : Info: [ldap] WARNING: Deprecated conditional 
expansion :-.  See man unlang for details
Thu Apr  7 12:45:28 2011 : Info: [ldap] ... expanding second conditional
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: %{User-Name} - 
pilot1
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: 
(uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=pilot1)
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: l=Berlin,dc=de,o=ABC- 
l=Berlin,dc=de,o=ABC
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] attempting LDAP reconnection
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] (re)connect to 10.128.1.1:389, 
authentication 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] bind as cn=Manager,o=ABC/xyz to 
10.128.1.1:389
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] waiting for bind result ...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] Bind was successful
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] performing search in 
l=Berlin,dc=de,o=ABC, with filter (uid=pilot1)
Thu Apr  7 12:45:28 2011 : Info: [ldap] No default NMAS login sequence
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for check items in directory...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] userPassword - Password-With-Header 
== {MD5}hashvalueD1xtOw==
(the sequence after the hashed password astonishes me, the D1xt0w)
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for reply items in directory...
Thu Apr  7 12:45:28 2011 : Info: [ldap] Setting Auth-Type = LDAP
Thu Apr  7 12:45:28 2011 : Info: [ldap] user pilot1 authorized to use 
remote access
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Apr  7 12:45:28 2011 : Info: ++[ldap] returns ok
Thu Apr  7 12:45:28 2011 : Info: [eap] No EAP-Message, not doing EAP
Thu Apr  7 12:45:28 2011 : Info: ++[eap] returns noop

... the next line / match in the users file is done next
... in the old config the next step was authenticate

So clearly I made a mistake and have overlooked a necessary config option.
Any hints where to look next?
The hint to transfer the deprecated expression from the users file to unlang
will be followed once I succeed with auth.



TIA
Micha





Re: Re: LDAP auth success / User reject

2010-11-19 Thread Michael Arndt
Hello *,

Problem solved, thanks to Alan's help:

- Find out what part of the configuration is setting Auth-Type := Reject
- Look in the files configuration, and in the data in LDAP.

The reject was the last default statement in the users file.
My problem was that the patterns for both entries before it failed.

I resolved the reason: it was a bug in the LDAP tree of the customer for this site,
not noticed by me before.

Michael






No NAS Port seen ?

2010-11-19 Thread Michael Arndt
Hello *

- Is the error below caused by a fault of the NAS,
- or a stupid mistake of mine within the setup?

 rlm_radutmp: No NAS-Port seen.  Cannot do anything.
 rlm_radumtp: WARNING: checkrad will probably not work!

- Other attributes are sent correctly.
- The device is a Lancom 315-agn.


TIA
Micha








LDAP auth success / User reject

2010-11-18 Thread Michael Arndt
hello *

Scenario: freeradius auth via LDAP simple bind with user password / user name for
a hot spot.
The used config works with two other setups of the same environment.

Problem: the simple bind returns ok,
  then another module rejects the user.
Any hints where I should look?


Used FreeRADIUS version: FreeRADIUS Version 1.1.6

Below the debug output:

Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from suffix 
(rlm_realm) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module suffix returns 
noop for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling ldap 
(rlm_ldap) for request 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: - authorize
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: performing user authorization for 
test1
Thu Nov 18 11:20:52 2010 : Debug: radius_xlat:  '(uid=test1)'
Thu Nov 18 11:20:52 2010 : Debug: radius_xlat:  'l=Stadt,dc=de,o=Organisationr'
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: (re)connect to 127.0.0.1:389, 
authentication 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: bind as 
cn=LDAPADMIN,o=Customer/sharedsecret to 127.0.0.1:389
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: performing search in 
l=Stadt,dc=de,o=Organisation, with filter (uid=test1)
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: looking for check items in 
directory...
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: looking for reply items in 
directory...
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: Setting Auth-Type = ldap
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: user test1 authorized to use remote 
access
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from ldap 
(rlm_ldap) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module ldap returns 
ok for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling eap (rlm_eap) 
for request 0
Thu Nov 18 11:20:52 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from eap 
(rlm_eap) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module eap returns 
noop for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 0
Thu Nov 18 11:20:52 2010 : Debug: users: Matched entry DEFAULT at line 3
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from files 
(rlm_files) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module files returns 
ok for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: calling pap (rlm_pap) 
for request 0
Thu Nov 18 11:20:52 2010 : Debug: rlm_pap: Found existing Auth-Type, not 
changing it.
Thu Nov 18 11:20:52 2010 : Debug:   modsingle[authorize]: returned from pap 
(rlm_pap) for request 0
Thu Nov 18 11:20:52 2010 : Debug:   modcall[authorize]: module pap returns 
noop for request 0
Thu Nov 18 11:20:52 2010 : Debug: modcall: leaving group authorize (returns ok) 
for request 0
Thu Nov 18 11:20:52 2010 : Debug:   rad_check_password:  Found Auth-Type Reject
Thu Nov 18 11:20:52 2010 : Debug:   rad_check_password: Auth-Type = Reject, 
rejecting user
Thu Nov 18 11:20:52 2010 : Debug: auth: Failed to validate the user.
Thu Nov 18 11:20:52 2010 : Auth: Login incorrect: [test1/testpasswd] (from 
client wlanhsp port 0 cli 00:1e:c2:a3:4d:b  


The line from users:

DEFAULT Called-Station-Id =~ .*:LIBRARY , Ldap-group == 
cn=city,cn=Groups,l=Stadt,dc=de,o=Organisation 

Thanks for any hints :-)
I have anonymized the LDAP attributes.


Michael

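The users file quoted above is evaluated in file order: the first entry whose check items all hold is used, and when neither of the two SSID / group patterns matches, the last DEFAULT line with Auth-Type := Reject catches the request, which is what "Matched entry DEFAULT" followed by "Found Auth-Type Reject" shows. As an added illustration that is not FreeRADIUS code and not from the poster, here is a small Python model of that matching over a constructed users file; it simplifies Ldap-Group to a plain request attribute (in FreeRADIUS rlm_ldap answers that comparison by querying the directory):

```python
import re

# Constructed users file modelled on the entries quoted in this thread; values
# are quoted so the commas inside the DN do not split the item list.
# Assumption: Ldap-Group is a plain request attribute in this model.
USERS_FILE = """DEFAULT Called-Station-Id =~ ".*:LIBRARY", Ldap-Group == "cn=city,cn=Groups,l=Stadt,dc=de,o=Organisation"
DEFAULT NAS-IP-Address == "192.168.123.45"
DEFAULT Auth-Type := Reject
"""

# One check item: attribute, operator, quoted or bare value, optional trailing comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=~)\s*(?:"([^"]*)"|([^,\s]+))\s*,?')

def parse_users(text):
    """Return [(line number, entry name, [(attr, op, value), ...])] in file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in " \t":
            continue  # blank, or an indented reply-item line rather than an entry header
        name, _, rest = line.partition(" ")
        items = [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
                 for m in ITEM_RE.finditer(rest)]
        entries.append((lineno, name, items))
    return entries

def item_holds(request, attr, op, value):
    """Evaluate one check item; ':=' is a control assignment, never a test."""
    if op == ":=":
        return True
    got = request.get(attr)
    if got is None:
        return False  # an attribute the NAS never sent cannot satisfy a check item
    if op == "==":
        return got == value
    if op == "!=":
        return got != value
    return re.search(value, got) is not None  # '=~'

def match_users(entries, request):
    """First entry whose check items all hold wins (Fall-Through not modelled).
    Returns (matched line number or None, request with ':=' items applied)."""
    for lineno, name, items in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(item_holds(request, a, o, v) for a, o, v in items):
            updated = dict(request)
            updated.update({a: v for a, o, v in items if o == ":="})
            return lineno, updated
    return None, dict(request)
```

A request from a test client on localhost carries neither the hot spot's Called-Station-Id nor the NAS-IP-Address, so it always ends on the Reject line; the same happens for a real client whose group DN does not match exactly.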


Re: Re: LDAP auth success / User reject

2010-11-18 Thread Michael Arndt
Alan,

> Use -X.  You've added an additional -x, which makes the output harder to
> read.

OK, understood, attached below.

> Thu Nov 18 11:20:52 2010 : Debug:   rad_check_password:  Found Auth-Type 
> Reject
> Thu Nov 18 11:20:52 2010 : Debug:   rad_check_password: Auth-Type = Reject, 
> rejecting user

> Well... something is setting that.  Go find out what, and fix it.


Any hints how to proceed to debug where the Reject for rad_check_passwd
is caused?

I checked the LDAP attributes and verified the correctness of the user password for simple
bind with ldapsearch.
So I have at last excluded trivial errors like testing with a dn or wrong user
password.

But now I do not see how to trace why the radius request comes back with reject.


rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in l=Stadt,dc=de,o=Organisation, with filter 
(uid=test1)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user test11 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 4
  modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [test1/testpass] (from client wlanhsp port 0 cli 
00:1e:c2:a3:4d:b3)


TIA
Micha



Re: Re: radius client / send NAS IP ?

2010-09-27 Thread Michael Arndt
Hello Alan,

sorry, my fault :-)
radclient saves my day; indeed I can send any attribute / value pair I like.


thanks for your help
Micha






rlm_exec: Wait=yes but no output defined

2010-09-25 Thread Michael Arndt
Hello *,
radiusd -X in different places announces:
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Will freeradius fall back internally to output=none without inserting this
attribute / value in the config?
Or should I mandatorily add output=none?
 
TIA
Micha



radius client / send NAS IP ?

2010-09-25 Thread Michael Arndt
Hello *,

At the time being I have to use an old radius version for different reasons.

freeradius-client-1.1.5-36
freeradius-devel-1.1.6-47
freeradius-1.1.6-47
freeradius-client-devel-1.1.5-36
freeradius-client-libs-1.1.5-36

For real logins at the WLAN hot spot the

DEFAULT NAS-IP-Address == 192.168.123.45
or
DEFAULT Called-Station-Id =~ .*:MYSSID

are part of the check (via criteria in users).

Is there a radtest client where I can send those attribute / value pairs
intentionally?

Otherwise in my traces I will always see a refusal as test result, since from
localhost those parameters will not match.

Prio low, would just be nice for testing.

TIA
Micha




Re: Re: radius client / send NAS IP ?

2010-09-25 Thread Michael Arndt
Alan,

Thanks for answering.

At least the radclient of the installed version does not allow adding those
attributes according to the manpage.
If I read your hint right I should download a current version and compile it to
get a radclient with enhanced abilities :-)

TIA
Micha


- original message -

Subject: Re: radius client / send NAS IP ?
Date: Sat 25 Sep 2010 15:01:49 CEST
From: Alan DeKok <al...@deployingradius.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

Michael Arndt wrote:
> is there a radtest client where i can send those attribute / value pairs
> intentionally ?

$ man radclient

  Alan DeKok.


- end of original message -


radiusd only starting with radiusd -X, but not as daemon via rc.freeradius

2010-01-23 Thread Michael Arndt
hello *,

1. I can start radiusd with a valid and working radiusd.config using radiusd -X;
   in this case auth using e.g. radtest or other clients is working and stable.

2. Without the -X option and as a service via rc.freeradius,
radiusd will start, but authentication against radius is not
successful, e.g. using radtest
( cannot connect to ... )

As far as I understand, the difference between both modes is that without -X
radiusd switches over from root to user radius after parsing all config files.

So I assume a problem with a socket or else, but with strace I see no hint
that gives me a clue.

Any hints in which direction my debugging should go?

System is  an openSUSE 10.3 (i586) VERSION = 10.3
SW Package Versions:

freeradius-devel-1.1.6-47.4
freeradius-client-1.1.5-36
freeradius-1.1.6-47.4
freeradius-client-libs-1.1.5-36
freeradius-client-devel-1.1.5-36
pam_radius-1.3.16-144


TIA
Michael



