Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk)

Kevin Virk Kevin.Virk at faithlife.com
Wed Aug 8 21:51:45 CEST 2018


I have put the secret into the radius-server key on the cisco switch and it is indeed the same secret in clients.conf. Is there another place I should be putting it to make it work? What is odd is if I log in without a user that is not in the users conf I get an access-reject, which I wouldn't expect if the secrets weren't aligned. However, when logging in with a valid user I get "the shared secret is incorrect" and the packet gets dropped.



From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com at lists.freeradius.org> on behalf of freeradius-users-request at lists.freeradius.org  <freeradius-users-request at lists.freeradius.org>
Sent: Wednesday, August 8, 2018 8:38 AM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 160, Issue 11
  
Send Freeradius-Users mailing list submissions to
freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

1. Re: ldap module for user and mac authentication (Alan DeKok)
2. Re: ldap module for user and mac authentication (Dave Macias)
3. Re: ldap module for user and mac authentication (Michael Ströder)
4. Re:Re: Accounting-Request packet shared secret fail (Alan DeKok) (Kevin Virk)


----------------------------------------------------------------------

Message: 1
Date: Wed, 8 Aug 2018 10:03:29 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID: <88B6B2EF-CE79-45C3-9BFE-C4E6DDE90764 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii

On Aug 7, 2018, at 4:04 PM, Dave Macias <davama at gmail.com> wrote:
> 
> Yes, I had thought of something to the effect of (suggestions welcomed) :
> ...
> But this does not account for the scenario of openldap being dead.

Unfortunately, the dynamic expansions don't deal well with this kind of problem.

We're fixing that in v4, but it's hard to do for v3.

> Unless there is a way to query the "live" ldap server which the ldap module
> found %{ldap:ldap://%{live.ldap.server}/...} , if that makes sense

No, there's no way to do that. The fail-over in this case is handled by libldap. So it's completely out of our control.

Alan DeKok.




------------------------------

Message: 2
Date: Wed, 8 Aug 2018 10:12:13 -0400
From: Dave Macias <davama at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID:
<CA+nFYV81mUH-ry5sgZERODxKo2nQ0rQkG7FFH3=AEdZPDxgAvg at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Understood

Thank you for the kind assistance Alan!

Best Regards,
dave

On Wed, Aug 8, 2018 at 10:03 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Aug 7, 2018, at 4:04 PM, Dave Macias <davama at gmail.com> wrote:
> >
> > Yes, I had thought of something to the effect of (suggestions welcomed) :
> > ...
> > But this does not account for the scenario of openldap being dead.
>
> Unfortunately, the dynamic expansions don't deal well with this kind of
> problem.
>
> We're fixing that in v4, but it's hard to do for v3.
>
> > Unless there is a way to query the "live" ldap server which the ldap
> module
> > found %{ldap:ldap://%{live.ldap.server}/...} , if that makes sense
>
> No, there's no way to do that. The fail-over in this case is handled by
> libldap. So it's completely out of our control.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html


------------------------------

Message: 3
Date: Wed, 8 Aug 2018 17:01:33 +0200
From: Michael Ströder <michael at stroeder.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID: <e554d80f-d1b6-8751-4e86-cc112f13fa50 at stroeder.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 8/8/18 4:03 PM, Alan DeKok wrote:
> On Aug 7, 2018, at 4:04 PM, Dave Macias <davama at gmail.com> wrote:
>> Unless there is a way to query the "live" ldap server which the ldap module
>> found %{ldap:ldap://%{live.ldap.server}/...} , if that makes sense
> 
> No, there's no way to do that. The fail-over in this case is handled
> by libldap. So it's completely out of our control.

Maybe I missed something in the thread. But I understand '"live" LDAP 
server' to mean that you want to know which LDAP server behind connection 
pooling, a load-balancer or similar was really reached.

For this particular case I always add the service FQDN of a particular 
(OpenLDAP) instance so that it is readable via LDAP, e.g. in the rootDSE. So an 
LDAP client can find out which particular instance it connected to even 
though it does not control the fail-over.

Ciao, Michael.


------------------------------

Message: 4
Date: Wed, 8 Aug 2018 15:38:44 +0000
From: Kevin Virk <Kevin.Virk at faithlife.com>
To: "freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject: Re:Re: Accounting-Request packet shared secret fail (Alan DeKok)
Message-ID: <1533742724522.87959 at faithlife.com>
Content-Type: text/plain; charset=WINDOWS-1252

Thank you Alan DeKok. I will go recheck my configs!

________________________________
From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com at lists.freeradius.org> on behalf of freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
Sent: Wednesday, August 8, 2018 3:00 AM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 160, Issue 10



Today's Topics:

1. Re: Dynamic vlan assignment (Deepak Sehrawat)
2. Re: Dynamic vlan assignment (Alan DeKok)
3. Re: ldap module for user and mac authentication (Alan DeKok)
4. Re: ldap module for user and mac authentication (Dave Macias)
5. Accounting-Request packet shared secret fail (Kevin Virk)
6. Re: Accounting-Request packet shared secret fail (Alan DeKok)


----------------------------------------------------------------------

Message: 1
Date: Tue, 7 Aug 2018 22:38:47 +0530
From: Deepak Sehrawat <d.sehrawat at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Dynamic vlan assignment
Message-ID: <A1C9AE51-ED3D-4394-9887-274F1A2F210B at gmail.com>
Content-Type: text/plain; charset=us-ascii


Can we configure it via MySQL as well?


> On 07-Aug-2018, at 5:19 PM, Elias Pereira <empbilly at gmail.com> wrote:
>
> You can configure it in the post-auth option of the sites-enabled/default
> configuration file.
>
> E.g:
>
> ...
> ldap
> if (Ldap-Group == "CN=ADM,OU=GRUPOS,DC=mycompany,DC=intra") {
>     update reply {
>         &Tunnel-Type = VLAN
>         &Tunnel-Medium-Type = IEEE-802
>         &Tunnel-Private-Group-Id = "51"
>     }
> }
> elsif (Ldap-Group == "CN=ALUNOS,OU=GRUPOS,DC=mycompany,DC=intra") {
>     update reply {
>         &Tunnel-Type = VLAN
>         &Tunnel-Medium-Type = IEEE-802
>         &Tunnel-Private-Group-Id = "40"
>     }
> }
> elsif ...
> ...
>
> On Tue, Aug 7, 2018 at 8:05 AM aseem kaushal <aseemkaushal91 at gmail.com>
> wrote:
>
>> Need to configure freeradius for dynamic vlan assignment. What could be the
>> various methods for the above.
>> Thanks in advance.
>>
>>
>> Regards
>> -Aseem Kaushal
>
>
>
> --
> Elias Pereira



------------------------------

Message: 2
Date: Tue, 7 Aug 2018 14:16:32 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Dynamic vlan assignment
Message-ID: <EC8BA115-117B-408F-ADB3-C81489452CA3 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii

On Aug 7, 2018, at 1:08 PM, Deepak Sehrawat <d.sehrawat at gmail.com> wrote:
>
> Can we configure it via MySQL as well?

The documentation has lots of information on how the SQL module works.

Read it. Ask questions if you don't understand.

Alan DeKok.



------------------------------

Message: 3
Date: Tue, 7 Aug 2018 15:08:48 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID: <76519810-BEB1-40AC-A1E2-A3E6FA28B6E6 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii

On Aug 7, 2018, at 11:50 AM, Dave Macias <davama at gmail.com> wrote:
> On the SLAVE, I am able to use the ldap module to auth a mac address
> On the MASTER, i am also able to auth a mac but by doing something like the
> links below:
>  http://lists.freeradius.org/pipermail/freeradius-users/2015-April/076948.html
>  http://lists.freeradius.org/pipermail/freeradius-users/2018-August/092319.html
>
> Is there a way on the MASTER to use the ldap module to also auth macs?

You can do any kind of LDAP query in FreeRADIUS. Why not just do the same %{ldap:...} checks there?

Alan DeKok.




------------------------------

Message: 4
Date: Tue, 7 Aug 2018 16:04:10 -0400
From: Dave Macias <davama at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID:
<CA+nFYV-f2c+ZB4k7WxPf_tznrc3hdRb_WB+DCTAzqvT7Y6D_oA at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Thank you for the reply Alan!


> You can do any kind of LDAP query in FreeRADIUS. Why not just do the
> same %{ldap:...} checks there?
>

Yes, I had thought of something to the effect of (suggestions welcomed) :

if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
    if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
        reject
    }
}
update {
    control:Auth-Type := Accept
}

But this does not account for the scenario of openldap being dead.
The 1st "if" statement will always be FALSE and never attempt the next
"if" statement, and therefore 'Accept'.

We currently use do_not_respond in conjunction with the ldap module so that
radius never responds if openldap were down:
http://lists.freeradius.org/pipermail/freeradius-users/2018-May/091477.html

The nice feature of the module is that you can configure multiple ldap
servers. If one fails then it will automatically try the next and so forth.

mods-enabled/ldap
ldap {
    server = host1 # <- this one is dead
    server = host2 # <- this one is alive so use this one in the query
    ...
}

Unless there is a way to query the "live" ldap server which the ldap module
found %{ldap:ldap://%{live.ldap.server}/...} , if that makes sense



Thanks!


------------------------------

Message: 5
Date: Tue, 7 Aug 2018 22:04:17 +0000
From: Kevin Virk <Kevin.Virk at faithlife.com>
To: "freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject: Accounting-Request packet shared secret fail
Message-ID: <1533679457716.32160 at faithlife.com>
Content-Type: text/plain; charset=WINDOWS-1252

I am having an issue with configuring my cisco switch to authenticate with freeradius. My secret is the same on both sides but I keep getting an error that the shared secret is not correct. I did a tcpdump of the traffic and then opened it in wireshark to see. The password is coming through encrypted, as I would suspect. Could this encrypted password be the reason that I am not able to authenticate? Side note: Using wpa_supplicant and eapol_test I was able to get a successful test. The only non-success is this cisco switch.

ready to process requests.
rad_recv: Accounting-Request packet from host 172.17.17.227 port 49181, id=0, length=97
Received Accounting-Request packet from client 172.17.17.227 with invalid Request Authenticator! (Shared secret is incorrect.) Dropping packet without response






------------------------------

Message: 6
Date: Tue, 7 Aug 2018 18:24:30 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Accounting-Request packet shared secret fail
Message-ID: <D7FE269D-82BB-4365-A2A5-170524AF30E2 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii

On Aug 7, 2018, at 6:04 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
>
> I am having an issue with configuring my cisco switch to authenticate with freeradius. My secret is the same on both sides but I keep getting error that the shared secret is not correct.

Then the shared secret isn't correct.

> I did a tcpdump of the traffic and then opened in wireshark to see. The password is coming through encrypted as I would suspect. Could this encrypted password be the reason that I am not able to authenticate.

The password is encrypted with the shared secret. If the shared secret is wrong, then FreeRADIUS can't decrypt the password.

> Side note: Using wpa supplicant and eapol_test I was able to get a successful test. Only non success is this cisco switch.

Likely because they're using different IP addresses.

Are you editing the "client" configuration for the Cisco switch?

Have you tried setting the shared secret to something like "hello" ?

TBH, your choices here are:

a) the Cisco firmware works for everyone else, but not for you

b) FreeRADIUS works for everyone else, but not for you

c) you're entering the wrong shared secret, or maybe the correct shared secret, but in the wrong place.

Alan DeKok.
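Alan's point, and the "invalid Request Authenticator! (Shared secret is incorrect.)" line in Kevin's log, follow from RFC 2866: an Accounting-Request carries an MD5 over the packet and the shared secret, so the server can tell at once whether the NAS used the same secret, whereas an Access-Request carries a random authenticator and a wrong secret only surfaces later as a User-Password that decrypts to garbage (hence a reject rather than a drop). The Python below is an added example, not FreeRADIUS code: it builds an Accounting-Request the way a NAS does and runs the server-side check with a matching and a mismatched secret. The secret "testing123", the user name and the session id are constructed values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)
HEADER_LEN = 20         # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_accounting_request(ident, attrs, secret):
    """NAS side. RFC 2866 s.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator with the secret configured for this
    client and compare it with the one in the packet. A mismatch is what makes
    FreeRADIUS drop the packet without a response."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

# Constructed sample: an Accounting-Start for user "kevin" sent with secret "testing123".
NAS_SECRET = b"testing123"
SAMPLE_ATTRS = [
    (40, struct.pack("!I", 1)),   # Acct-Status-Type = Start
    (1, b"kevin"),                # User-Name
    (44, b"0000001a"),            # Acct-Session-Id
]

def demo():
    """Return (verified with the matching secret, verified with a mismatched secret)."""
    packet = build_accounting_request(0, SAMPLE_ATTRS, NAS_SECRET)
    ok = verify_accounting_request(packet, NAS_SECRET)           # server has the same secret
    mismatch = verify_accounting_request(packet, b"testing124")  # one character off: dropped
    return ok, mismatch

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A single differing character in the secret, or a secret configured under the wrong client block, produces exactly the drop Kevin observed.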




------------------------------

Subject: Digest Footer

-
List info/subscribe/unsubscribe? See  http://www.freeradius.org/list/users.html

------------------------------

End of Freeradius-Users Digest, Vol 160, Issue 10
*************************************************


------------------------------


------------------------------

End of Freeradius-Users Digest, Vol 160, Issue 11
*************************************************
   



