Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
OK guys, I've managed to get things working... It was a samba issue as mentioned before. I've had to include the following line in smb.conf:

winbind forcesamlogon = true

It took a little while of googling, but first of all my freeradius server was configured correctly... Thanks all for your time

Lukas

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-problem-tp2780544p3389190.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi Alan,

Thanks for the quick reply. I have read the log several times, however nothing points me in the right direction... that's why I posted a question here... When I use usern...@domain.com I get access-reject as ntlm authentication fails, so from this point it's working OK I guess. Also I don't think it's a certificate problem as I've got the same results with Linux / Windows 7 clients.

From the debug I see ntlm authentication went OK, then the EAP session does not finish, but why is this happening? Do you think I am really facing the certificate compatibility problem? Even though it's working fine with freeradius 1.1.7? I've tried to create a new one but same results... Or have I missed anything else? Sorry, FR 2.x.x is still new to me.

Thanks
Lukas
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Pretty new to FR as well, but from what it looks like to me, you're using a workstation login, not a user login. The portion

[suffix] No '@' in User-Name = host/W400210.interoute.com, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 198 length 31
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP

looks like your supplicant is sending workstation logins and your LDAP server is rejecting them. I don't know though, I am not a big log reader, I skim over them to find the error, I really need to get into them more :)

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

On Wednesday, February 16, 2011 at 1:38 AM, in message 1297849120978-3387353.p...@n5.nabble.com, lucky79 lukas.hofric...@interoute.com wrote:
> Hi Alan, Thanks for the quick reply. I have read the log several times, however nothing points me in the right direction...
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi Alan,

My previous config is for FR 1.x; now I want to use FR 2.1.x, so I don't think I can use the same config files as there are some differences between FR 1 and 2, right? It's really strange, as I've tried to build the system on FC10 last year already - configured from scratch - but now with FC14 I'm still facing the same problem, which I couldn't solve yet. The problem I have with FR1 on FC8 is that sometimes (randomly) the daemon hangs and needs to be restarted (it's a VM running on ESX), so I was thinking of upgrading to FR2 because of that; also FC8 is already quite an old distribution...

Will try the GIT release as suggested.. thanks for now

Lukas
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Setting User-Name to host/W400210.interoute.com
Sending tunneled request
	EAP-Message = 0x02f600551a02f6005031725e21a5376765a7fd43620480eb763b6a5b56a2f5eab6d72234ec6efdf4c164d03e9ea01cd22a1400686f73742f573430303231302e696e7465726f7574652e636f6d
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = host/W400210.interoute.com
	State = 0x2f3b45522fcd5ffaf0daaa4d5068ce69
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/W400210.interoute.com, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 246 length 85
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/W400210.interoute.com
[mschap] Told to do MS-CHAPv2 for host/W400210.interoute.com with NT-Password
[mschap] expand: %{mschap:NT-Domain} -> interoute
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-INTEROUTE} -> --domain=interoute
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=W400210$
[mschap] mschap2: d5
[mschap] Creating challenge hash with username: host/W400210.interoute.com
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e0f779583568ced2
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6a5b56a2f5eab6d72234ec6efdf4c164d03e9ea01cd22a14
Exec-Program output: NT_KEY: 7AABD556DB5C9B2B59B26FDDBEF05A7E
Exec-Program-Wait: plaintext: NT_KEY: 7AABD556DB5C9B2B59B26FDDBEF05A7E
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744
	Message-Authenticator = 0x
	State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744
	Message-Authenticator = 0x
	State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 122 to 172.31.183.1 port 2048
	EAP-Message = 0x01f7005b190017030100509b7087b2a112825ea5aa08f802b90731b5f46e59349a2cdedc81a89f4103967283ba2f8990331ecb9ec7535a4f77b110e189f58f6162dbdc9a713a14d562f0f4fa52f6838fccc6a9be5003515e0b1263
	Message-Authenticator = 0x
	State = 0x2e4eb3ac29b9aa99635005e47464e6cc
Finished request 12.
Going to the next request
Waking up in 1.4 seconds.
Cleaning up request 0 ID 110 with timestamp +9
Cleaning up request 1 ID 111 with timestamp +9
Cleaning up request 2 ID 112 with timestamp +9
Cleaning up request 3 ID 113 with timestamp +9
Cleaning up request 4 ID 114 with timestamp +9
WARNING: !!
WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
WARNING: !!
WARNING: !! EAP session for state 0x19e1d7f91e2fcef3 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
lucky79 wrote:
> complete debug here:

If you're not going to read it, then I don't see why you're asking questions here.

The debug output contains instructions for solving the problem. Read it, and follow the instructions.

Alan DeKok.
Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hello everyone,

Is there any progress resolving this issue? I have samba 3.5.6 on FC14 and have the SAME problem as I've had with FC9/10, Freeradius2 and the samba included with the distribution. The problem is I can't roll back to an older Samba version as it does not support a Windows 2008R2 domain.

Also I've got one point: I am running Fedora 8 with freeradius 1, with Samba 3.5.3, and radius is working fine for my wireless clients, but I wanted to use freeradius 2 on newer Fedora distros - can't make it work, spent a lot of time with this and still stuck on the same issue as described above. Anyone has a suggestion pls? (Yes, I have included the XP extensions - the same certificate is working OK with freeradius 1 and samba 3.5.3 on MS clients)

Thanks!
Lukas

MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744
	Message-Authenticator = 0x
	State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744
	Message-Authenticator = 0x
	State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 122 to 172.31.183.1 port 2048
	EAP-Message = 0x01f7005b190017030100509b7087b2a112825ea5aa08f802b90731b5f46e59349a2cdedc81a89f4103967283ba2f8990331ecb9ec7535a4f77b110e189f58f6162dbdc9a713a14d562f0f4fa52f6838fccc6a9be5003515e0b1263
	Message-Authenticator = 0x
	State = 0x2e4eb3ac29b9aa99635005e47464e6cc
Finished request 12.
Going to the next request
Waking up in 1.4 seconds.
Cleaning up request 0 ID 110 with timestamp +9
Cleaning up request 1 ID 111 with timestamp +9
Cleaning up request 2 ID 112 with timestamp +9
Cleaning up request 3 ID 113 with timestamp +9
Cleaning up request 4 ID 114 with timestamp +9
WARNING: !!
WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi,

first off, I don't think this is a SAMBA issue... that's just me though - the SAMBA issue manifests itself in the authentication phase where ntlm_auth blows up (or rather is a damp squib)

> Is there any progress resolving this issue? I have samba 3.5.6 on FC14 and have the SAME problem as I've had with FC9/10, Freeradius2 and the samba included with the distribution. The problem is I can't roll back to an older Samba version as it does not support a Windows 2008R2 domain.

using 3.0.33 with 2008R2 here - I'd be very surprised if anything released after that version didn't work with 2008R2

> WARNING: !!
> WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!

is your config on the new distro the same as that on the old distro? there really is no reason why you can't just clone/copy the configs if it's the same version of FR! I'm wondering if something else hasn't been enabled/checked here. either that or it's pointing to an OpenSSL issue - which would be nice (not)

2.1.11 has some extra tweaks in the PEAP code - might try the GIT release just to check?

alan
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Alan Buxey wrote:
> first off, I don't think this is a SAMBA issue... that's just me though - the SAMBA issue manifests itself in the authentication phase where ntlm_auth blows up (or rather is a damp squib)

Sometimes ntlm_auth returns the *wrong* results, and only the client PC knows that they're wrong. In that case, the same thing happens. The client goes "huh?" and drops the connection part way through.

Alan DeKok.
Re: PEAP - AD Disabled
Hi,

> Isn't the same certificate used in the TLS tunnel for TTLS? Anyhow, it appears to be something to do with the person who configed Samba. They clustered the servers and the privileges changes in /var/cache/samba/winbind_privileged. That directory has been one of the biggest problems we've had so far.

distro package updates will often blat such files - did the server recently get a SAMBA update? if so, then the post-install section changes the permissions of that link directory. everyone in our team here is aware of that - our patch notification system has big warning notices at the top of any update notifications so as to ensure that the yum/up2date/apt-get process doesn't just get done blindly.

alan
PEAP - AD Disabled
Okay, I've had a working config with the following for the past month.

TTLS-LDAP
PEAP-AD
PEAP-Local Users File

After a month running everything perfectly, 3 days ago the "PEAP-AD" portion of the AAA failed. This is for wireless auth. Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config-wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to login via PEAP-AD. Everything else is verified as working.

Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius?

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434
RE: PEAP - AD Disabled
Have you checked the certificate? That's one major difference. ntlm-auth is the auth after the cert conversation in PEAP is done.

Maybe a radiusd -X log to help us along?

From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org On Behalf Of Nathan McDavit-Van Fleet
Sent: Friday, June 25, 2010 8:22 AM
To: 'FreeRadius users mailing list'
Subject: PEAP - AD Disabled

> Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius?
Re: PEAP - AD Disabled
On 25/06/10 14:21, Nathan McDavit-Van Fleet wrote:
> Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius?

Permissions? Including unix perms on the winbind socket, and perhaps SELinux labelling.
RE: PEAP - AD Disabled
Isn't the same certificate used in the TLS tunnel for TTLS?

Anyhow, it appears to be something to do with the person who configed Samba. They clustered the servers and the privileges changes in /var/cache/samba/winbind_privileged. That directory has been one of the biggest problems we've had so far.

Thanks,

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434

-----Original Message-----
From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org On Behalf Of Danner, Mearl
Sent: Friday, June 25, 2010 9:34 AM
To: FreeRadius users mailing list
Subject: RE: PEAP - AD Disabled

> Have you checked the certificate? That's one major difference. ntlm-auth is the auth after the cert conversation in PEAP is done.
>
> Maybe a radiusd -X log to help us along?
RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434

-----Original Message-----
From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org On Behalf Of Nathan McDavit-Van Fleet
Sent: Wednesday, April 14, 2010 9:44 AM
To: 'FreeRadius users mailing list'
Subject: RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD

Sorry Guys,

Here is some sanitized output of the debug. It is what I believe is two attempts, LEAP and PEAP.

Regards,
Nathan Van Fleet

-----Original Message-----
From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org On Behalf Of Garber, Neal
Sent: Tuesday, April 13, 2010 5:55 PM
To: 'FreeRadius users mailing list'
Subject: RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD

> I attached the logs for freeradius -X

The logs you attached just show the startup output, not an actual request that was rejected.
Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
hi,

the error is seen near the bottom

> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for username with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

have you got ...i dunno... 'auto_header = yes' in your pap module?

alan
RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Hi,

I did in fact have that enabled. Should I have it disabled or enabled?

-----Original Message-----
From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org On Behalf Of Alan Buxey
Sent: Wednesday, April 14, 2010 3:00 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD

> have you got ...i dunno... 'auto_header = yes' in your pap module?
RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Here is the log for it without auto header.

Regards,
-Nathan

++- elsif (outer.NAS-IP-Address == 132.205.198.43) returns ok
...
++ skipping elsif for request 30: Preceding if was taken
...
++ skipping elsif for request 30: Preceding if was taken
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!! Please update your configuration so that the known good
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nmcdavit with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [nmcdavit] (from client wireless-lwapp-bench-wlc port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = \tE=691 R=1
	EAP-Message = 0x04090004
	Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = \tE=691 R=1
	EAP-Message = 0x04090004
	Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 55 to 132.205.198.43 port 32770
	EAP-Message = 0x010a002b190017030100207df23a230dcaee583fabd44fedb5cc15e276675fa5d9a5ad2720eb869a812361
	Message-Authenticator = 0x
	State = 0x1e032ffe160936d2d9627494ce41a8f0
Finished request 30.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 132.205.198.43 port 32770, id=56, length=233
	User-Name = nmcdavit
	Calling-Station-Id = 00-26-08-E8-67-42
	Called-Station-Id = 00-24-97-F2-89-40:ConcordiaPEAP
	NAS-Port = 5
	NAS-IP-Address = 132.205.198.43
	NAS-Identifier = bench-wlc
	Airespace-Wlan-Id = 10
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 268
	EAP-Message = 0x020a002b19001703010020ebc4657c1bed6e0a992ffc4f1dd2ca5ede4739fd6dd2d73825bb6feb5cdd96ab
	State = 0x1e032ffe160936d2d9627494ce41a8f0
	Message-Authenticator = 0xf0b7d88f63be8bdd1b466c976efdf519
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = nmcdavit, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [nmcdavit] (from client wireless-lwapp-bench-wlc port 5 cli 00-26-08-E8-67-42)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> nmcdavit
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Hi,

> Here is the log for it without auto header.

> !!!
> !!! Replacing User-Password in config items with Cleartext-Password.
> !!!
> !!! Please update your configuration so that the known good
> !!! clear text password is in Cleartext-Password, and not in User-Password.
> !!!

map Cleartext-Password to the attribute in LDAP - been following a FR 1.x guide?

alan
Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Hello,

I'm trying to get Freeradius 2.1.7 working on Redhat. I had previously gotten PEAP working with ntlm_auth using the walk-through on deployingradius.com on a Debian machine. However, it was version 2.0.7, so things have changed quite a bit in the config files.

In the new walkthrough I noticed that the ntlm_auth definition is supposed to be its own module, even though there is still the commented-out example inside the mschap module. The new walkthrough does not mention modifying the mschap module at all, so I wonder which place I should have the config. I tried with it just in mschap, just in its own module, and both. So far I have not been successful in enabling the AD feature on my server.

I tested ntlm_auth directly and it works perfectly. Samba and everything else is all good; I got TTLS and the users file authenticating well as well (so my cert is good and TLS is good). So it appears as if I'm missing something in my Freeradius configs that specifically has to do with PEAP/MSCHAP/AD.

Thanks,
-Nathan
Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Hi,

> I tested ntlm_auth directly and it works perfectly. Samba and everything else is all good, I got TTLS and the users files authenticating well as well (so my cert is good and TLS is good). So it appears as if I'm missing something in my Freeradius configs that specifically has to do with PEAP/MSCHAP/AD.

radiusd -X ?

alan
RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
I attached the logs for freeradius -X

-----Original Message-----
From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org On Behalf Of Alan Buxey
Sent: Tuesday, April 13, 2010 1:55 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD

> radiusd -X ?

FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30 2009 at 13:47:58
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
I attached the logs for freeradius -X

The logs you attached just show the startup output, not an actual request that was rejected.
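As an added example (not part of the thread, and not code from the FreeRADIUS project): a small shell triage for a radiusd -X capture. It separates the startup-only case Alan points out from a capture that actually contains a request, and when it does, pulls out the final packet type and the module that rejected. The log lines are constructed for the example in the 2.x debug format; the host, port and request ids are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: triage a captured "radiusd -X" log.
# A capture that holds only the banner and "including configuration file"
# lines says nothing about why a user was rejected. The useful part begins
# at "rad_recv:" (a packet arrived) and ends at "Sending Access-Accept",
# "Sending Access-Reject" or "Sending Access-Challenge"; in between, each
# "++[module] returns ..." line shows which module decided the outcome.

# Constructed sample log in the FreeRADIUS 2.x debug format: a startup
# banner followed by one PEAP/MSCHAPv2 inner request that is rejected.
SAMPLE_LOG='FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
Ready to process requests.
rad_recv: Access-Request packet from host 10.6.0.86 port 1645, id=130, length=200
        User-Name = "lukas"
[mschap] Creating MS-CHAPv2 challenge
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Handler failed in EAP/mschapv2
Sending Access-Reject of id 130 to 10.6.0.86 port 1645
Finished request 7.'

# Startup-only capture, like the one Alan is answering above (constructed).
STARTUP_ONLY_LOG='FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf'

# count_requests FILE: number of packets the server received (0 = startup only).
count_requests() {
    grep -c '^rad_recv: ' "$1" || true
}

# verdicts FILE: the final packet type sent for each request, one per line.
verdicts() {
    sed -nE 's/^Sending (Access-[A-Za-z]+) of id .*/\1/p' "$1"
}

# failing_modules FILE: modules whose return code ends the request badly.
failing_modules() {
    sed -nE 's/^[+][+]\[([A-Za-z0-9_-]+)\] returns (fail|reject|invalid|notfound).*/\1/p' "$1"
}

# triage FILE: print a one-screen summary; return 1 when there is no request
# to analyse, so the caller knows to ask for a capture of a real login.
triage() {
    n=$(count_requests "$1")
    if [ "$n" -eq 0 ]; then
        echo "only startup output: no rad_recv lines, capture a real login attempt"
        return 1
    fi
    echo "packets received: $n"
    echo "final packets sent: $(verdicts "$1" | tr '\n' ' ')"
    echo "modules that failed/rejected: $(failing_modules "$1" | tr '\n' ' ')"
    # The module-level lines for the EAP/MSCHAP path are usually the ones
    # that explain the verdict; print them verbatim.
    grep -E '^\[(eap|mschap|mschapv2|ntlm_auth|ldap|peap)\]' "$1" || true
    return 0
}

# Stand-alone demonstration against both constructed captures.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
triage "$tmp"
printf '%s\n' "$STARTUP_ONLY_LOG" > "$tmp"
triage "$tmp" || echo "(ask the poster for a debug capture of an actual request)"
rm -f "$tmp"
```

Run it as `sh triage.sh`; to use it on a real capture, replace the two constructed logs with `radiusd -X > debug.log 2>&1` output and call `triage debug.log`. The patterns only match the 2.x debug layout shown in this thread.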
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8. I'll have to try it with the old version of samba. I'll post back if it works.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Friday, February 13, 2009 4:18 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Mike Loosbrock wrote:
Check the versions of your samba packages. I'm running Debian and the exact same FreeRADIUS configuration works with 3.0.24 (stable) but fails with 3.2.5 (testing). The failure is such that the mschap module returns success, but the very last EAP-MSCHAPv2 challenge sent by the server causes the supplicant (both Windows and OSX) to bail. There's apparently something wrong with the NT_KEY returned by ntlm_auth...

Ouch. Samba 3.2.8 is out, so that might fix the issue. If not, we'll have to raise it as a bug with the Samba people.

Alan DeKok.
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Ok I can confirm it now. I went back to samba 3.0.34 on my Fedora 10 machine and it now works. It's definitely a samba 3.2 issue.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Monday, February 16, 2009 11:04 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Hi,

Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8. I'll have to try it with the old version of samba. I'll post back if it works.

is this a confirmation that ntlm_auth doesn't work with samba 3.2.8 and, therefore, with FC10 ?

alan
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Both Fedora 9 and 10. Fedora jumped up to the samba 3.2 line with version 9. If you want it to work in 9 or 10 you have to use an older version of samba.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Monday, February 16, 2009 11:04 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Hi,

Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8. I'll have to try it with the old version of samba. I'll post back if it works.

is this a confirmation that ntlm_auth doesn't work with samba 3.2.8 and, therefore, with FC10 ?

alan
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
On Feb 12, 2009, at 8:06 PM, Casartello, Thomas wrote:

I have exactly the same problem with Fedora 9 and 10 only. It works perfectly fine in Fedora 8 with the exact same configuration. I have spent hours trying to fix this, and could not figure it out.

Check the versions of your samba packages. I'm running Debian and the exact same FreeRADIUS configuration works with 3.0.24 (stable) but fails with 3.2.5 (testing). The failure is such that the mschap module returns success, but the very last EAP-MSCHAPv2 challenge sent by the server causes the supplicant (both Windows and OSX) to bail. There's apparently something wrong with the NT_KEY returned by ntlm_auth...

Mike Loosbrock
Bethel University Network Services
651-638-6723
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Mike Loosbrock wrote:
Check the versions of your samba packages. I'm running Debian and the exact same FreeRADIUS configuration works with 3.0.24 (stable) but fails with 3.2.5 (testing). The failure is such that the mschap module returns success, but the very last EAP-MSCHAPv2 challenge sent by the server causes the supplicant (both Windows and OSX) to bail. There's apparently something wrong with the NT_KEY returned by ntlm_auth...

Ouch. Samba 3.2.8 is out, so that might fix the issue. If not, we'll have to raise it as a bug with the Samba people.

Alan DeKok.
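As an added example, not from the thread and not code from the FreeRADIUS or Samba projects: a shell check for the ntlm_auth output that rlm_mschap consumes. It is the first thing to run when, as Mike and Alan describe, mschap returns success but the supplicant aborts on the final EAP-MSCHAPv2 exchange, because that symptom is what a missing or malformed NT_KEY looks like from the client side. The sample outputs are constructed; the domain, user and password in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check what ntlm_auth hands back to
# rlm_mschap. The mschap module runs ntlm_auth with --request-nt-key and
# reads a line of the form "NT_KEY: <32 hex digits>" (the user's 16-byte NT
# hash) from its output; it needs that key to build the MS-CHAPv2 success
# response and the MPPE keys. A reply that passes the password check but
# carries a missing or malformed NT_KEY is exactly the case where mschap
# reports success and the supplicant still aborts the last EAP-MSCHAPv2 step.
#
# Manual test against a real domain (placeholder values, not a command
# taken from the thread):
#   ntlm_auth --request-nt-key --domain=EXAMPLE --username=lukas --password=secret

# check_nt_key: read ntlm_auth's output on stdin. Return 0 and print the key
# only if the status line is NT_STATUS_OK and NT_KEY is exactly 32 hex digits.
check_nt_key() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^NT_STATUS_OK:'; then
        echo "authentication failed: $(printf '%s\n' "$out" | head -n 1)" >&2
        return 1
    fi
    key=$(printf '%s\n' "$out" | sed -nE 's/^NT_KEY: ([0-9A-Fa-f]+)[[:space:]]*$/\1/p' | head -n 1)
    case "$key" in
        "")
            echo "no well-formed NT_KEY line in output" >&2
            return 2 ;;
        ????????????????????????????????)
            printf '%s\n' "$key"
            return 0 ;;
        *)
            echo "NT_KEY has ${#key} hex digits, expected 32" >&2
            return 3 ;;
    esac
}

# Constructed samples of ntlm_auth output. The good key is the NT hash of
# the string "password", so it is recognisable if you compare it yourself.
GOOD_OUTPUT='NT_STATUS_OK: Success (0x0)
NT_KEY: 8846F7EAEE8FB117AD06BDD830B7586C'
SHORT_KEY_OUTPUT='NT_STATUS_OK: Success (0x0)
NT_KEY: 8846F7EAEE8FB117'
WRONG_PASSWORD_OUTPUT='NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'

# Stand-alone demonstration.
for sample in "$GOOD_OUTPUT" "$SHORT_KEY_OUTPUT" "$WRONG_PASSWORD_OUTPUT"; do
    if printf '%s\n' "$sample" | check_nt_key; then
        echo "usable NT_KEY"
    else
        echo "rejected"
    fi
done
```

On a live box, pipe the real command into the function (`ntlm_auth --request-nt-key ... | check_nt_key`) as the radiusd user, so winbind permissions on the privileged pipe directory are tested at the same time. A key that passes here but still breaks the client points at the server-side key derivation rather than at Samba.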
Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi, I configured Freeradius 2.1.3 as described in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work. Here is the debug output:

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/radius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /var/run/radiusd/radiusd.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
client 10.6.0.0/16 {
	require_message_authenticator = no
	secret = secret
	shortname = cisco
}
client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = testing123
	nastype = other
}
radiusd: Loading Realms and Home Servers
proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
}
home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = auth
	secret = testing123
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = status-server
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
}
home_server_pool
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
andrey.trubni...@unicreditgroup.ru wrote:
Hi I configure Freeradius 2.1.3 how it describes in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work.
...
Sending Access-Challenge of id 130 to 10.6.0.86 port 1645
	EAP-Message = 0x010a004a1900170301003f7201bd50ad95ad02eed7b8c10e950ce1d0858a8d2e64401635f1f270813682833ee111b5a1eb2db22fd25daf6a8fea82236d0ff920182b9e3325150deefeeb
	Message-Authenticator = 0x
	State = 0x9c8a80f59b809961300b089b526f445b
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 123 with timestamp +51

Read eap.conf. Complete documentation is there.

Alan DeKok.
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
I have exactly the same problem with Fedora 9 and 10 only. It works perfectly fine in Fedora 8 with the exact same configuration. I have spent hours trying to fix this, and could not figure it out.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org On Behalf Of andrey.trubni...@unicreditgroup.ru
Sent: Thursday, February 12, 2009 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Hi I configure Freeradius 2.1.3 how it describes in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work. here is debug output:

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08
Re: freeradius -peap ad/ldap
Sam Schultz wrote:
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file:

DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization and authentication method. This could also be set on a per-user basis by changing DEFAULT to a given user's username.

so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this, clearly an access-reject follows.

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

obviously there is a module called eap..else the daemon would not start... what do you think?

Joe
RE: Re: freeradius -peap ad/ldap
DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this, clearly an access-reject follows.

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf clearly states: Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough to figure this out on its own.

Typical modules that would be used here are things like 'files', 'ldap', or 'sql'. There are also special types like 'Local' and 'System', which you'd have to use one of if you were using an sql table to store user credentials.

The second thing you have to understand is the difference between modules and instances. An instance is a specific configuration of a module. The instance itself has a name that is user-specified.

I suggest you read through the configurable_failover document, which is usually in /usr/share/doc/freeradius-version, it isn't long and offers pretty good insight into how freeradius' configuration gets processed.

Also, if you need to use a separate back-end for authentication, maybe you should tell us what you need to use so we can give you more specific answers.
Re: freeradius -peap ad/ldap
Sam Schultz wrote:
DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this, clearly an access-reject follows.

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf clearly states: Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough to figure this out on its own.

Typical modules that would be used here are things like 'files', 'ldap', or 'sql'. There are also special types like 'Local' and 'System', which you'd have to use one of if you were using an sql table to store user credentials.

The second thing you have to understand is the difference between modules and instances. An instance is a specific configuration of a module. The instance itself has a name that is user-specified.

I suggest you read through the configurable_failover document, which is usually in /usr/share/doc/freeradius-version, it isn't long and offers pretty good insight into how freeradius' configuration gets processed.

Also, if you need to use a separate back-end for authentication, maybe you should tell us what you need to use so we can give you more specific answers.

reference the initial thread where i said i was authenticating off of active directories, using eap-peap. which i had previously working just fine. Since i didn't specify an instance name in my eap.conf, it is referenced as 'eap' (which i did read, but was following your advice).

Joe
Re: freeradius -peap ad/ldap
reference the initial thread where i said i was authenticating off of active directories, using eap-peap. which i had previously working just fine. Since i didn't specify an instance name in my eap.conf, it is referenced as 'eap' (which i did read, but was following your advice).

Once you configure the eap module, it tends to take care of itself. Setting Auth-Type and Autz-Type are for when you want to force a user (or all users, as with DEFAULT entries) to be authorized and authenticated by the respective modules. If you're purely using ldap for authorization and authentication, you wouldn't/shouldn't need to set either one. I know in my case I had to set access_attr_used_for_allow to 'no' because I wasn't using the ldap schema extension packaged with freeradius.

Joe
freeradius -peap ad/ldap
Hi all,

I'm using the RHEL build of freeradius 1.0.1. I'm trying to do something that might seem totally stupid, so let me know if i am (no need to flame). I'm new to freeradius so bear with me a bit.

i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

ideas?

Joe Vieira
UNIX Systems Administrator
Clark University
Re: freeradius -peap ad/ldap
On Thu, 15 Mar 2007 10:16:14 -0500 joe vieira [EMAIL PROTECTED] wrote:

Hi all, I'm using the RHEL build of freeradius 1.0.1. I'm trying to do

You really should upgrade that. If I recall correctly, there were some nasty bugs in the early 1.0.x builds.

something that might seem totally stupid, so let me know if i am (no need to flame). I'm new to freeradius so bear with me a bit.

We were all new at some point, some people just forget that :)

i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want.. ideas?

You could try using one of the SQL modules. Unlike ldap, the sql modules only retrieve attributes from an sql table, and sets the attributes for use by later modules (or freeradius, if the 'Auth-Type := Local' has been set)

Joe Vieira
UNIX Systems Administrator
Clark University
Re: freeradius -peap ad/ldap
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius -peap ad/ldap
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?
Re: freeradius -peap ad/ldap
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file:

DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization and authentication method. This could also be set on a per-user basis by changing DEFAULT to a given user's username.
RE: PEAP + AD
If you read the FAQ it says that you can't do CHAP with LDAP.

[speculation] But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the ldap schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes. [/end speculation]

In my attempts to use ldap with active directory for PEAP it wouldn't work, so I went samba. It works fine. Radiusd -X and the mailing list are your best friends. :)

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Kartthik Raghunathan
Sent: Thursday, May 25, 2006 12:17 AM
To: freeradius-users@lists.freeradius.org
Subject: PEAP + AD

Am trying to authenticate my windows supplicant (ie. XP with sp2) with peap against the windows 2000 AD. But in the error log i could see Accept-Reject error message. So i need a clarification here, is it necessary to get samba on with active directory to do PEAP + AD authentication. sorry for silly q? here !
Re: PEAP + AD
Kartthik Raghunathan [EMAIL PROTECTED] wrote:
Am trying to authenticate my windows supplicant (ie. XP with sp2) with peap against the windows 2000 AD. But in the error log i could see Accept-Reject error message. So i need a clarification here, is't necessary to get samba on with active directory to do PEAP + AD authentication.

No. Read radiusd.conf for how to integrate FreeRADIUS with AD. Look for domain controller.

Alan DeKok.
Re: PEAP + AD
Chris Liles [EMAIL PROTECTED] wrote:
But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the ldap schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.

Yes. There are hooks in AD to do just that, but the software implementing the hooks has to be installed on every domain controller.

In my attempts to use ldap with active directory for PEAP it wouldn't work, so I went samba. It works fine. Radiusd -X and the mailing list are your best friends. :)

AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

Alan DeKok.
RE: PEAP + AD
AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

That is right, I forgot that even if you are on a ssl/tls ldap connection as an administrator, you can't pull the password back from AD. What hooks are you talking about? The extensions for unix services?

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 25, 2006 11:36 AM
To: FreeRadius users mailing list
Subject: Re: PEAP + AD

Chris Liles [EMAIL PROTECTED] wrote:
But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the ldap schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.

Yes. There are hooks in AD to do just that, but the software implementing the hooks has to be installed on every domain controller.

In my attempts to use ldap with active directory for PEAP it wouldn't work, so I went samba. It works fine. Radiusd -X and the mailing list are your best friends. :)

AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

Alan DeKok.
Re: PEAP + AD
Chris Liles [EMAIL PROTECTED] wrote:
What hooks are you talking about? The extensions for unix services?

No. There are API's in Windows to catch password changes, and pass them through your own code. That code can then *also* write the password to a different part of the AD schema.

For this to work, it requires:
- someone to understand and write the code
- the code to run on *every* member of an AD forest
- the AD schema to be updated to include the new ntpassword attribute
- AD ACL's put in place to limit access to that attribute to FreeRADIUS
- FreeRADIUS to be configured to look for that attribute.

It shouldn't be hard, but convincing admins to change their AD schema, and run third-party code on their DC's is often hard.

Alan DeKok.