Login incorrect (Home Server says so)... - But why?

uni at christiankraus.de uni at christiankraus.de
Wed Aug 6 09:40:11 CEST 2008


Dear group,

you obviously still know my old thread: http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-July/msg00091.html

I am using still freeradius 1.1.7
Well, the problem was not the foreign server after all. It is kind of embarrassing to say: the reason was my access points. There was a setting saying that each password should be transferred MD5-encoded. Although I don't know why this had any influence on the clients using MSCHAPv2/PEAP or TTLS/PAP, I removed the setting and voilà, it works.

So now, visitors from the other participating enterprises can use our WLAN with their own login credentials. Therefore the other direction should work as well. Do you know eduroam? The service we use is similar to it.


Let's look at my setup:

WLAN-accesspoints with SSID1 for local users-------------------------------------------------------------------------->Windows 2003 with IAS and active directory
same WLAN-accesspoints with SSID2 for foreign users---------------->myFreeRadiusServer------------->Windows 2003 with IAS and active directory
outside central server<------------------------------------------------------------->myFreeRadiusServer------------->Windows 2003 with IAS and active directory
outside central server<------------------------------------------------------------->someonesOtherRadiusServer1
outside central server<------------------------------------------------------------->someonesOtherRadiusServer2
...


So, my local users are able to use SSID1 with 802.1X. They use PEAP with MSCHAPv2 to get onto the WLAN. No problem. It works.
Also, if they accidentally use SSID2, which is meant for foreigners, they can use it. They log in with "username at mydomain.com". Everything which ends with "@mydomain.de" is proxied from "myFreeRadiusServer" to the "Windows 2003 with IAS and active directory". This is also working without any problems.
Foreigners can use their credentials, e.g. "username at someonesOtherdomain.com". These credentials are passed to "myFreeRadiusServer". Everything else, i.e. anything that doesn't end in "@mydomain.de", is passed to the "outside central server". There is a list there which maps each "@someonesOtherdomain.com" to the right "someonesOtherRadiusServer" — dozens of other servers. From there the request is proxied to the corresponding "someonesOtherRadiusServer" which belongs to the right "@someonesOtherdomain.com".

What is working: I can use a "username at someonesOtherdomain.com" from a foreign enterprise to log in and use the WLAN. No problem here. But the other way round doesn't work. I asked a colleague from one of those foreign enterprises to test the login with "username at mydomain.com".

He gave me the following error message:

Mon Aug  4 17:19:57 2008 : Auth: Login incorrect (Home Server says so):
[username at mydomain.com] (from client CB-Access-Point-802.11 port 2 cli
00-1B-77-A4-7B-A2)


I don't know where the problem is. Perhaps you can give me a hint?
 

Coming to my configuration files, with changed IP addresses:


-----------------------------------------------------------------------------
clients.conf:

# One access point (NAS); the post says further APs follow ("...").
client WLAN-IP-AP1 {
# RADIUS shared secret. It looks like a live value rather than a placeholder
# (the post says only the IP addresses were changed); a secret that has been
# posted publicly should be treated as compromised and rotated on the AP too.
secret = oft36fW!
shortname = WLAN-AP1
nastype = other
}
...



# The roaming hierarchy's central proxies. They are the only clients allowed
# to send us requests for our own realm coming from outside.
client "outside central server"-IP {
secret = ASECRETPASSWORD
shortname = top-level-radius1
nastype = other
}

# Backup central proxy. Both entries use the shortname "top-level-radius1",
# so log lines cannot tell which of the two forwarded a request; give this
# one its own shortname (e.g. top-level-radius2) for log attribution.
client "outside central backup server"-IP {
secret = ASECRETPASSWORD
shortname = top-level-radius1
nastype = other
}
-----------------------------------------------------------------------------
proxy.conf


# Our own realm: everything that arrives as user@mydomain.com is proxied to
# the Windows IAS server, whether it came from our SSID2 APs or from the
# outside central server. "nostrip" forwards the full user@realm name.
realm mydomain.com {
type = radius
authhost = IAS-IP:1812
accthost = IAS-IP:1813
# Shared secret with IAS, in cleartext as in every proxy.conf; keep this file
# readable by the radiusd user only.
secret = anotherpass
#ldflag = round_robin1
nostrip
}


# Catch-all: any realm not defined above (i.e. every foreign user) goes to the
# outside central server, which knows the per-domain home servers.
realm DEFAULT {
type = radius
authhost = outside central server:1812
accthost = outside central server:1813
secret = pass
nostrip
}

# Second definition of the same realm name. In the 1.x proxy.conf format a
# repeated realm name adds another home server for that realm (fail-over or
# round-robin, selected by ldflag); presumably this is the intended backup
# path to the outside central backup server — confirm the ldflag default.
realm DEFAULT {
type = radius
authhost = outside central backup server:1812
accthost = outside central backup server:1813
secret = pass
nostrip
}

-----------------------------------------------------------------------------
users

# Requests for our own realm that are about to be proxied to IAS (the realm
# module set Realm and FreeRADIUS-Proxied-To). Fall-Through lets the later
# entries be consulted as well.
# NOTE(review): the backtick quoting on the User-Name reply item is unusual
# here; confirm how the 1.1.x users file treats backtick strings, a
# double-quoted "%{User-Name}" is the usual form for an xlat.
DEFAULT, Realm == mydomain.com, FreeRADIUS-Proxied-To == IAS-IP
		User-Name = `%{User-Name}`,
		Fall-Through = yes,
		Auth-Type := EAP
# Anonymous outer identities (anonymous@<realm>) are marked as EAP; the inner
# identity is only visible to the home server that terminates the tunnel.
DEFAULT, User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@.*$"
	Auth-Type := EAP



# NOTE(review): with extended_expressions = yes in radiusd.conf this is an
# extended regex, and "$@$" anchors end-of-string before the "@", so it can
# never match a User-Name; a plain "@" is probably what was meant.
DEFAULT, User-Name =~ "$@$"
	 Auth-Type := EAP
# Bare usernames without a realm are rejected outright rather than being
# tried against local authentication methods.
DEFAULT Realm == NULL
	Auth-Type := Reject

-----------------------------------------------------------------------------







-----------------------------------------------------------------------------
eap.conf
Although, as I learned, it is not doing anything here.


	# EAP module. The author notes it is effectively unused, since EAP for both
	# local and foreign users is proxied (see proxy.conf), but it is still
	# listed in authorize, authenticate and post-proxy, so keep it sane.
	eap {

		timer_expire     = 60


		ignore_unknown_eap_types = yes


		cisco_accounting_username_bug = no


		# Presence of the sub-section enables the type. EAP-MD5 gives no
		# mutual authentication and LEAP is a known-weak method; if neither is
		# needed locally, removing the sub-sections shrinks what a client can
		# negotiate with this server.
		md5 {
		}


		leap {
		}



		tls {
			# Private key passphrase in cleartext. If this is a real value it
			# has now been posted publicly; either way eap.conf must not be
			# readable by anyone but the radiusd user.
			private_key_password = pass
			private_key_file = /usr/src/freeradius/key.pem
			
			#${raddbdir}/certs/cert-srv.pem


			certificate_file = /usr/src/freeradius/freeradius-cert.pem
	

	
			# CA chain presented to supplicants; clients should be configured
			# to validate the server certificate against this chain.
			CA_file = /usr/src/freeradius/chain.txt
			


			
			dh_file = ${raddbdir}/certs/dh
			random_file = ${raddbdir}/certs/random


		
			fragment_size = 1024

	
			include_length = yes



		}



		# Inner method for TTLS/PEAP when the tunnel terminates here; with
		# use_tunneled_reply = yes the inner reply attributes reach the NAS.
		ttls {
	
			default_eap_type = mschapv2

			
			copy_request_to_tunnel = no


			use_tunneled_reply = yes
		}


		peap {
	
			default_eap_type = mschapv2

	
			copy_request_to_tunnel = no
			use_tunneled_reply = yes

		}


		mschapv2 {
		}
	}

-----------------------------------------------------------------------------

radiusd.conf, where I hardly changed anything. I commented many things out...


# Installation layout; everything below is derived from these.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct


confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd


log_file = /var/log/radius/radius.log
log_destination = files


libdir = /usr/lib/freeradius

pidfile = ${run_dir}/radiusd.pid



max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

# Listens on every interface; "port = 0" means the port from /etc/services.
# Who may actually talk to the server is decided by clients.conf, so keep
# host firewalling in front of UDP 1812/1813 as a second line.
bind_address = *
port = 0

hostname_lookups = no

# Keeps shared secrets and keys out of core files.
allow_core_dumps = no

regular_expressions	= yes
extended_expressions	= yes

log_stripped_names = yes

log_auth = yes

# Both flags write the password supplied in locally handled requests into
# ${log_file} (bad and good ones respectively). That turns radius.log into a
# credential store; set them to "no" unless actively debugging, and keep the
# log file's permissions tight either way.
log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
		# Caps the number of attributes accepted per packet (malformed-packet
		# protection).
		max_attributes = 200

		# Access-Reject is delayed by one second, which slows online guessing
		# against the server without affecting legitimate logins.
		reject_delay = 1

		status_server = no
}

# Proxying is the whole point of this server: realms come from proxy.conf,
# the allowed NASes and upstream proxies from clients.conf.
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

# snmp.conf is still read even though SNMP is disabled here.
snmp	= no
$INCLUDE  ${confdir}/snmp.conf

# Worker thread sizing; max_requests_per_server = 0 means threads are never
# recycled after a fixed number of requests.
thread pool {
	
	start_servers = 5

	max_servers = 32

	min_spare_servers = 3
	max_spare_servers = 10

	max_requests_per_server = 0
}

modules {
		pap {
		auto_header = yes
	}


	chap {
		authtype = CHAP
	}

		pam {

		pam_auth = radiusd
	}


	unix {
		cache = no

				cache_reload = 600

				radwtmp = ${logdir}/radwtmp
	}

$INCLUDE ${confdir}/eap.conf

		mschap {

		use_mppe = yes

	
		# Together these reject MS-CHAP sessions that cannot negotiate
		# 128-bit MPPE; this is the strong setting, keep it.
		require_encryption = yes


		require_strong = yes

		with_ntdomain_hack = no


	}

	

	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}


	# The instance listed in authorize/preacct: splits "user@realm" and looks
	# the realm up in proxy.conf. ignore_default = no lets unknown realms fall
	# to "realm DEFAULT" (the outside central server); ignore_null = no keeps
	# the module involved for bare usernames, presumably so that the
	# "Realm == NULL" reject in the users file applies — confirm.
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}


	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}


	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}	

	
	checkval {

		item-name = Calling-Station-Id

		check-name = Calling-Station-Id

		data-type = string

	
	}
	
	


	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints

				with_ascend_hack = no
		ascend_channels_per_line = 23


		with_ntdomain_hack = no


		with_specialix_jetstream_hack = no


		with_cisco_vsa_hack = no
	}

	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users


		compat = no
	}


	detail {


		# Accounting detail files carry usernames and station MACs; 0600
		# keeps them readable by the radiusd user only.
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d


		detailperm = 0600


	}


	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}


	# Provides the "sql" instance that the sqlcounter modules below refer to.
	$INCLUDE  ${confdir}/sql.conf


	
		radutmp {

		filename = ${logdir}/radutmp

		username = %{User-Name}

		case_sensitive = yes


		check_with_nas = yes		

		perm = 0600

		callerid = "yes"
	}


	# Second session table without caller-id; 0644 makes it world-readable,
	# so any local account can list who is currently logged in.
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}


	attr_filter {
		attrsfile = ${confdir}/attrs
	}

		counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}

		# Not referenced by any section below. NOTE(review): before enabling
		# it, confirm that this version's sqlcounter SQL-escapes the %{%k}
		# (User-Name) expansion, since that value comes straight from the
		# request.
		sqlcounter dailycounter {
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = daily

		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"


	}

	# Same note as for dailycounter: unused here, same %{%k} escaping question.
	sqlcounter monthlycounter {
		counter-name = Monthly-Session-Time
		check-name = Max-Monthly-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = monthly

		# This query properly handles calls that span from the
		# previous reset period into the current period but
		# involves more work for the SQL server than those
		# below
		# The same notes above about the differences between mysql
		# versus postgres queries apply here.
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

	}


	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}

		expr {
	}

		digest {
	}

		exec {
		wait = yes
		input_pairs = request
	}

		# Not referenced by any section below. If it is ever enabled, note
		# that %{User-Name} is taken straight from the request; check how
		# rlm_exec in 1.1.x tokenises the program line before handing a
		# request-controlled value to a command.
		exec echo {
		
		wait = yes

				program = "/bin/echo %{User-Name}"

				input_pairs = request

				output_pairs = reply

			}
	# NOTE(review): as pasted, the "}" closing this modules { ... } section is
	# missing — the brace above only closes "exec echo". Presumably a paste
	# artefact, since the server is evidently running.



# Modules loaded at startup even though no section lists them.
instantiate {

	exec


	expr


}


# "suffix" runs before "eap" and "files", so Realm and the proxy decision are
# already set when the users file is consulted; that is what lets the
# "Realm == ..." entries there work.
authorize {

	preprocess

	
	attr_filter

	chap


	mschap


	suffix

	eap



	files



	pap
}



# Only reached for requests that are not proxied. NOTE(review): "unix" and
# "eap" are listed bare; in the 1.x format that is the shorthand for an
# Auth-Type sub-section named after the module — confirm.
authenticate {

	Auth-Type PAP {
		pap
	}


	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

  
	unix




	eap
}



# Accounting packets get the same realm split as Access-Requests, so they are
# proxied to the same home server (accthost in proxy.conf).
preacct {
	preprocess


	acct_unique


	suffix

	files
}


# Local accounting sinks: per-client detail files, radwtmp and radutmp.
accounting {

	detail



	unix


	radutmp


}



# Simultaneous-Use checks are answered from radutmp.
session {
	radutmp


}


# Intentionally empty: nothing is done after a local Accept/Reject.
post-auth {


}

# Intentionally empty: requests are forwarded without pre-proxy filtering.
pre-proxy {

}


# Runs on replies coming back from a home server; "eap" here is presumably
# meant to fix up EAP-Message/State in proxied EAP replies — confirm.
post-proxy {


	eap
}



