So I reverted to the default conf by copying the confs from the source package. I was forced to alter two lines. <br><span style="font-family: courier new,monospace;">$diff eap.conf /etc/freeradius/eap.conf</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">155c155</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">< private_key_file = ${certdir}/server.pem</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">---</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">> private_key_file = ${certdir}/server.key</span><br>
<span style="font-family: courier new,monospace;">$diff users /etc/freeradius/users</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">49a50,53</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">> ####################################</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">> user</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">> ####################################</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">> </span><br>Other than those changes all confs are at their 'factory defaults'. Yet still I receive the access-reject packets that started this thread. radiusd -X output is below. (note: still using default certs)<br>
<br><font face="courier new,monospace">freeradius -X<br>FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 15 2010 at 23:02:23<br>Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. <br>
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A <br>PARTICULAR PURPOSE. <br>You may redistribute copies of FreeRADIUS under the terms of the <br>GNU General Public License v2. <br>Starting - reading configuration files ...<br>
including configuration file /etc/freeradius/radiusd.conf<br>including configuration file /etc/freeradius/proxy.conf<br>including configuration file /etc/freeradius/clients.conf<br>including files in directory /etc/freeradius/modules/<br>
including configuration file /etc/freeradius/modules/detail<br>including configuration file /etc/freeradius/modules/passwd<br>including configuration file /etc/freeradius/modules/cui<br>including configuration file /etc/freeradius/modules/attr_rewrite<br>
including configuration file /etc/freeradius/modules/pam<br>including configuration file /etc/freeradius/modules/expiration<br>including configuration file /etc/freeradius/modules/etc_group<br>including configuration file /etc/freeradius/modules/counter<br>
including configuration file /etc/freeradius/modules/checkval<br>including configuration file /etc/freeradius/modules/digest<br>including configuration file /etc/freeradius/modules/otp<br>including configuration file /etc/freeradius/modules/echo<br>
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login<br>including configuration file /etc/freeradius/modules/logintime<br>including configuration file /etc/freeradius/modules/ldap<br>including configuration file /etc/freeradius/modules/ippool<br>
including configuration file /etc/freeradius/modules/policy<br>including configuration file /etc/freeradius/modules/acct_unique<br>including configuration file /etc/freeradius/modules/sql_log<br>including configuration file /etc/freeradius/modules/sradutmp<br>
including configuration file /etc/freeradius/modules/realm<br>including configuration file /etc/freeradius/modules/preprocess<br>including configuration file /etc/freeradius/modules/expr<br>including configuration file /etc/freeradius/modules/radutmp<br>
including configuration file /etc/freeradius/modules/perl<br>including configuration file /etc/freeradius/modules/files<br>including configuration file /etc/freeradius/modules/exec<br>including configuration file /etc/freeradius/modules/smbpasswd<br>
including configuration file /etc/freeradius/modules/mschap<br>including configuration file /etc/freeradius/modules/smsotp<br>including configuration file /etc/freeradius/modules/<a href="http://detail.example.com" target="_blank">detail.example.com</a><br>
including configuration file /etc/freeradius/modules/attr_filter<br>including configuration file /etc/freeradius/modules/ntlm_auth<br>including configuration file /etc/freeradius/modules/krb5<br>including configuration file /etc/freeradius/modules/always<br>
including configuration file /etc/freeradius/modules/pap<br>including configuration file /etc/freeradius/modules/inner-eap<br>including configuration file /etc/freeradius/modules/mac2ip<br>including configuration file /etc/freeradius/modules/unix<br>
including configuration file /etc/freeradius/modules/detail.log<br>including configuration file /etc/freeradius/modules/linelog<br>including configuration file /etc/freeradius/modules/mac2vlan<br>including configuration file /etc/freeradius/modules/chap<br>
including configuration file /etc/freeradius/modules/wimax<br>including configuration file /etc/freeradius/eap.conf<br>including configuration file /etc/freeradius/policy.conf<br>including files in directory /etc/freeradius/sites-enabled/<br>
including configuration file /etc/freeradius/sites-enabled/default<br>including configuration file /etc/freeradius/sites-enabled/inner-tunnel<br>main {<br> user = "freerad"<br> group = "freerad"<br>
allow_core_dumps = no<br>}<br>including dictionary file /etc/freeradius/dictionary<br>main {<br> prefix = "/usr"<br> localstatedir = "/var"<br> logdir = "/var/log/freeradius"<br>
libdir = "/usr/lib/freeradius"<br> radacctdir = "/var/log/freeradius/radacct"<br> hostname_lookups = no<br> max_request_time = 30<br> cleanup_delay = 5<br> max_requests = 1024<br> pidfile = "/var/run/freeradius/freeradius.pid"<br>
checkrad = "/usr/sbin/checkrad"<br> debug_level = 0<br> proxy_requests = yes<br> log {<br> stripped_names = no<br> auth = no<br> auth_badpass = no<br> auth_goodpass = no<br> }<br> security {<br>
max_attributes = 200<br> reject_delay = 1<br> status_server = yes<br> }<br>}<br>radiusd: #### Loading Realms and Home Servers ####<br> proxy server {<br> retry_delay = 5<br> retry_count = 3<br> default_fallback = no<br>
dead_time = 120<br> wake_all_if_all_dead = no<br> }<br> home_server localhost {<br> ipaddr = 127.0.0.1<br> port = 1812<br> type = "auth"<br> secret = "testing123"<br> response_window = 20<br>
max_outstanding = 65536<br> require_message_authenticator = no<br> zombie_period = 40<br> status_check = "status-server"<br> ping_interval = 30<br> check_interval = 30<br> num_answers_to_alive = 3<br>
num_pings_to_alive = 3<br> revive_interval = 120<br> status_check_timeout = 4<br> irt = 2<br> mrt = 16<br> mrc = 5<br> mrd = 30<br> }<br> home_server_pool my_auth_failover {<br> type = fail-over<br>
home_server = localhost<br> }<br> realm <a href="http://example.com" target="_blank">example.com</a> {<br> auth_pool = my_auth_failover<br> }<br> realm LOCAL {<br> }<br>radiusd: #### Loading Clients ####<br> client 192.168.1.1 {<br>
ipaddr = 192.168.1.1<br> require_message_authenticator = no<br> secret = "secret123"<br> shortname = "AP"<br> }<br> client localhost {<br> ipaddr = 127.0.0.1<br> require_message_authenticator = no<br>
secret = "testing123"<br> nastype = "other"<br> }<br>radiusd: #### Instantiating modules ####<br> instantiate {<br> Module: Linked to module rlm_exec<br> Module: Instantiating exec<br> exec {<br>
wait = no<br> input_pairs = "request"<br> shell_escape = yes<br> }<br> Module: Linked to module rlm_expr<br> Module: Instantiating expr<br> Module: Linked to module rlm_expiration<br> Module: Instantiating expiration<br>
expiration {<br> reply-message = "Password Has Expired "<br> }<br> Module: Linked to module rlm_logintime<br> Module: Instantiating logintime<br> logintime {<br> reply-message = "You are calling outside your allowed timespan "<br>
minimum-timeout = 60<br> }<br> }<br>radiusd: #### Loading Virtual Servers ####<br>server inner-tunnel {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Linked to module rlm_pap<br>
Module: Instantiating pap<br> pap {<br> encryption_scheme = "auto"<br> auto_header = no<br> }<br> Module: Linked to module rlm_chap<br> Module: Instantiating chap<br> Module: Linked to module rlm_mschap<br>
Module: Instantiating mschap<br> mschap {<br> use_mppe = yes<br> require_encryption = no<br> require_strong = no<br> with_ntdomain_hack = no<br> }<br> Module: Linked to module rlm_unix<br> Module: Instantiating unix<br>
unix {<br> radwtmp = "/var/log/freeradius/radwtmp"<br> }<br> Module: Linked to module rlm_eap<br> Module: Instantiating eap<br> eap {<br> default_eap_type = "md5"<br> timer_expire = 60<br>
ignore_unknown_eap_types = no<br> cisco_accounting_username_bug = no<br> max_sessions = 4096<br> }<br> Module: Linked to sub-module rlm_eap_md5<br> Module: Instantiating eap-md5<br> Module: Linked to sub-module rlm_eap_leap<br>
Module: Instantiating eap-leap<br> Module: Linked to sub-module rlm_eap_gtc<br> Module: Instantiating eap-gtc<br> gtc {<br> challenge = "Password: "<br> auth_type = "PAP"<br> }<br> Module: Linked to sub-module rlm_eap_tls<br>
Module: Instantiating eap-tls<br> tls {<br> rsa_key_exchange = no<br> dh_key_exchange = yes<br> rsa_key_length = 512<br> dh_key_length = 512<br> verify_depth = 0<br> pem_file_type = yes<br> private_key_file = "/etc/freeradius/certs/server.key"<br>
certificate_file = "/etc/freeradius/certs/server.pem"<br> CA_file = "/etc/freeradius/certs/ca.pem"<br> private_key_password = "whatever"<br> dh_file = "/etc/freeradius/certs/dh"<br>
random_file = "/etc/freeradius/certs/random"<br> fragment_size = 1024<br> include_length = yes<br> check_crl = no<br> cipher_list = "DEFAULT"<br> make_cert_command = "/etc/freeradius/certs/bootstrap"<br>
cache {<br> enable = no<br> lifetime = 24<br> max_entries = 255<br> }<br> }<br> Module: Linked to sub-module rlm_eap_ttls<br> Module: Instantiating eap-ttls<br> ttls {<br> default_eap_type = "md5"<br>
copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> virtual_server = "inner-tunnel"<br> include_length = yes<br> }<br> Module: Linked to sub-module rlm_eap_peap<br> Module: Instantiating eap-peap<br>
peap {<br> default_eap_type = "mschapv2"<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> proxy_tunneled_request_as_eap = yes<br> virtual_server = "inner-tunnel"<br> }<br>
Module: Linked to sub-module rlm_eap_mschapv2<br> Module: Instantiating eap-mschapv2<br> mschapv2 {<br> with_ntdomain_hack = no<br> }<br> Module: Checking authorize {...} for more modules to load<br> Module: Linked to module rlm_realm<br>
Module: Instantiating suffix<br> realm suffix {<br> format = "suffix"<br> delimiter = "@"<br> ignore_default = no<br> ignore_null = no<br> }<br> Module: Linked to module rlm_files<br> Module: Instantiating files<br>
files {<br> usersfile = "/etc/freeradius/users"<br> acctusersfile = "/etc/freeradius/acct_users"<br> preproxy_usersfile = "/etc/freeradius/preproxy_users"<br> compat = "no"<br>
}<br> Module: Checking session {...} for more modules to load<br> Module: Linked to module rlm_radutmp<br> Module: Instantiating radutmp<br> radutmp {<br> filename = "/var/log/freeradius/radutmp"<br> username = "%{User-Name}"<br>
case_sensitive = yes<br> check_with_nas = yes<br> perm = 384<br> callerid = yes<br> }<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br>
Module: Linked to module rlm_attr_filter<br> Module: Instantiating attr_filter.access_reject<br> attr_filter attr_filter.access_reject {<br> attrsfile = "/etc/freeradius/attrs.access_reject"<br> key = "%{User-Name}"<br>
}<br> } # modules<br>} # server<br>server {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Checking authorize {...} for more modules to load<br> Module: Linked to module rlm_preprocess<br>
Module: Instantiating preprocess<br> preprocess {<br> huntgroups = "/etc/freeradius/huntgroups"<br> hints = "/etc/freeradius/hints"<br> with_ascend_hack = no<br> ascend_channels_per_line = 23<br>
with_ntdomain_hack = no<br> with_specialix_jetstream_hack = no<br> with_cisco_vsa_hack = no<br> with_alvarion_vsa_hack = no<br> }<br> Module: Checking preacct {...} for more modules to load<br> Module: Linked to module rlm_acct_unique<br>
Module: Instantiating acct_unique<br> acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br> }<br> Module: Checking accounting {...} for more modules to load<br>
Module: Linked to module rlm_detail<br> Module: Instantiating detail<br> detail {<br> detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br> header = "%t"<br> detailperm = 384<br>
dirperm = 493<br> locking = no<br> log_packet_header = no<br> }<br> Module: Instantiating attr_filter.accounting_response<br> attr_filter attr_filter.accounting_response {<br> attrsfile = "/etc/freeradius/attrs.accounting_response"<br>
key = "%{User-Name}"<br> }<br> Module: Checking session {...} for more modules to load<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br>
} # modules<br>} # server<br>radiusd: #### Opening IP addresses and Ports ####<br>listen {<br> type = "auth"<br> ipaddr = *<br> port = 0<br>}<br>listen {<br> type = "acct"<br> ipaddr = *<br>
port = 0<br>}<br>Listening on authentication address * port 1812<br>Listening on accounting address * port 1813<br>Listening on proxy address * port 1814<br>Ready to process requests.<br>rad_recv: Access-Request packet from host 192.168.1.1 port 3078, id=0, length=145<br>
User-Name = "<a href="mailto:user@example.com" target="_blank">user@example.com</a>"<br> NAS-IP-Address = 192.168.1.1<br> Called-Station-Id = "0016b6e2cc20"<br> Calling-Station-Id = "00904b1f9671"<br>
NAS-Identifier = "0016b6e2cc20"<br> NAS-Port = 56<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = 0x020000150175736572406578616d706c652e636f6d<br> Message-Authenticator = 0x8daf2ca02316bba446bc8cdbb431725b<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] Looking up realm "<a href="http://example.com" target="_blank">example.com</a>" for User-Name = "<a href="mailto:user@example.com" target="_blank">user@example.com</a>"<br>
[suffix] Found realm "<a href="http://example.com" target="_blank">example.com</a>"<br>[suffix] Adding Stripped-User-Name = "user"<br>[suffix] Adding Realm = "<a href="http://example.com" target="_blank">example.com</a>"<br>
[suffix] Proxying request from user user to realm <a href="http://example.com" target="_blank">example.com</a><br>[suffix] Preparing to proxy authentication request to realm "<a href="http://example.com" target="_blank">example.com</a>" <br>
++[suffix] returns updated<br>
[eap] Request is supposed to be proxied to Realm <a href="http://example.com" target="_blank">example.com</a>. Not doing EAP.<br>++[eap] returns noop<br>++[unix] returns notfound<br>[files] users: Matched entry user at line 51<br>
++[files] returns ok<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>++[pap] returns noop<br> WARNING: Empty section. Using default return values.<br>Sending Access-Request of id 73 to 127.0.0.1 port 1812<br> User-Name = "user"<br>
NAS-IP-Address = 192.168.1.1<br> Called-Station-Id = "0016b6e2cc20"<br> Calling-Station-Id = "00904b1f9671"<br> NAS-Identifier = "0016b6e2cc20"<br> NAS-Port = 56<br> Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br> EAP-Message = 0x020000150175736572406578616d706c652e636f6d<br> Message-Authenticator = 0x00000000000000000000000000000000<br> Proxy-State = 0x30<br>Proxying request 0 to home server 127.0.0.1 port 1812<br>
Sending Access-Request of id 73 to 127.0.0.1 port 1812<br> User-Name = "user"<br> NAS-IP-Address = 192.168.1.1<br> Called-Station-Id = "0016b6e2cc20"<br> Calling-Station-Id = "00904b1f9671"<br>
NAS-Identifier = "0016b6e2cc20"<br> NAS-Port = 56<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = 0x020000150175736572406578616d706c652e636f6d<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
Proxy-State = 0x30<br>Going to the next request<br>Waking up in 0.9 seconds.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=73, length=136<br> User-Name = "user"<br> NAS-IP-Address = 192.168.1.1<br>
Called-Station-Id = "0016b6e2cc20"<br> Calling-Station-Id = "00904b1f9671"<br> NAS-Identifier = "0016b6e2cc20"<br> NAS-Port = 56<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br>
EAP-Message = 0x020000150175736572406578616d706c652e636f6d<br> Message-Authenticator = 0x3819431fccc1316733e3aa053276a579<br> Proxy-State = 0x30<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "user", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 0 length 21<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>[files] users: Matched entry user at line 51<br>++[files] returns ok<br>++[expiration] returns noop<br>
++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Identity does not match User-Name, setting from EAP Identity.<br>[eap] Failed in handler<br>++[eap] returns invalid<br>Failed to authenticate the user.<br>Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> user<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 1 for 1 seconds<br>Going to the next request<br>
Waking up in 0.9 seconds.<br>Sending delayed reject for request 1<br>Sending Access-Reject of id 73 to 127.0.0.1 port 1814<br> Proxy-State = 0x30<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=73, length=23<br>
Proxy-State = 0x30<br>+- entering group post-proxy {...}<br>[eap] No pre-existing handler found<br>++[eap] returns noop<br>Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> <a href="mailto:user@example.com" target="_blank">user@example.com</a><br>
attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Sending Access-Reject of id 0 to 192.168.1.1 port 3078<br>Finished request 0.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>
Cleaning up request 1 ID 73 with timestamp +4<br>Cleaning up request 0 ID 0 with timestamp +4<br>Ready to process requests.<br></font><br style="font-family: courier new,monospace;">So much for working 'out-of-the-box'. Certainly this is one of the primary things that freeradius was built to do and I'm sure there are plenty of people who have gotten this to work before. I'm sure the an<br>
<br>~Huckle Berry<br><br><br><div class="gmail_quote">On Mon, Jan 18, 2010 at 1:53 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Huckle Berry wrote:<br>
> This was beginning to occur to me. Initially I ignored proxy.conf<br>
> because i figured I would never need to proxy anything, but I now see FR<br>
> proxies to itself...<br>
<br>
</div> It treats the inner tunnel session as a (largely) independent RADIUS<br>
request. This makes server design && configuration easier. It also<br>
means that FreeRADIUS has capabilities that other RADIUS servers don't have.<br>
<div><br>
> OK, I just tested this and it resulted in me DoS myself as the request<br>
> bounced back and forth between 127.0.0.1 and 192.168.1.3. This happened<br>
> both with my eap.conf and the default eap.conf. Something about there<br>
> being 200+ Proxy-State attributes.<br>
<br>
</div> So... don't do that. That proxy loop is *not* in the default<br>
configuration. It only happens when you try to force proxying for a<br>
realm to loop back to the server.<br>
<br>
Why would this *ever* be a good idea?<br>
<div><br>
> 2) in users file you include the details for the user 'user' eg<br>
><br>
> user Cleartext-Password := "password"<br>
><br>
><br>
> I'm using Certificate based authentication, with myself as the CA, so no<br>
> password should be needed correct? Or is the Password used to sign the<br>
> cert needed here?<br>
<br>
</div> No. You don't need a password.<br>
<font color="#888888"><br>
Alan DeKok.<br>
</font><div><div></div><div>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>
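As an added example, not part of this thread or of the FreeRADIUS project: a small Python triage script for <span style="font-family: courier new,monospace;">radiusd -X</span> output that flags the pattern visible in the debug log above. It reports a realm being proxied to a loopback home server (the server proxying to itself), the outer request's EAP module declining because the request is marked for proxying, and the inner request's EAP Identity no longer matching the realm-stripped User-Name. The sample transcript is condensed from the output quoted in this message; the function names, and the assumption that the line formats match FreeRADIUS 2.1.8 as shown here, are the example's own.

```python
"""Triage a FreeRADIUS 2.x ``radiusd -X`` transcript for a self-proxy loop.
Added example; line patterns follow the 2.1.8 debug output quoted in the thread."""
import re
from ipaddress import ip_address

PROXY_RE = re.compile(r'^\[suffix\] Proxying request from user (\S+) to realm (\S+)$')
HOME_RE = re.compile(r'^Proxying request (\d+) to home server (\S+) port (\d+)$')
EAP_SKIP_RE = re.compile(r'^\[eap\] Request is supposed to be proxied to Realm \S+\. Not doing EAP\.$')
RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)')
ATTR_RE = re.compile(r'^[\w-]+ = ')
USER_RE = re.compile(r'^User-Name = "([^"]*)"$')
EAPMSG_RE = re.compile(r'^EAP-Message = 0x([0-9a-fA-F]+)$')


def eap_identity(hex_attr):
    """Identity carried by an EAP Response/Identity packet (RFC 3748: code 2,
    type 1) as radiusd prints it in hex; None for any other EAP packet."""
    pkt = bytes.fromhex(hex_attr)
    if len(pkt) < 5:
        return None
    code, length, eap_type = pkt[0], int.from_bytes(pkt[2:4], 'big'), pkt[4]
    if code != 2 or eap_type != 1 or length != len(pkt):
        return None
    return pkt[5:].decode('utf-8', errors='replace')


def triage(debug_output):
    """Return a dict of findings from a radiusd -X transcript."""
    findings = {
        'proxied_realms': [],       # (user, realm) pairs the suffix module proxied
        'home_servers': [],         # (request id, ip, port) the request was sent to
        'self_proxy': False,        # a home server is a loopback address
        'eap_skipped_for_proxy': False,
        'identity_mismatches': [],  # (source host, id, User-Name, EAP identity)
        'eap_handler_failed': False,
        'access_rejects': 0,
    }
    packet = None  # attributes of the Access-Request currently being dumped

    def close_packet():
        if packet and packet['identity'] and packet['user'] is not None \
                and packet['identity'] != packet['user']:
            findings['identity_mismatches'].append(
                (packet['host'], packet['id'], packet['user'], packet['identity']))

    for raw in debug_output.splitlines():
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            close_packet()
            packet = {'host': m.group(1), 'id': int(m.group(2)), 'user': None, 'identity': None}
            continue
        if packet is not None:
            if ATTR_RE.match(line):  # still inside the packet's attribute dump
                m = USER_RE.match(line)
                if m:
                    packet['user'] = m.group(1)
                m = EAPMSG_RE.match(line)
                if m:
                    packet['identity'] = eap_identity(m.group(1))
                continue
            close_packet()       # first non-attribute line ends the dump
            packet = None
        m = PROXY_RE.match(line)
        if m:
            findings['proxied_realms'].append((m.group(1), m.group(2)))
        m = HOME_RE.match(line)
        if m:
            ip, port = m.group(2), int(m.group(3))
            findings['home_servers'].append((int(m.group(1)), ip, port))
            try:
                if ip_address(ip).is_loopback:
                    findings['self_proxy'] = True
            except ValueError:
                pass  # hostname rather than a literal address; cannot tell
        if EAP_SKIP_RE.match(line):
            findings['eap_skipped_for_proxy'] = True
        elif line.startswith('[eap] Failed in handler'):
            findings['eap_handler_failed'] = True
        elif line.startswith('Sending Access-Reject'):
            findings['access_rejects'] += 1
    close_packet()
    return findings


def explain(findings):
    """Short diagnostic lines for an operator, one per symptom found."""
    msgs = []
    if findings['self_proxy']:
        realms = ', '.join(sorted({r for _, r in findings['proxied_realms']})) or '?'
        msgs.append(f'realm(s) {realms} proxied to a loopback home server: server proxies to itself')
    if findings['eap_skipped_for_proxy']:
        msgs.append('outer request: EAP not run because the request was marked for proxying')
    for host, rid, user, ident in findings['identity_mismatches']:
        msgs.append(f'request id {rid} from {host}: User-Name "{user}" != EAP Identity "{ident}"')
    return msgs


# Constructed sample, condensed from the radiusd -X output quoted in this message.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 3078, id=0, length=145
\tUser-Name = "user@example.com"
\tEAP-Message = 0x020000150175736572406578616d706c652e636f6d
+- entering group authorize {...}
[suffix] Adding Stripped-User-Name = "user"
[suffix] Proxying request from user user to realm example.com
[eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
Sending Access-Request of id 73 to 127.0.0.1 port 1812
\tUser-Name = "user"
Proxying request 0 to home server 127.0.0.1 port 1812
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=73, length=136
\tUser-Name = "user"
\tEAP-Message = 0x020000150175736572406578616d706c652e636f6d
\tProxy-State = 0x30
+- entering group authorize {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
Sending Access-Reject of id 73 to 127.0.0.1 port 1814
Sending Access-Reject of id 0 to 192.168.1.1 port 3078
"""

if __name__ == '__main__':
    for msg in explain(triage(SAMPLE)):
        print(msg)
```

Run it against a full transcript with <span style="font-family: courier new,monospace;">radiusd -X 2>&1 | python3 triage.py</span> after swapping SAMPLE for sys.stdin.read(); the decoded EAP Identity beside the stripped User-Name shows directly why the inner-tunnel request fails once a realm loops back to the same server.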