warnings on users file

Chaigneau, Nicolas nicolas.chaigneau at capgemini.com
Tue Aug 5 09:02:55 CEST 2014


From what I remember:

The “correct” format is to put all the check items on the first line of a given entry in the users file.

But, in FreeRADIUS 2.x, if you do, EAP-SIM (and probably all EAP types, though I did not test) will not work.
So you have to put them in the “reply” list (i.e. on multiple lines in the users file).
And ignore the warnings...

In FreeRADIUS 3.x, this has been fixed, so you can comply with the warning and put all check items on the first line of the entry.



From: freeradius-users-bounces+nicolas.chaigneau=capgemini.com at lists.freeradius.org on behalf of rafa alfurqan
Sent: Tuesday, 5 August 2014 04:02
To: freeradius-users at lists.freeradius.org
Subject: Fwd: warnings on users file

Hi all,
Again, I've tried the users configuration a few times.
I always fail when I try this format:

1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org      EAP-Type := SIM
                EAP-Sim-Rand1 = 0xBDA21CB60EF945da9A8BA56667B49027,
                EAP-Sim-SRES1 = 0x04d995bc,
                EAP-Sim-KC1 = 0xBBe0a7c68Aea1c00,
                EAP-Sim-Rand2 = 0x621F1DAC915B4dbf8A0842E88B97BBBE,
                EAP-Sim-SRES2 = 0xD9b5f235,
                EAP-Sim-KC2 = 0x33d1ae11914c4800,
                EAP-Sim-Rand3 = 0x6AD4284810DD42ca8A60A410F7746820,
                EAP-Sim-SRES3 = 0xB29eb39b,
                EAP-Sim-KC3 = 0x1E62ae2aA0a66400

But when I try it, the log shows: [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-Rand1"   found in reply item list for user "1510101425520064 at wlan.mnc101.mcc510.3gppnetwork.org".   This attribute MUST go on the first line with the other check items

So I put it on one line:
1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org  EAP-Sim-Rand1 = 0xBDA21CB60EF945da9A8BA56667B49027, EAP-Sim-SRES1 = 0x04d995bc, EAP-Sim-KC1 = 0xBBe0a7c68Aea1c00, EAP-Sim-Rand2 = 0x621F1DAC915B4dbf8A0842E88B97BBBE, EAP-Sim-SRES2 = 0xD9b5f235, EAP-Sim-KC2 = 0x33d1ae11914c4800, EAP-Sim-Rand3 = 0x6AD4284810DD42ca8A60A410F7746820, EAP-Sim-SRES3 = 0xB29eb39b, EAP-Sim-KC3 = 0x1E62ae2aA0a66400

I did the same when I followed this instruction:
http://lists.freeradius.org/pipermail/freeradius-users/2014-March/071123.html
and the result is that the warning is gone!
So, is it okay to use that format? Honestly, I'm really new to FreeRADIUS; I'd appreciate any help.
Here is my log:

realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = "testing123"
      nastype = "other"
 }
 client 192.168.1.0/24 {
      require_message_authenticator = no
      secret = "eap-sim"
      shortname = "eap-sim"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
      wait = no
      input_pairs = "request"
      shell_escape = yes
      timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
      reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
      reply-message = "You are calling outside your allowed timespan  "
      minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/sites-enabled/default

 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
      encryption_scheme = "auto"
      auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
      use_mppe = yes
      require_encryption = no
      require_strong = no
      with_ntdomain_hack = no
      allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
      radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
      default_eap_type = "md5"
      timer_expire = 60
      ignore_unknown_eap_types = no
      cisco_accounting_username_bug = no
      max_sessions = 1024
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
      challenge = "Password: "
      auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
      rsa_key_exchange = no
      dh_key_exchange = yes
      rsa_key_length = 512
      dh_key_length = 512
      verify_depth = 0
      CA_path = "/etc/freeradius/certs"
      pem_file_type = yes
      private_key_file = "/etc/freeradius/certs/server.key"
      certificate_file = "/etc/freeradius/certs/server.pem"
      CA_file = "/etc/freeradius/certs/ca.pem"
      private_key_password = "whatever"
      dh_file = "/etc/freeradius/certs/dh"
      fragment_size = 1024
      include_length = yes
      check_crl = no
      cipher_list = "DEFAULT"
      make_cert_command = "/etc/freeradius/certs/bootstrap"
      ecdh_curve = "prime256v1"
    cache {
      enable = no
      lifetime = 24
      max_entries = 255
    }
    verify {
    }
    ocsp {
      enable = no
      override_cert_url = yes
      url = "http://127.0.0.1/ocsp/"
      use_nonce = yes
      timeout = 0
      softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
      default_eap_type = "md5"
      copy_request_to_tunnel = no
      use_tunneled_reply = no
      virtual_server = "inner-tunnel"
      include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
      default_eap_type = "mschapv2"
      copy_request_to_tunnel = no
      use_tunneled_reply = no
      proxy_tunneled_request_as_eap = yes
      virtual_server = "inner-tunnel"
      soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
      with_ntdomain_hack = no
      send_error = no
   }
 Module: Linked to sub-module rlm_eap_sim
 Module: Instantiating eap-sim
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
      huntgroups = "/etc/freeradius/huntgroups"
      hints = "/etc/freeradius/hints"
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
      with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
      format = "suffix"
      delimiter = "@"
      ignore_default = no
      ignore_null = no
  }
 Module: Linked to module rlm_sim_files
 Module: Instantiating module "sim_files" from file /etc/freeradius/modules/sim_files
  sim_files {
      simtriplets = "/etc/freeradius/simtriplets.dat"
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
      usersfile = "/etc/freeradius/users"
      acctusersfile = "/etc/freeradius/acct_users"
      preproxy_usersfile = "/etc/freeradius/preproxy_users"
      compat = "no"
  }
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
      key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
  detail {
      detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
      header = "%t"
      detailperm = 384
      dirperm = 493
      locking = no
      log_packet_header = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
      attrsfile = "/etc/freeradius/attrs.accounting_response"
      key = "%{User-Name}"
      relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
      filename = "/var/log/freeradius/radutmp"
      username = "%{User-Name}"
      case_sensitive = yes
      check_with_nas = yes
      perm = 384
      callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
      attrsfile = "/etc/freeradius/attrs.access_reject"
      key = "%{User-Name}"
      relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
      type = "auth"
      ipaddr = *
      port = 0
}
listen {
      type = "acct"
      ipaddr = *
      port = 0
}
listen {
      type = "auth"
      ipaddr = 127.0.0.1
      port = 18120
}
 ... adding new socket proxy address * port 44186

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=151, length=259
      User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
      NAS-IP-Address = 192.168.1.1
      NAS-Port = 0
      Called-Station-Id = "004f62248f98"
      Calling-Station-Id = "70aab2eb15af"
      NAS-Identifier = "Realtek Access Point. 8186"
      Framed-MTU = 1400
      NAS-Port-Type = Wireless-802.11
      Service-Type = Framed-User
      Connect-Info = "CONNECT 11Mbps 802.11b"
      EAP-Message = 0x02000038013135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
      Message-Authenticator = 0xf77502a9d1ebb44e40a997fb52f4ad2a

# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"
++[suffix] = noop
rlm_sim_files: authorized user/imsi 1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] = ok

[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop

++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 127

++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 151 to 192.168.1.1 port 2049
      EAP-Message = 0x017f0014120a00000f0200020001000011010100
      Message-Authenticator = 0x00000000000000000000000000000000
      State = 0x7659c0b27626d231a8579b0cb8f3e694

Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=152, length=303
      User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
      NAS-IP-Address = 192.168.1.1
      NAS-Port = 0
      Called-Station-Id = "004f62248f98"
      Calling-Station-Id = "70aab2eb15af"
      NAS-Identifier = "Realtek Access Point. 8186"
      NAS-Port-Type = Wireless-802.11
      Service-Type = Framed-User
      Connect-Info = "CONNECT 11Mbps 802.11b"
      EAP-Message = 0x027f0058120a000007050000b7a1d8dbcbb4ebc3626016889cbfc212100100010e0e00333135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
      State = 0x7659c0b27626d231a8579b0cb8f3e694
      Message-Authenticator = 0x946a59632d3b96d1ba18ad68545b1eb6

# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"
++[suffix] = noop
rlm_sim_files: authorized user/imsi 1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] = ok
[eap] EAP packet type response id 127 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop

++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++> EAP-sim decoded packet:
      User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
      NAS-IP-Address = 192.168.1.1
      NAS-Port = 0
      Called-Station-Id = "004f62248f98"
      Calling-Station-Id = "70aab2eb15af"
      NAS-Identifier = "Realtek Access Point. 8186"
      NAS-Port-Type = Wireless-802.11
      Service-Type = Framed-User
      Connect-Info = "CONNECT 11Mbps 802.11b"
      EAP-Message = 0x027f0058120a000007050000b7a1d8dbcbb4ebc3626016889cbfc212100100010e0e00333135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
      State = 0x7659c0b27626d231a8579b0cb8f3e694
      Message-Authenticator = 0x946a59632d3b96d1ba18ad68545b1eb6

      EAP-Type = SIM
      EAP-Sim-Subtype = Start
      EAP-Sim-NONCE_MT = 0x0000b7a1d8dbcbb4ebc3626016889cbfc212
      EAP-Sim-SELECTED_VERSION = 0x0001
      EAP-Sim-IDENTITY = 0x3135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
[eap] Underlying EAP-Type set EAP ID to 128
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 152 to 192.168.1.1 port 2049
      EAP-Message = 0x01800050120b0000010d0000bda21cb60ef945da9a8ba56667b49027621f1dac915b4dbf8a0842e88b97bbbe6ad4284810dd42ca8a60a410f77468200b05000066269155d778ece4a44df2898acaa745
      Message-Authenticator = 0x00000000000000000000000000000000
      State = 0x7659c0b277d9d231a8579b0cb8f3e694

Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=153, length=243
      User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
      NAS-IP-Address = 192.168.1.1
      NAS-Port = 0
      Called-Station-Id = "004f62248f98"
      Calling-Station-Id = "70aab2eb15af"
      NAS-Identifier = "Realtek Access Point. 8186"
      NAS-Port-Type = Wireless-802.11
      Service-Type = Framed-User
      Connect-Info = "CONNECT 11Mbps 802.11b"
      EAP-Message = 0x0280001c120b00000b0500004e314600d7dd8c432d922fe2e2f85e45
      State = 0x7659c0b277d9d231a8579b0cb8f3e694
      Message-Authenticator = 0xe28cce59df602509a3c3cfe9a99c5693

# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org" for User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
[suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org"
++[suffix] = noop
rlm_sim_files: authorized user/imsi 1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] = ok
[eap] EAP packet type response id 128 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop

++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
MAC check succeed
[eap] Underlying EAP-Type set EAP ID to 129
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 153 to 192.168.1.1 port 2049
      MS-MPPE-Recv-Key = 0x6e3afcc0cada4349d9e50c5b059f09a8561950974fc7a91ab4b085927b88ec4c
      MS-MPPE-Send-Key = 0xa1642e8992cf8c5937455aef07338c3b112ebbfcde037305d185b5367de606b0
      EAP-Message = 0x03810004
      Message-Authenticator = 0x00000000000000000000000000000000
      User-Name = "1510019463286168 at wlan.mnc001.mcc510.3gppnetwork.org"
Finished request 2.
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 0 ID 151 with timestamp +10
Cleaning up request 1 ID 152 with timestamp +11

Waking up in 1.0 seconds.
Cleaning up request 2 ID 153 with timestamp +12
Ready to process requests.


thank you


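As an added example (not from this thread and not FreeRADIUS code): a small Python reader for users-file entries that reproduces the "Check item ... found in reply item list" warning rafa hit, and rewrites an entry into the first-line form that warning asks for. Everything here is assumed for the example: the sample entries are constructed, the set of check-only attributes (CHECK_ONLY plus anything starting with EAP-Sim-) stands in for the decision FreeRADIUS actually takes from its dictionary, and the parser simplifies the real file grammar by treating every indented line after an entry as part of that entry's reply list. As Nicolas notes above, the first-line form is what breaks EAP-SIM on 2.x, so the rewrite is only useful on 3.x.

```python
"""Parse FreeRADIUS-style `users` entries, flag check-only attributes written in
the reply list, and rewrite an entry into first-line form.  Example code only."""
import re
from dataclasses import dataclass, field

# Operators the users file accepts; longest first so "==" is tried before "=".
OPERATORS = ("==", ":=", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=", ">", "<")
_PAIR_RE = re.compile(
    r"^\s*([A-Za-z0-9._:-]+?)\s*(" + "|".join(re.escape(o) for o in OPERATORS) + r")\s*(.*?)\s*$"
)

# ASSUMPTION for this example: attributes rlm_files only honours as check items.
# In FreeRADIUS the dictionary decides; these are the ones the thread is about.
CHECK_ONLY = {"EAP-Type", "Auth-Type", "Cleartext-Password", "Simultaneous-Use", "Expiration"}


def is_check_only(attr: str) -> bool:
    return attr in CHECK_ONLY or attr.startswith("EAP-Sim-")


@dataclass
class Entry:
    name: str                                   # user name, or DEFAULT
    line_no: int                                # line the entry starts on (what the warning reports)
    check: list = field(default_factory=list)   # (attr, op, value) triples from the first line
    reply: list = field(default_factory=list)   # (attr, op, value) triples from indented lines


def split_pairs(text: str) -> list:
    """Split 'a = 1, b = "x, y"' on commas that sit outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_pair(text: str) -> tuple:
    m = _PAIR_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse attribute pair: {text!r}")
    return m.group(1), m.group(2), m.group(3)


def parse_users(text: str) -> list:
    """Simplified reader: a line starting in column 0 opens an entry (name plus
    check items); every following indented line adds reply items to it."""
    entries, cur = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # naive comment strip
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.strip().split(None, 1)
            cur = Entry(name=parts[0], line_no=n)
            if len(parts) == 2:
                cur.check = [parse_pair(p) for p in split_pairs(parts[1])]
            entries.append(cur)
        else:
            if cur is None:
                raise ValueError(f"line {n}: reply items before any entry")
            cur.reply.extend(parse_pair(p) for p in split_pairs(line))
    return entries


def misplaced_check_items(entry: Entry) -> list:
    """Check-only attributes that sit in the reply list, in file order."""
    return [attr for attr, _, _ in entry.reply if is_check_only(attr)]


def warnings_for(entries: list, path: str = "/etc/freeradius/users") -> list:
    """Mirror the wording of the warning in the thread, one line per misplaced attribute."""
    return [
        f'[{path}]:{e.line_no} WARNING! Check item "{attr}" found in reply item list '
        f'for user "{e.name}". This attribute MUST go on the first line with the other check items'
        for e in entries for attr in misplaced_check_items(e)
    ]


def to_first_line_form(entry: Entry) -> str:
    """Move check-only attributes onto the first line; genuine reply items stay on
    indented lines, comma-terminated except for the last one."""
    check = entry.check + [p for p in entry.reply if is_check_only(p[0])]
    reply = [p for p in entry.reply if not is_check_only(p[0])]
    lines = [entry.name + "\t" + ", ".join(f"{a} {o} {v}" for a, o, v in check)]
    for i, (a, o, v) in enumerate(reply):
        lines.append(f"\t{a} {o} {v}" + ("," if i < len(reply) - 1 else ""))
    return "\n".join(lines)


# Constructed sample: the first entry repeats the thread's layout (triplets in the
# reply list); the second is well-formed and has a comma inside a quoted value.
SAMPLE_USERS = (
    "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org\tEAP-Type := SIM\n"
    "\tEAP-Sim-Rand1 = 0x00112233445566778899aabbccddeeff,\n"
    "\tEAP-Sim-SRES1 = 0x01234567,\n"
    "\tEAP-Sim-KC1 = 0x0011223344556677\n"
    "\n"
    'bob\tCleartext-Password := "hello"\n'
    '\tReply-Message = "Hello, bob",\n'
    "\tFramed-IP-Address = 192.168.1.10\n"
)

if __name__ == "__main__":
    parsed = parse_users(SAMPLE_USERS)
    for w in warnings_for(parsed):
        print(w)
    print(to_first_line_form(parsed[0]))
```

Run it on a copy of your own users file (`parse_users(open("/etc/freeradius/users").read())`) to list every entry that would trigger the warning before you decide, per Nicolas's note, whether your server version can take the first-line form.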

