HELP: Windows IAS / FreeRADIUS Proxy problem

2008-11-22 Thread clive gould
Can anybody help please?

We use a FreeRADIUS proxy for authenticating DSpace with MS AD via MS IAS

Our ITNS team have just rebuilt the IAS server after it suffered a
hardware failure, and since the rebuild it is now rejecting
FreeRADIUS proxy requests. IAS will still respond to my Moodle PHP
RADIUS authentication module, but since the rebuild is rejecting
authentication requests from the FreeRADIUS proxy (yes the new shared
secret is correct and I'm logging on with the same id to
both systems :)

I'm using MSCHAP for authentication with FreeRADIUS.

I am wondering if the problem could be to do with
http://technet.microsoft.com/en-us/library/cc786978.aspx#BKMK_5 ?

Comments/suggestions very gratefully received :)))

Thanks

Clive
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius as a proxy to Windows IAS - reserved characters in shared secret?

2007-08-01 Thread clive gould
Hi

I've just been doing some research on the net and found this link on
the GNU radius client reference page:

http://www.gnu.org/software/radius/manual/html_chapter/radius_13.html#SEC262

It looks as if the radtest client has reserved characters.

Does anyone know if this applies to shared secrets with the Freeradius
server as well???

Thanks

Clive


Re: Freeradius as a proxy to Windows IAS - reserved characters in shared secret?

2007-08-01 Thread clive gould
Hi

Thanks once again for all the advice :-)

Does anyone know if there are some characters that are reserved, i.e. cannot
be used in secret keys with a freeradius server. If so what are they?

I've been experimenting with the radtest client and the freeradius
server using local unix validation with interesting results.

1) If I use a secret key (16+ characters and the same key in both the
radtest client and freeradius clients.conf) that contains pure alpha
characters the key is accepted and authorisation is successful.

2) If I use a secret key (similar to the one set on the IAS server)
containing characters such as $\[ then the key is rejected and
authorisation is unsuccessful. I have tried enclosing the key in
single and double quotes, but the key is still rejected.

Hopefully getting nearer to a solution...

Thanks very much

Clive


Re[2]: Freeradius as a proxy to Windows IAS - reserved

2007-08-01 Thread clive gould
Brilliant Thanks Claudia :-)))

Putting the shared secret in single quotes

'se\cret'

in radclient and in double quotes with the backslash escaped in
clients.conf and proxy.conf

se\\cret

worked fine with the radtest and what's more this now works too:

Linux VLE ---> FreeRadius ---> Microsoft IAS

Thank-you !!!

Clive



Message: 5
Date: Wed, 1 Aug 2007 13:26:35 +0300
From: Claudiu Filip [EMAIL PROTECTED]
Subject: Re[2]: Freeradius as a proxy to Windows IAS - reserved characters in shared secret?
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Hi clive,

Wednesday, August 1, 2007, 11:10:41 AM, you wrote:
>> 2) If I use a secret key (similar to the one set on the IAS server)
>> containing characters such as $\[ then the key is rejected and
>
> Character Escape from Alcatraz, a classic movie with Clint Eastwood..
> Be careful with character escaping and bash cli (always use single
> quotes to pass to radtest what you want).
> Also avoid ${foo} as a secret
>
> client 127.0.0.1 { secret = \044{prefix} }
> radtest gigi kent 127.0.0.1 1 '/radiusd' = OK!! ($prefix = /radiusd)
>
> client 127.0.0.1 { secret = \\testing123 }
> radtest gigi kent 127.0.0.1 1 '\testing123' = OK
> radtest gigi kent 127.0.0.1 1 \testing123 = OK (because bash does not expand \t)
> radtest gigi kent 127.0.0.1 1 \\testing123 = OK (because bash expands \\t to \t)
> radtest gigi kent 127.0.0.1 1 '\\testing123' = NOT ok
>
> client 127.0.0.1 { secret = $\[ }
> radtest gigi kent 127.0.0.1 1 '$[' = OK
>
> client 127.0.0.1 { secret = $\\[ }
> radtest gigi kent 127.0.0.1 1 '$\[' = OK
>
> Have fun!


Re: Freeradius as a proxy to Windows IAS

2007-07-31 Thread Clive Gould
Hi

Thanks for the replies to my posting yesterday.

Perhaps I can explain the situation more clearly. My goal is to
authenticate login to the digital repository DSpace against a Windows IAS 
server. I do not have physical access to the IAS server and cannot change
its shared secret. So far I have been unable to successfully authenticate
DSpace directly against the remote IAS server.

As a result of this I came up with the idea of setting up a Freeradius
proxy server running on the same Linux box as DSpace, which would act as a
proxy to the remote IAS server for authentication purposes in the hope
that this would work.

I have been able to successfully validate login to Dspace against the
FreeRADIUS server when authentication is carried out against the unix
account files /etc/passwd and /etc/shadow on the local machine. However, I
have been unsuccessful in validating DSpace login against the IAS server
with Freeradius acting as a proxy.

We also use the Moodle VLE running on the same Linux box as DSpace and 
Freeradius, which has been using a PHP module to successfully validate
against the IAS server using the mschapv2 protocol for several years. As
part of debugging I decided to try pointing Moodle at the Freeradius proxy
instead of directly at IAS. I append the log trace resulting from this
below.

Dspace, Moodle and Freeradius are on 10.200.0.14
Windows IAS is on 10.200.0.2

It suggests to me that the shared secrets are wrong, but I've double
checked them and they are identical.

Any suggestions very gratefully received :-)


Thanks very much

Clive


[EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -sfxxyz -l stdout > radlog
[EMAIL PROTECTED] raddb]# cat radlog
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 10.200.0.14 IP address [10.200.0.14]
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = 

Re: Freeradius as a proxy to Windows IAS (Peter Nixon)

2007-07-31 Thread Clive Gould
Hi Peter

Thanks for the prompt reply.

The Windows IAS server is working fine and I have been successfully
authenticating against it using Moodle/PHP on the Linux server for several
years.

I've put the Freeradius server in between Moodle and IAS purely to test
out my proxying configuration and then authentication fails despite the
shared secrets being identical.

This is the response from the IAS server (10.200.0.2) as received by the
Freeradius acting as a proxy:

Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=236
Received Access-Accept packet from 10.200.0.2:1812 with invalid signature
(err=2)!  (Shared secret is incorrect.)
Server rejecting request 0.

Are there any characters (e.g. \) which must not be used in a shared
secret with a Freeradius server?

Best wishes

Clive


On Tue 31 Jul 2007, Clive Gould wrote:
> Hi
>
> Thanks for the replies to my posting yesterday.
>
> Perhaps I can explain the situation more clearly. My goal is to
> authenticate login to the digital repository DSpace against a Windows IAS
> server. I do not have physical access to the IAS server and cannot change
> its shared secret. So far I have been unable to successfully authenticate
> DSpace directly against the remote IAS server.

Well, I would suggest you solve this problem first.

> As a result of this I came up with the idea of setting up a Freeradius
> proxy server running on the same Linux box as DSpace, which would act as a
> proxy to the remote IAS server for authentication purposes in the hope
> that this would work.

FreeRADIUS is not magic... Fix the IAS server and the FreeRADIUS bit should
just work..



Re: Freeradius as a proxy to Windows IAS - Solved!

2007-07-31 Thread Clive Gould
Hi everyone

Please ignore my postings about problems with IAS authentication.

I have just read this in the FAQ:

FreeRADIUS is limited to 16 characters for the shared secret.

The shared secret on our IAS server is 25 characters long :-(

Thanks anyway

Clive






Re: Freeradius as a proxy to Windows IAS - not solved after all :-(

2007-07-31 Thread Clive Gould
Hi everyone

Thanks for all the help and advice so far :-)

I have installed freeradius 1.1.7 and get the appended message when I try
to use it as a proxy between a Linux/Moodle/PHP radius client and a
Windows IAS server. The shared secrets are definitely the same.

The Linux/Moodle/PHP radius client authenticates directly with the Windows
IAS server without any problems, but it will not authenticate with the
freeradius proxy in between!

I need a working freeradius proxy.

Help...

Clive


Sending Access-Request of id 0 to 10.200.0.2 port 1812
NAS-Identifier = vle.bromley.ac.uk
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 127.0.0.1
User-Name = [EMAIL PROTECTED]
MS-CHAP2-Response = removed from message
MS-CHAP-Challenge = removed from message
NAS-IP-Address = 10.200.0.14
Proxy-State = 0x3832
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=235
Received Access-Accept packet from client 10.200.0.2 port 1812 with
invalid signature (err=2)!  (Shared secret is incorrect.) Dropping packet
without response.


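The "invalid signature (err=2)! (Shared secret is incorrect.)" line in the trace above, the 16-character shared-secret limit quoted from the FAQ in the "Solved!" post, and the backslash-escaping discussion earlier in the thread all come down to one check: the proxy recomputes the RFC 2865 Response Authenticator over the Access-Accept with its own copy of the secret, and any byte of difference between the two copies makes that MD5 fail. The Python script below is an added example written for this page; it is not code from the thread, from FreeRADIUS or from IAS. The secret strings, the user name and the single attribute in the reply are constructed for the demonstration, and `simulate_exchange` is a stand-in for the proxy/home-server round trip rather than any FreeRADIUS function.

```python
"""Model of the RADIUS Response Authenticator check behind FreeRADIUS's
"invalid signature ... (Shared secret is incorrect.)" message (RFC 2865 s.3).
Added example, not FreeRADIUS code; secrets and attribute values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed secrets: a 25-character secret like the one on the IAS server in
# the thread, and what a server that only keeps 16 characters would use.
IAS_SECRET = b"ThisSecretIs25CharsLong!!"
PROXY_SECRET_16 = IAS_SECRET[:16]


def attribute(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, ident, request_auth, attributes, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret):
    """Assemble the reply a home server (standing in for IAS) sends back to the proxy."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_reply(reply, request_auth, secret):
    """The check a proxy performs on rad_recv: recompute the authenticator with its
    own copy of the secret and compare. False corresponds to 'invalid signature'."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    received = reply[4:HEADER_LEN]
    attributes = reply[HEADER_LEN:]
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    return hmac.compare_digest(received, expected)


def simulate_exchange(home_secret, proxy_secret, ident=0):
    """Proxy sends an Access-Request with a fresh random Request Authenticator, the
    home server answers with an Access-Accept signed using home_secret, and the
    proxy verifies it using proxy_secret. Returns True if the proxy accepts it."""
    request_auth = os.urandom(16)
    attributes = attribute(1, b"user@example.org")   # User-Name, constructed value
    reply = build_reply(ACCESS_ACCEPT, ident, request_auth, attributes, home_secret)
    return verify_reply(reply, request_auth, proxy_secret)


if __name__ == "__main__":
    print("identical 25-char secrets :", simulate_exchange(IAS_SECRET, IAS_SECRET))
    print("proxy keeps only 16 chars :", simulate_exchange(IAS_SECRET, PROXY_SECRET_16))
    print("se\\cret vs se\\\\cret       :", simulate_exchange(b"se\\cret", b"se\\\\cret"))
```

The third case is the escaping problem from the earlier posts seen from the wire: if the shell or the config parser leaves one side with `se\cret` and the other with `se\\cret`, the home server signs with one byte string and the proxy verifies with another, and the packet is dropped exactly as in the trace, even though both sides "have the same secret" on screen. When debugging this class of failure, compare the secret bytes each side actually ends up with, not the text typed into the two files.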


FreeRADIUS as proxy to Windows IAS

2007-07-30 Thread Clive Gould
Hi

I'd be grateful to hear from anyone out there who has got Freeradius (on a
Linux box) running as a proxy server successfully validating usernames and
passwords against a Windows IAS server using the MSChapv2 protocol.

I have the Freeradius server up and running on CentOS 4.5, but can't get
it to validate against the IAS server successfully.

Please feel free to contact me off list.

Thanks in advance.

Clive


