HELP: Windows IAS / FreeRADIUS Proxy problem
Can anybody help please?

We use a FreeRADIUS proxy for authenticating DSpace with MS AD via MS IAS. Our ITNS team have just rebuilt the IAS server after it suffered a hardware failure, and since the rebuild it is now rejecting FreeRADIUS proxy requests. IAS will still respond to my Moodle PHP RADIUS authentication module, but since the rebuild it is rejecting authentication requests from the FreeRADIUS proxy (yes, the new shared secret is correct and I'm logging on with the same id to both systems :). I'm using MSCHAP for authentication with FreeRADIUS.

I am wondering if the problem could be to do with http://technet.microsoft.com/en-us/library/cc786978.aspx#BKMK_5 ?

Comments/suggestions very gratefully received :)))

Thanks

Clive

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius as a proxy to Windows IAS - reserved characters in shared secret?
Hi

I've just been doing some research on the net and found this link on the GNU radius client reference page: http://www.gnu.org/software/radius/manual/html_chapter/radius_13.html#SEC262

It looks as if the radtest client has reserved characters. Does anyone know if this applies to shared secrets with the Freeradius server as well?

Thanks

Clive
Re: Freeradius as a proxy to Windows IAS - reserved characters in shared secret?
Hi

Thanks once again for all the advice :-)

Does anyone know if there are some characters that are reserved, i.e. cannot be used in secret keys with a freeradius server? If so, what are they?

I've been experimenting with the radtest client and the freeradius server using local unix validation with interesting results.

1) If I use a secret key (16+ characters and the same key in both the radtest client and freeradius clients.conf) that contains pure alpha characters, the key is accepted and authorisation is successful.

2) If I use a secret key (similar to the one set on the IAS server) containing characters such as $\[ then the key is rejected and authorisation is unsuccessful. I have tried enclosing the key in single and double quotes, but the key is still rejected.

Hopefully getting nearer to a solution...

Thanks very much

Clive
Re[2]: Freeradius as a proxy to Windows IAS - reserved
Brilliant, thanks Claudiu :-)))

Putting the shared secret in single quotes 'se\cret' in radclient and in double quotes with the backslash escaped in clients.conf and proxy.conf se\\cret worked fine with the radtest, and what's more this now works too:

Linux VLE --- FreeRadius --- Microsoft IAS

Thank-you !!!

Clive

Message: 5
Date: Wed, 1 Aug 2007 13:26:35 +0300
From: Claudiu Filip [EMAIL PROTECTED]
Subject: Re[2]: Freeradius as a proxy to Windows IAS - reserved characters in shared secret?
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Hi clive,

Wednesday, August 1, 2007, 11:10:41 AM, you wrote:

> 2) If I use a secret key (similar to the one set on the IAS server) containing characters such as $\[ then the key is rejected and

Character Escape from Alcatraz, a classic movie with Clint Eastwood..

Be careful with character escaping and bash cli (always use single quotes to pass to radtest what you want). Also avoid ${foo} as a secret.

  client 127.0.0.1 { secret = \044{prefix} }
  radtest gigi kent 127.0.0.1 1 '/radiusd'      = OK!! ($prefix = /radiusd)

  client 127.0.0.1 { secret = \\testing123 }
  radtest gigi kent 127.0.0.1 1 '\testing123'   = OK
  radtest gigi kent 127.0.0.1 1 \testing123     = OK (because bash does not expand \t)
  radtest gigi kent 127.0.0.1 1 \\testing123    = OK (because bash expands \\t to \t)
  radtest gigi kent 127.0.0.1 1 '\\testing123'  = NOT ok

  client 127.0.0.1 { secret = $\[ }
  radtest gigi kent 127.0.0.1 1 '$['            = OK

  client 127.0.0.1 { secret = $\\[ }
  radtest gigi kent 127.0.0.1 1 '$\['           = OK

Have fun!
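To make the radtest/clients.conf pairs above concrete, here is an added Python example (not code from FreeRADIUS or from anyone on this thread). It decodes a clients.conf secret value with the backslash rules those examples exhibit (\\ to a single backslash, \NNN octal to that byte, any other escaped character keeping only the character) and compares the result with what a POSIX shell actually hands radtest for a given command-line word. The escape model is an approximation fitted to the cases in the post, not the FreeRADIUS parser itself, and it does not model ${...} config-variable expansion, so the \044{prefix} case is only decoded, not matched.

```python
import re
import shlex

_OCTAL = re.compile(r"\\([0-7]{1,3})")


def unescape_config_secret(raw: str) -> str:
    r"""Decode a clients.conf `secret = ...` value as typed.

    Rules modelled (an approximation fitted to the cases in the post):
    \\   -> a single backslash
    \NNN -> the byte with that octal value (so \044 is '$')
    \n \t \r \" -> the usual control / quote characters
    \x   -> x for any other character (the backslash is dropped, so \[ is '[')
    """
    simple = {"\\": "\\", "n": "\n", "t": "\t", "r": "\r", '"': '"'}
    out = []
    i = 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i])
            i += 1
            continue
        m = _OCTAL.match(raw, i)          # octal escape such as \044
        if m:
            out.append(chr(int(m.group(1), 8)))
            i = m.end()
            continue
        if i + 1 == len(raw):             # trailing lone backslash: keep it
            out.append("\\")
            break
        nxt = raw[i + 1]
        out.append(simple.get(nxt, nxt))
        i += 2
    return "".join(out)


def shell_word_value(word: str) -> str:
    """The argument a POSIX shell (bash) passes to radtest for one command-line word."""
    parts = shlex.split(word, posix=True)
    return parts[0] if parts else ""


def secrets_agree(config_value: str, shell_word: str) -> bool:
    """True when the server's decoded secret equals the bytes radtest received."""
    return unescape_config_secret(config_value) == shell_word_value(shell_word)


# The radtest / clients.conf pairs from the post: (config value as typed, shell word as typed)
CASES = [
    (r"\\testing123", r"'\testing123'"),
    (r"\\testing123", r"\\testing123"),
    (r"\\testing123", r"'\\testing123'"),
    (r"$\[", r"'$['"),
    (r"$\\[", r"'$\['"),
]


def check_cases(cases=CASES):
    """Return (config value, shell word, agree?) for each pair."""
    return [(cfg, sh, secrets_agree(cfg, sh)) for cfg, sh in cases]


if __name__ == "__main__":
    for cfg, sh, ok in check_cases():
        print(f"secret = {cfg:<14} radtest ... {sh:<16} -> {'OK' if ok else 'NOT ok'}")
```

The third pair reproduces the one "NOT ok" line: single quotes stop bash from collapsing \\ to \, so radtest sends two backslashes while the server decoded its config value to one.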
Re: Freeradius as a proxy to Windows IAS
Hi

Thanks for the replies to my posting yesterday. Perhaps I can explain the situation more clearly.

My goal is to authenticate login to the digital repository DSpace against a Windows IAS server. I do not have physical access to the IAS server and cannot change its shared secret. So far I have been unable to successfully authenticate DSpace directly against the remote IAS server.

As a result of this I came up with the idea of setting up a Freeradius proxy server running on the same Linux box as DSpace, which would act as a proxy to the remote IAS server for authentication purposes, in the hope that this would work. I have been able to successfully validate login to Dspace against the FreeRADIUS server when authentication is carried out against the unix account files /etc/passwd and /etc/shadow on the local machine. However, I have been unsuccessful in validating DSpace login against the IAS server with Freeradius acting as a proxy.

We also use the Moodle VLE running on the same Linux box as DSpace and Freeradius, which has been using a PHP module to successfully validate against the IAS server using the mschapv2 protocol for several years. As part of debugging I decided to try pointing Moodle at the Freeradius proxy instead of directly at IAS. I append the log trace resulting from this below.

Dspace, Moodle and Freeradius are on 10.200.0.14
Windows IAS is on 10.200.0.2

It suggests to me that the shared secrets are wrong, but I've double checked them and they are identical. Any suggestions very gratefully received :-)

Thanks very much

Clive

  [EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -sfxxyz -l stdout radlog
  [EMAIL PROTECTED] raddb]# cat radlog
  Starting - reading configuration files ...
  reread_config: reading radiusd.conf
  Config: including file: /etc/raddb/proxy.conf
  Config: including file: /etc/raddb/clients.conf
  Config: including file: /etc/raddb/snmp.conf
  Config: including file: /etc/raddb/eap.conf
  Config: including file: /etc/raddb/sql.conf
  main: prefix = /usr
  main: localstatedir = /var
  main: logdir = /var/log/radius
  main: libdir = /usr/lib
  main: radacctdir = /var/log/radius/radacct
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = /var/log/radius/radius.log
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = /var/run/radiusd/radiusd.pid
  main: bind_address = 10.200.0.14 IP address [10.200.0.14]
  main: user = radiusd
  main: group = radiusd
  main: usercollide = no
  main: lower_user = no
  main: lower_pass = no
  main: nospace_user = no
  main: nospace_pass = no
  main: checkrad = /usr/sbin/checkrad
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
  read_config_files: reading dictionary
  read_config_files: reading naslist
  Using deprecated naslist file. Support for this will go away soon.
  read_config_files: reading clients
  read_config_files: reading realms
  radiusd: entering modules setup
  Module: Library search path is /usr/lib
  Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
  rlm_exec: Wait=yes but no output defined. Did you mean output=none?
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded System
  unix: cache = no
  unix: passwd = (null)
  unix: shadow = /etc/shadow
  unix: group = (null)
  unix: radwtmp = /var/log/radius/radwtmp
  unix: usegroup = no
  unix: cache_reload = 600
  Module: Instantiated unix (unix)
  Module: Loaded preprocess
  preprocess: huntgroups = /etc/raddb/huntgroups
  preprocess: hints = /etc/raddb/hints
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  Module: Instantiated preprocess (preprocess)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = yes
  mschap: with_ntdomain_hack = yes
  mschap: passwd = (null)
  mschap: authtype = MS-CHAP
  mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
  Module: Instantiated mschap (mschap)
  Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
  realm: ignore_default = no
  realm: ignore_null =
Re: Freeradius as a proxy to Windows IAS (Peter Nixon)
Hi Peter

Thanks for the prompt reply. The Windows IAS server is working fine and I have been successfully authenticating against it using Moodle/PHP on the Linux server for several years. I've put the Freeradius server in between Moodle and IAS purely to test out my proxying configuration, and then authentication fails despite the shared secrets being identical.

This is the response from the IAS server (10.200.0.2) as received by the Freeradius acting as a proxy:

  Waking up in 6 seconds...
  rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=236
  Received Access-Accept packet from 10.200.0.2:1812 with invalid signature (err=2)! (Shared secret is incorrect.)
  Server rejecting request 0.

Are there any characters (e.g. \) which must not be used in a shared secret with a Freeradius server?

Best wishes

Clive

> On Tue 31 Jul 2007, Clive Gould wrote:
> > Hi
> >
> > Thanks for the replies to my posting yesterday. Perhaps I can explain the situation more clearly.
> >
> > My goal is to authenticate login to the digital repository DSpace against a Windows IAS server. I do not have physical access to the IAS server and cannot change its shared secret. So far I have been unable to successfully authenticate DSpace directly against the remote IAS server.
>
> Well, I would suggest you solve this problem first.
>
> > As a result of this I came up with the idea of setting up a Freeradius proxy server running on the same Linux box as DSpace, which would act as a proxy to the remote IAS server for authentication purposes, in the hope that this would work.
>
> FreeRADIUS is not magic... Fix the IAS server and the FreeRADIUS bit should just work..
>
> --
Re: Freeradius as a proxy to Windows IAS - Solved!
Hi everyone

Please ignore my postings about problems with IAS authentication. I have just read this in the FAQ: FreeRADIUS is limited to 16 characters for the shared secret. The shared secret on our IAS server is 25 characters long :-(

Thanks anyway

Clive
Re: Freeradius as a proxy to Windows IAS - not solved after all :-(
Hi everyone

Thanks for all the help and advice so far :-)

I have installed freeradius 1.1.7 and get the appended message when I try to use it as a proxy between a Linux/Moodle/PHP radius client and a Windows IAS server. The shared secrets are definitely the same. The Linux/Moodle/PHP radius client authenticates directly with the Windows IAS server without any problems, but it will not authenticate with the freeradius proxy in between! I need a working freeradius proxy. Help...

Clive

  Sending Access-Request of id 0 to 10.200.0.2 port 1812
          NAS-Identifier = vle.bromley.ac.uk
          NAS-Port-Type = Virtual
          Service-Type = Framed-User
          Framed-Protocol = PPP
          Calling-Station-Id = 127.0.0.1
          User-Name = [EMAIL PROTECTED]
          MS-CHAP2-Response = removed from message
          MS-CHAP-Challenge = removed from message
          NAS-IP-Address = 10.200.0.14
          Proxy-State = 0x3832
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=235
  Received Access-Accept packet from client 10.200.0.2 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
  Dropping packet without response.
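The "invalid signature (err=2)" line in the trace above is the Response Authenticator check of RFC 2865 section 3 failing: a reply's authenticator is MD5 over the reply header, the Request Authenticator of the matching request, the reply attributes and the shared secret, so a proxy holding even one different byte of secret (for example a backslash kept where the other side dropped it) rejects an otherwise genuine Access-Accept. The Python below is an added example, not FreeRADIUS code, that builds a constructed Access-Accept with one secret and then verifies it with the same secret, with a secret that differs only in how a backslash was escaped, with the wrong Request Authenticator, and with a constructed 25-character secret. All packet bytes and secrets here are made up.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def attribute(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a reply whose authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)   (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a proxy or NAS performs on a reply.  False is the condition FreeRADIUS
    reports as 'invalid signature (err=2)! (Shared secret is incorrect.)'."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):          # truncated or padded datagram
        return False
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed sample exchange: request id 0, a fixed (not random) Request Authenticator,
# and an Access-Accept carrying a single Reply-Message (type 18) attribute.
REQUEST_AUTH = bytes(range(16))
REPLY_ATTRS = attribute(18, b"constructed reply")


def demo() -> dict:
    server_secret = b"se\\cret"        # server side configured as se\cret
    proxy_secret = b"se\\\\cret"        # proxy side that kept the escape: se\\cret
    long_secret = b"x" * 25             # constructed 25-character secret
    reply = build_reply(ACCESS_ACCEPT, 0, REQUEST_AUTH, REPLY_ATTRS, server_secret)
    return {
        "same_secret": verify_reply(reply, REQUEST_AUTH, server_secret),
        "escape_differs": verify_reply(reply, REQUEST_AUTH, proxy_secret),
        "wrong_request_auth": verify_reply(reply, b"\x00" * 16, server_secret),
        "long_secret": verify_reply(
            build_reply(ACCESS_ACCEPT, 0, REQUEST_AUTH, REPLY_ATTRS, long_secret),
            REQUEST_AUTH, long_secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:<20} {'valid' if ok else 'invalid signature (err=2)'}")
```

The 25-character case shows that the authenticator computation itself places no limit on secret length; whether a particular server build accepts a secret that long is a separate matter from the protocol check.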
FreeRADIUS as proxy to Windows IAS
Hi

I'd be grateful to hear from anyone out there who has got Freeradius (on a Linux box) running as a proxy server successfully validating usernames and passwords against a Windows IAS server using the MSChapv2 protocol. I have the Freeradius server up and running on CentOS 4.5, but can't get it to validate against the IAS server successfully.

Please feel free to contact me off list.

Thanks in advance.

Clive