FreeRadius & Heimdal Kerberos: I'm lost!
Ronni Feldt
rofe at one.com
Tue Oct 21 11:43:46 CEST 2008
Hi again,
I'm trying to get FreeRadius to work with Heimdal Kerberos, so I can use
it to authenticate my login on my HP-switch.
I have searched and read a lot on the internet but I can't find anything
useful, and now I am really lost.
########################################
My environment
########################################
Ubuntu Linux 8.04
FreeRadius 1.1.7-1build4
Heimdal-kdc 1.0.1-5ubuntu4
########################################
My configuration
########################################
###############
Server
###############
# Installed software and followed the configuration guide
apt-get install freeradius heimdal-kdc heimdal-kcm
# Configured Heimdal Kerberos
# Creating the database
kadmin -l
kadmin> init ONE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
# Add user to database; here rofe
kadmin> add rofe
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
rofe at ONE.COM's Password:
Verifying - rofe at ONE.COM's Password:
kadmin> exit
# Opened ports in firewall
kerberos 88 UDP Default configuration
kerberos 88 TCP Alternative configurations for usage with firewalls see
below
# Added DNS in /etc/hosts
127.0.0.1 rofe.one.com
# Test configuration
kinit rofe
klist rofe
kdestroy
# It works, I get a ticket.
# Making service principal 'radius' and keytab file used by the switch
kadmin -l
kadmin> add radius
# ext_keytab --keytab=<keytab-file> <principal>
kadmin> ext_keytab --keytab=/etc/krb5.keytab radius/rofe.one.com
# Edit /etc/freeradius/radiusd.conf to use Heimdal Kerberos
# Add the following lines in the authenticate section
Auth-Type Kerberos {
krb5
}
# Edit /etc/freeradius/radiusd.conf
# Add the following lines in modules section
krb5 {
# keytab containing the key used by rlm_krb5
keytab = /etc/krb5.keytab
# principal that is used by rlm_krb5
service_principal = radius/rofe.one.com
}
# Edit the /etc/freeradius/clients.conf
# Add the switch as a client
client 192.168.212.4 {
secret = 123456 # Secret also configured on the switch
- radius-server key <Unique Key>
shortname = ProCurve2650 # Hostname of the switch
nastype = other # Type of NAS (Radius Client)
}
#####
Now if I start FreeRadius with /usr/sbin/freeradius start -X and try to
login on the switch I get this:
# Output from FreeRadius -X startup #
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
krb5: keytab = "/etc/krb5.keytab"
krb5: service_principal = "radius/rofe.one.com"
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
#####
And when I try to login from HP-switch with:
user: rofe
password: 123456
# Output from FreeRadius -X when login attempted #
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=59,
length=94
User-Name = "rofe"
User-Password = "123456"
NAS-IP-Address = 192.168.212.4
NAS-Identifier = "ProCurve2650"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Message-Authenticator = 0x4bb4032f84e185d55eb0f3683b0ab051
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_unix: [rofe]: invalid password
modcall[authenticate]: module "unix" returns reject for request 2
modcall: leaving group authenticate (returns reject) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 59 to 192.168.212.4 port 2841
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 59 with timestamp 48fd9cdd
Nothing to do. Sleeping until we see a request.
#####
This says that my realm is not found at all:
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
And when I try to login from HP-switch with:
user: rofe@ONE.COM
password: 123456
# Output from FreeRadius -X when login attempted #
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=58,
length=102
User-Name = "rofe at one.com"
User-Password = "123456"
NAS-IP-Address = 192.168.212.4
NAS-Identifier = "ProCurve2650"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Message-Authenticator = 0x56710301a172a54c62ae1441046e0b4e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "one.com" for User-Name = "rofe at one.com"
rlm_realm: No such realm "one.com"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 58 to 192.168.212.4 port 2841
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 58 with timestamp 48fd9c82
Nothing to do. Sleeping until we see a request.
#####
This says that my realm ONE.COM is not found:
rlm_realm: Looking up realm "one.com" for User-Name = "rofe at one.com"
rlm_realm: No such realm "one.com"
If I try with my local linux user rofe/password I get this output:
# Output from HP-switch #
Please Enter Login Name: rofe
Please Enter Password:
Access denied: no user's privilege level supplied by the RADIUS server
# Output from FreeRadius -X when login attempted #
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=64,
length=94
User-Name = "rofe"
User-Password = "<password removed>"
NAS-IP-Address = 192.168.212.4
NAS-Identifier = "ProCurve2650"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Message-Authenticator = 0x05c11e9f7c12361b373504a377975f99
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 7
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 7
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 7
modcall: leaving group authorize (returns ok) for request 7
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
modcall[authenticate]: module "unix" returns ok for request 7
modcall: leaving group authenticate (returns ok) for request 7
Sending Access-Accept of id 64 to 192.168.212.4 port 2841
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 64 with timestamp 48fd9d9c
Nothing to do. Sleeping until we see a request.
#####
Here FreeRadius seems to accept me:
Sending Access-Accept of id 64 to 192.168.212.4 port 2841
But it still can't find my realm:
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
# My Heimdal Kerberos configurations files #
# /etc/krb5.conf #
[realms]
ONE.COM = {
kdc = rofe
admin_server = rofe
}
###############
HP-switch configuration
###############
radius-server host 192.168.212.93
radius-server key 123456
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication login privilege-mode
###############
Debugging
###############
I have tried to debug it myself using these guidelines:
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#Debugging_it_yourself
Step 7-8 gives me:
root at rofe:/etc/freeradius# radtest bob bob localhost 0 testing123
Sending Access-Request of id 134 to 127.0.0.1 port 1812
User-Name = "bob"
User-Password = "bob"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=134,
length=32
Reply-Message = "Hello, bob"
If I try with my Kerberos user I get this:
root at rofe:/etc/freeradius# radtest rofe 123456 localhost 0 testing123
Sending Access-Request of id 152 to 127.0.0.1 port 1812
User-Name = "rofe"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=152,
length=20
And if I try with my local linux user I get this:
root at rofe:/etc/freeradius# radtest rofe <password removed> localhost 0
testing123
Sending Access-Request of id 162 to 127.0.0.1 port 1812
User-Name = "rofe"
User-Password = "<password removed>"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=162,
length=20
####################
It looks to me like FreeRadius is not using Kerberos to authenticate
users. It can't seem to find the realm; I have even tried to make another
user, with a username different from my local Linux user, but I get the
same error, that the realm ONE.COM is not found.
As said in the beginning, I have searched the internet and read a lot,
but can't find anything useful.
Any help to get this to work is appreciated!
- Ronni
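A small triage script for traces like the three `-X` dumps above, written here as an added example (it is not part of the post and not FreeRADIUS code). It groups a FreeRADIUS 1.x debug log into one record per Access-Request and pulls out the realm lookup result, the Auth-Type that `rad_check_password` selected, and which module in the `authenticate` section actually produced the verdict. The sample log is constructed from lines quoted in the post; run over it, the script shows that every request was routed to Auth-Type System and handled by `unix`, and that `krb5` was never invoked at all.

```python
import re

# Constructed sample: lines copied from the -X traces quoted in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=59, length=94
User-Name = "rofe"
rlm_realm: No such realm "NULL"
rad_check_password: Found Auth-Type System
modcall[authenticate]: module "unix" returns reject for request 2
Sending Access-Reject of id 59 to 192.168.212.4 port 2841
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=64, length=94
User-Name = "rofe"
rad_check_password: Found Auth-Type System
modcall[authenticate]: module "unix" returns ok for request 7
Sending Access-Accept of id 64 to 192.168.212.4 port 2841
"""

RECV = re.compile(r'rad_recv: Access-Request packet from host (\S+), id=(\d+)')
USER = re.compile(r'^\s*User-Name = "([^"]*)"')
REALM = re.compile(r'rlm_realm: No such realm "([^"]*)"')
AUTHTYPE = re.compile(r'rad_check_password: Found Auth-Type (\S+)')
AUTHMOD = re.compile(r'modcall\[authenticate\]: module "([^"]+)" returns (\w+)')
SENT = re.compile(r'Sending (Access-\w+) of id (\d+)')

def parse_requests(text):
    """Group a FreeRADIUS 1.x -X trace into one record per Access-Request."""
    requests, cur = [], None
    for line in text.splitlines():
        if m := RECV.search(line):
            cur = {"nas": m.group(1), "id": int(m.group(2)), "user": None,
                   "realm_missing": None, "auth_type": None, "authenticate": [], "result": None}
            requests.append(cur)
        elif cur is None:
            continue  # startup noise before the first request
        elif m := USER.match(line):
            cur["user"] = m.group(1)
        elif m := REALM.search(line):
            cur["realm_missing"] = m.group(1)       # realm rlm_realm failed to find
        elif m := AUTHTYPE.search(line):
            cur["auth_type"] = m.group(1)           # Auth-Type chosen after authorize
        elif m := AUTHMOD.search(line):
            cur["authenticate"].append((m.group(1), m.group(2)))  # (module, rcode)
        elif m := SENT.search(line):
            cur["result"] = m.group(1)              # Access-Accept / Access-Reject
    return requests

def modules_never_run(requests, expected="krb5"):
    """Ids of requests whose authenticate section never invoked `expected`."""
    return [r["id"] for r in requests
            if expected not in {mod for mod, _ in r["authenticate"]}]
```

`modules_never_run(parse_requests(SAMPLE_LOG))` returns both request ids, which is the point: as long as `rad_check_password` reports `Auth-Type System`, the `krb5` instance listed under `Auth-Type Kerberos` is never reached, regardless of whether the password is right.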