Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
October 2008
- 173 participants
- 253 discussions
Hi all,
I am new to this service , I would like to request you that anyone has every tried the callcard system with freeradius. Is there any how to on this type.
Thanx.
Regards,
Santosh
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
1
0
well! it worked!
Now my problem is that since the notebook I get an error: "Server mistaken
identity - failed authentication"
The truth is that I followed the steps recommended me to create the
certificates, the amount to the notebooks, but the error continues.
that is, I know it is wrong license, but why?, what could be the problem?.
This is the HOWTO that I follow.
thank you very much for your time people, really.
this is my log:
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=1,
length=136
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0xa1d37d14d3ca314db3216fe7ad3213e9
EAP-Message = 0x020100090163657274
NAS-Port-Type = Wireless-802.11
NAS-Port = 257
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.0.31.40 port 1645
EAP-Message = 0x010200160410c2f88223fdf1eaa4f3067c04238d3721
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x828568e182876c44ecbe1a83334ff52d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=2,
length=151
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0xc2fb1c2d823ddbcd52324d74a0b5fed2
EAP-Message = 0x02020006030d
NAS-Port-Type = Wireless-802.11
NAS-Port = 257
State = 0x828568e182876c44ecbe1a83334ff52d
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.0.31.40 port 1645
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x828568e183866544ecbe1a83334ff52d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=3,
length=255
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x739c2fb445978b8fe22541c3b32fe49f
EAP-Message =
0x0203006e0d8000000064160301005f0100005b030148fddd7b02ee2de9cfa41a003ff5314b24e0eda43acd15432391683003cfd6e500003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 257
State = 0x828568e183866544ecbe1a83334ff52d
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 110
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 100
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0839], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.0.31.40 port 1645
EAP-Message =
0x010404000dc000000b44160301004a02000046030148fddd7dc37e19076e351405e62f436a1922fb73cf30455f894e5c4190795ae0204a154ccf97bbead151eeaf459f681421a262c4556effa79a2002e054df616e9900390016030108390b000835000832000396308203923082027aa003020102020101300d06092a864886f70d010104050030818c310b3009060355040613024152311530130603550408130c4275656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c060355
EAP-Message =
0x04031315436572746966696361746520417574686f72697479301e170d3038313031363230313733315a170d3039313031363230313733315a3073310b3009060355040613024152311530130603550408130c4275656e6f73204169726573310e300c060355040a130549504c414e311b3019060355040313125365727665722043657274696669636174653120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e617230820122300d06092a864886f70d01010105000382010f003082010a0282010100e5ed708ad7629eb1a4406955fa12ca763e4d1a5264d13c13a59d82175ef6c50a8a7c145bfbba1b2ead6e65164759
EAP-Message =
0x742a02898ebd5795851b82f8488ea091ea5066dc89e6af059571af16716d3fb1a6e272e7f651b4b594d5bbc2a8d245790865da844926416a6356691dac17f9cca14b98c59fb70a690d85527b855796def90e81472a8eac1d25f59bb7daa3911f36aa8b98a8c33eadce40371ecae6f94bde99b0116973fe2376511d7e1377bfde2ba0056ee0824130884744e341851d8c10a2ed37ad726554c87b3bb138b6f77e0d7abe640d513bc062deb0c8a2e72c60afe7e2f00a0601b201f3b36c89c5eefb9d7fdd00a43109b8a3efd02a0c4b45f7d4b10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104
EAP-Message =
0x050003820101000971fc8236218044d0674241bd4bf450c5c11a72d13d8e3aeb7b37d89f2eca83f6ac0c2a08a541ad6995b86f21d158777cb8b55eebd5f74b2809b97aa64404f67fb3d00a10008ff3d8a92c37311536bc5d6d0fd62f4ad6bcddfcc9b96fe0db9a6087be315c360edbb6333d45817ef783f2fa31071b46613c601c29a1f6187e5dbe0f8abb01ea6fdf5eece6af36e7f25d0ab0c9ae05ca422a0c367fe97df9d7eefeec739c36e88c3631af892ab0bb76e248c3aaf7bfe240e60b8eb86d95b78cc81e959debbe37be439d2c68b010dc81e06705c4142db6f88820a9284a0f12bb128802591036617a64e21b1521960de4ad6339381ae8be
EAP-Message = 0xaf5d9a281ecc5339e0450004
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x828568e180816544ecbe1a83334ff52d
Finished request 2.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=4,
length=151
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x252416bab9b6b1d85b8af4b674df9148
EAP-Message = 0x020400060d00
NAS-Port-Type = Wireless-802.11
NAS-Port = 257
State = 0x828568e180816544ecbe1a83334ff52d
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.0.31.40 port 1645
EAP-Message =
0x010504000dc000000b4496308204923082037aa003020102020900aa09a4eb699e73a6300d06092a864886f70d010105050030818c310b3009060355040613024152311530130603550408130c4275656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f72697479301e170d3038313031363230313733315a170d3038313131353230313733315a30818c310b3009060355040613024152311530130603550408130c42
EAP-Message =
0x75656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100af6a3a37df450bb00c1f30ecc060fc530881b40643e224fd853eb5e338789cb912bcecb071826a7ec4394c9c139948305fee4b3d0ac995414df5dcbda4d508af7305a7648462a0e9a11d2bdd9edb1ff348e9816035b6456edb77fa1eb0d32a778da12d839052a5fb18
EAP-Message =
0x133bf2bd62e9ad8f4923585ae3ae5f7d80b85ccb2473bd9230a9e55aa0d6938b5a41ed67fb734e20c48a4f2130b71ba5ae66c13faf5dabe29e005411fd43fef788bbc983d432a0264a995278edae38db7b32cfff8c14d9724cbc063e572bebafa57c2c7c2f972711a073f196dac82ccf3b4098d44dbcc72a7d1cffc0faa1be151dd771ded7e0815f66d10028859213044728146e9b9fb10203010001a381f43081f1301d0603551d0e041604142d644d4ab03c8babf1cec71991d94174579cdd423081c10603551d230481b93081b680142d644d4ab03c8babf1cec71991d94174579cdd42a18192a4818f30818c310b30090603550406130241523115
EAP-Message =
0x30130603550408130c4275656e6f73204169726573311430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f72697479820900aa09a4eb699e73a6300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010007dac509033ec6d101253a619dd68b1e9007f99b1516e4c743e7f144bc21d4231d1086f082432bec4309cded4a8190e99a6cb2ee55b2d83f1b3ef4dbf1ceb4cd1703825dc6fa7a6b3924b443911a9c5b7a035e
EAP-Message = 0x7c10ed5223d868feea672798
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x828568e181806544ecbe1a83334ff52d
Finished request 3.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=5,
length=151
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0xff9eb6ba3fc361ee417c8d591840b2ad
EAP-Message = 0x020500060d00
NAS-Port-Type = Wireless-802.11
NAS-Port = 257
State = 0x828568e181806544ecbe1a83334ff52d
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 5 to 10.0.31.40 port 1645
EAP-Message =
0x010603620d8000000b44154f0cb0744882ef4706ec8866c6430b2df368cefb2d469c6ba9206fd7841e146d9445d9d0da14ee2ea682cf574b6a118e729df9a84852718cb6802edd2169452bbc3509d6c7a68cc2b293aecf43a7a56a746da3b57865e8945c8531c39bd1f9ce0b576a0533c793e2787d98bf322b1d7b1f03e0b6cf82a6c80c4ca96b8bdd4a6a0ef2724a3034cc3c0f3e55bd2927a673f86ad6a8d55bd1d900ef1e73550440d3160301020d0c0002090080ad2df571269b93a787f80235487c28f730b4907620fed69ef713bb4f43d3579e11b02fbf45ab4e74cf79b5d447af0fe6805157482f2b5f8185c4cc59061e6882ab9e4dd6def073
EAP-Message =
0x6c0583158ab64a30e9a2de020c5e4f7a41b4c58149a9b110a6d3b521f30e96e82b2b43f2d0d1a699b6484f8c814f72d4fe8fc11d7943f2c6a300010200808d274ee97ca8a1539322ca1cc91663218998f3f246237c87d426f37ed5ca34e4219297a674b10bd0b2bad77050600c858d955abb3f5436b99f2182fb607330679a0fe893820631e51a809fe023f6e08c821c6eca3852849a5d73b5cf1dcd0b71ed6fbd57b0c492c83c313f2104812f2c5fa6ec3627ed7d2c87c0c8275fd2854f010007eb93c25d6e901a560299fc10a1b3ddb4f98c351a95f6442a02bb7ac314af82cc9d2e475c5e5fe0673fdddfe7962dca24183d4bc1e64738f0fb7ac4a5
EAP-Message =
0x1f2cf4ac73dfea488a0f4be5678893c1b0be7343f290ec5f5a9ccf4f93893aecb5ad34e5de809849e6d0e61a1ad2944c8d0905eafaf74c046f5e338ecd30b1f3bfd001dc8aff4772cb307e0d87f6a6753767c0d207525cba695cce41a7031596db606fe2c644a8607c31404d7e09336b02e640bc6fd3823871cc1294587936547522651f2d52fc1c4bbdbe5e637bda47b37ccd47e7c29f3f93533b3e7161343924ea63417efc93e16618ab84d87dc74a199dac734719e5db4faecf80ca10a56f0e581016030100a00d00009804030401020091008f30818c310b3009060355040613024152311530130603550408130c4275656e6f7320416972657331
EAP-Message =
0x1430120603550407130b5265636f6e717569737461310e300c060355040a130549504c414e3120301e06092a864886f70d0109011611636572744069706c616e2e636f6d2e6172311e301c06035504031315436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x828568e186836544ecbe1a83334ff52d
Finished request 4.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=6,
length=162
User-Name = "cert"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x7cdb2e5ab2d1ba0debf2dbe363ba0b9e
EAP-Message = 0x020600110d80000000071503010002022a
NAS-Port-Type = Wireless-802.11
NAS-Port = 257
State = 0x828568e186836544ecbe1a83334ff52d
NAS-IP-Address = 10.0.31.40
NAS-Identifier = "ap"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "cert", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 6 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 7
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
bad certificate
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> cert
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 6 to 10.0.31.40 port 1645
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5.
2
1
ok, but according to my file "eap.conf" I have enabled "TLS" and "MD5" is
disabled, give it a look:
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
#default_eap_type = md5
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
#timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
#ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
#md5 {
#}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# Otherwise, when the server first starts in debugging
# mode, test certificates will be created. See the
# "make_cert_command" below for details, and the README
# file in raddb/certs
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
tls {
#
# These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = testing123
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same
directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path = /path/to/directory/with/ca_certs/and/crls/
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# check_cert_issuer =
"/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# This configuration entry should be deleted
# once the server is running in a normal
# configuration. It is here ONLY to make
# initial deployments easier.
#
# make_cert_command = "${certdir}/bootstrap"
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
#ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
# default_eap_type = md5
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
# copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
# use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
# virtual_server = "inner-tunnel"
#}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of
MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
}
}
2
1
Hi again,
I'm trying to get FreeRadius to work with Heimdal Kerberos, so I can use
it to authenticate my login on my HP-switch.
I have searched and read a lot on the internet but I can't find anything
useful, and now I am really lost.
########################################
My environment
########################################
Ubuntu Linux 8.04
FreeRadius 1.1.7-1build4
Heimdal-kdc 1.0.1-5ubuntu4
########################################
My configuration
########################################
###############
Server
###############
# Installed software and followed the configuration guide
apt-get install freeradius heimdal-kdc heimdal-kcm
# Configured Heimdal Kerberos
# Creating the database
kadmin -l
kadmin> init ONE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
# Add user to database; here rofe
kadmin> add rofe
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
rofe(a)ONE.COM's Password:
Verifying - rofe(a)ONE.COM's Password:
kadmin> exit
# Opened ports in firewall
kerberos 88 UDP Default configuration
kerberos 88 TCP Alternative configurations for usage with firewalls see
below
# Added DNS in /etc/hosts
127.0.0.1 rofe.one.com
# Test configuration
kinit rofe
klist rofe
kdestroy
# It works, I get a ticket.
# Making service principal 'radius' and keytab file used by the switch
kadmin -l
kadmin> add radius
# ext_keytab --keytab=<keytab-file> <principal>
kadmin> ext_keytab --keytab=/etc/krb5.keytab radius/rofe.one.com
# Edit /etc/freeradius/radiusd.conf to use Heimdal Kerberos
# Add the following lines in the authenticate section
Auth-Type Kerberos {
krb5
}
# Edit /etc/freeradius/radiusd.conf
# Add the following lines in modules section
krb5 {
# keytab containing the key used by rlm_krb5
keytab = /etc/krb5.keytab
# principal that is used by rlm_krb5
service_principal = radius/rofe.one.com
}
# Edit the /etc/freeradius/clients.conf
# Add the switch as a client
client 192.168.212.4 {
secret = 123456 # Secret also configured on the switch
- radius-server key <Unique Key>
shortname = ProCurve2650 # Hostname of the swich
nastype = other # Type of NAS (Radius Client)
}
#####
Now if I start FreeRadius with /usr/sbin/freeradius start -X and try to
login on the switch I get this:
# Output from FreeRadius -X startup #
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
krb5: keytab = "/etc/krb5.keytab"
krb5: service_principal = "radius/rofe.one.com"
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
#####
And when I try to login from HP-switch with:
user: rofe
password: 123456
# Output from FreeRadius -X when login attempted #
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=59,
length=94
User-Name = "rofe"
User-Password = "123456"
NAS-IP-Address = 192.168.212.4
NAS-Identifier = "ProCurve2650"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Message-Authenticator = 0x4bb4032f84e185d55eb0f3683b0ab051
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_unix: [rofe]: invalid password
modcall[authenticate]: module "unix" returns reject for request 2
modcall: leaving group authenticate (returns reject) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 59 to 192.168.212.4 port 2841
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 59 with timestamp 48fd9cdd
Nothing to do. Sleeping until we see a request.
#####
This says that my realm is not found at all:
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
And when I try to login from HP-switch with:
user: rofe(a)ONE.COM
password: 123456
# Output from FreeRadius -X when login attempted #
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=58,
length=102
User-Name = "rofe(a)one.com"
User-Password = "123456"
NAS-IP-Address = 192.168.212.4
NAS-Identifier = "ProCurve2650"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Message-Authenticator = 0x56710301a172a54c62ae1441046e0b4e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "one.com" for User-Name = "rofe(a)one.com"
rlm_realm: No such realm "one.com"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 58 to 192.168.212.4 port 2841
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 58 with timestamp 48fd9c82
Nothing to do. Sleeping until we see a request.
#####
This says that my realm ONE.COM is not found:
rlm_realm: Looking up realm "one.com" for User-Name = "rofe(a)one.com"
rlm_realm: No such realm "one.com"
If I try with my local linux user rofe/password I get this output:
# Output from HP-switch #
Please Enter Login Name: rofe
Please Enter Password:
Access denied: no user's privilege level supplied by the RADIUS server
# Output from FreeRadius -X when login attempted #
rad_recv: Access-Request packet from host 192.168.212.4:2841, id=64,
length=94
User-Name = "rofe"
User-Password = "<password removed>"
NAS-IP-Address = 192.168.212.4
NAS-Identifier = "ProCurve2650"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Message-Authenticator = 0x05c11e9f7c12361b373504a377975f99
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 7
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 7
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 7
modcall: leaving group authorize (returns ok) for request 7
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
modcall[authenticate]: module "unix" returns ok for request 7
modcall: leaving group authenticate (returns ok) for request 7
Sending Access-Accept of id 64 to 192.168.212.4 port 2841
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 64 with timestamp 48fd9d9c
Nothing to do. Sleeping until we see a request.
#####
Where FreeRadius seems to accept me?:
Sending Access-Accept of id 64 to 192.168.212.4 port 2841
But it still can't find my realm:
rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL
rlm_realm: No such realm "NULL"
# My Heimdal Kerberos configurations files #
# /etc/krb5.conf #
[realms]
ONE.COM = {
kdc = rofe
admin_server = rofe
}
###############
HP-switch configuration
###############
radius-server host 192.168.212.93
radius-server key 123456
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication login privilege-mode
###############
Debugging
###############
I have tried to debug it myself using these guidelines:
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#Debugging_it_yours…
Step 7-8 gives me:
root@rofe:/etc/freeradius# radtest bob bob localhost 0 testing123
Sending Access-Request of id 134 to 127.0.0.1 port 1812
User-Name = "bob"
User-Password = "bob"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=134,
length=32
Reply-Message = "Hello, bob"
If I try with my Kerberos user I get this:
root@rofe:/etc/freeradius# radtest rofe 123456 localhost 0 testing123
Sending Access-Request of id 152 to 127.0.0.1 port 1812
User-Name = "rofe"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=152,
length=20
And if I try with my local linux user I get this:
root@rofe:/etc/freeradius# radtest rofe <password removed> localhost 0
testing123
Sending Access-Request of id 162 to 127.0.0.1 port 1812
User-Name = "rofe"
User-Password = "<password removed>"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=162,
length=20
####################
It looks to me that FreeRadius is not using Kerberos to authenticate
users? It cant seem to find the realm, I have even tried to make another
user, with a username different of my local linux user, but I get the
same error, that the realm ONE.COM is not found.
As said in the beginning, I have searched the internet and read a lot,
but can't find anything useful.
Any help to get this to work is appriciated!
- Ronni
3
3
Hi I am a newbie and recently would like to try to experience freeradius-server-2.0.4 but unfortunately I have problems can't solved.
The freeradius is running ok but when attempt to authenticate the server is just not responding to clients request.
I am running RHEL 4 . the server has two ethernet card..eth0 for client authentication, eth1 with DNS, iptables.
here the debug output:
#netstat -a
netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32769 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 localhost.localdomain:783 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 svr1.marind.com:domain *:* LISTENvr
tcp 0 0 192.168.0.10:domain *:* LISTEN
tcp 0 0 localhost.localdomai:domain *:* LISTEN
tcp 0 0 localhost.localdomain:ipp *:* LISTEN
tcp 0 0 *:squid *:* LISTEN
tcp 0 0 localhost.localdomain:smtp *:* LISTEN
tcp 0 0 localhost.localdomain:rndc *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
tcp 0 0 svr1.marind.com:32858 10.subnet125-160-16.ak:http ESTABLISHED
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
udp 0 0 *:32768 *:*
udp 0 0 *:32769 *:*
udp 0 0 *:32772 *:*
udp 0 0 svr1.marind:netbios-ns *:*
udp 0 0 192.168.0.10:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 s1.marin:netbios-dgm *:*vr
udp 0 0 192.168.0.1:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 192.168.0.10:radius *:*
udp 0 0 192.168.0.1:radius-acct *:*
udp 0 0 192.168.0.10:1814 *:*
udp 0 0 srv1.marind.c:domain *:*
udp 0 0 192.168.0.10:domain *:*
udp 0 0 localhost.locald:domain *:*
udp 0 0 *:icpv2 *:*
udp 0 0 *:958 *:*
udp 0 0 *:bootps *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:ipp *:*
udp 0 0 *:32770 *:*
raw 0 0 *:icmp *:*
#radiusd -X
FreeRADIUS Version 2.0.4, for host i686-pc-linux-gnu, built on May 15 2008 at 21:44:23
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
netmask = 32
require_message_authenticator = no
secret = "testing123"
shortname = "svr1.marind.com"
nastype = "portslave"
}
client 192.168.0.0/24 {
require_message_authenticator = no
secret = "testing123-1"
shortname = "sb"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "Mars123"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.0.10
port = 0
}
listen {
type = "acct"
ipaddr = 192.168.0.10
port = 0
}
Listening on authentication address 192.168.0.10 port 1812
Listening on accounting address 192.168.0.10 port 1813
Listening on proxy address 192.168.0.10 port 1814
Ready to process requests.
_________________________________________________________________
4
8
21 Oct '08
Hi
I am trying to use EAP-TLS between wpa_supplicant and freeradius. I created the
certificates (ca/server/client) as mentioned in
freeradius-server-2.0.5/raddb/certs/README. In
freeradius-server-2.0.5/raddb/users, following line is added at end: testuser
Cleartext-Password := "password"
On wpa_supplicant-0.5.10, created eapol_test.conf.tls with following contents:
network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/testuser(a)example.com.pem"
private_key="/usr/local/etc/raddb/certs/client.key"
private_key_passwd="whatever"
}
Executed wpa_supplicant (eapol_test) with following command (wpa_supplicant side
logs are after radius logs at end):
eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1
On executing /usr/local/sbin/radiusd -X, I get following log and error too:
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, length=124
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x267673582677771a69809cb3876d58ea
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02010006030d
State = 0x267673582677771a69809cb3876d58ea
Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735827747e1a69809cb3876d58ea
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, length=236
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0202006b0d0016030100600100005c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca
77a38aaea1b9788b532d00003400390038003500160013000a00330032002f006600050004006300
62006100150012000900650064006000140011000800060003020100
State = 0x2676735827747e1a69809cb3876d58ea
Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 107
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a7], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 32770
EAP-Message =
0x010304000dc000000b70160301004a0200004603014874ff7af840e0ce0c0562387841cbf363e6
be64f8dd2def0915579fb271a7d320bc89e200ccdb1ad9ae9498442013c69878623fb1e470357891
b9df6651cbf029003901160301085e0b00085a0008570003a6308203a23082028aa0030201020201
01300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d06035504
0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c
4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d70
6c652e636f6d3126302406035504
EAP-Message =
0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d303830
3730393138313131375a170d3039303730393138313131375a307c310b3009060355040613024652
310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e
312330210603550403131a4578616d706c6520536572766572204365727469666963617465312030
1e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a
864886f70d01010105000382010f003082010a0282010100c296eb2d169b654435a174fd8ead1b26
d65b1298d9a7bcc561a051d2b667
EAP-Message =
0x28a6c693620ce3c06c032ebe4dbeedff9020f24d06430433091b7e9762575c12fdb988ad5d6dfe
e570df9a0aa1ce55de2d308c162bbcf917c8441071ea895cfb102721f2a5059f402317457a104650
b4fea1975e04fb83fc4d0a2cf72167830d5281398c981ac2f27370a34aa49b07e007fa955ebf187a
8fd476174e7493ffa02bf466b07846382b4eaf03551fef5ca60ab3fc3aa19983aeb5015147ed3317
f659f0355a43091eb19ab0c4a8d07651627d1fad596cc5ee44fa2ccfcd92d6c63d778a9d958a6ca4
a02409c546d3b8400928e1b635c26ef5ab7fc54b68b8aa2e98b2830203010001a317301530130603
551d25040c300a06082b06010505
EAP-Message =
0x070301300d06092a864886f70d01010405000382010100095935837d63c395fca941ae947c03fa
c66f843b37c9969c2f46cb8b26348bfbd6348ac0d13b6a752886f1e83579122942dd8d0ab6b27578
49735dccfd82d06d3a07d1a2de3097c76cbb431042062e26df240d5d40ada6bc999bade14ebc0661
362f9a7f8644943e78a29e329c67ec32cf393205408021e56e461ce3320127b27df474f4c37be7cc
cf46754c32ee8243500a194759ba6c5b2fcd563117b2ea94b9c63eb1678ff836afd92118a98b93fc
51992e9de619a9c7576fe3cae6a1e9988a2b10b0685ca7e58e5b100ec0817d511f34f59f794bcde2
5c247259a57ab8b1d686fce7c7cd
EAP-Message = 0x3f8d16472d4a3eb1ee492fd3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735824757e1a69809cb3876d58ea
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=3, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
State = 0x2676735824757e1a69809cb3876d58ea
Message-Authenticator = 0x86f3e31b265162f7716d461a9aae98f2
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 32770
EAP-Message =
0x010404000dc000000b70bf312a81c68194ac03b073abf2410004ab308204a73082038fa0030201
02020900ac4ad85feeea230a300d06092a864886f70d0101050500308193310b3009060355040613
024652310f300d060355040813065261646975733112301006035504071309536f6d657768657265
31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d0109011611
61646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657274
6966696361746520417574686f72697479301e170d3038303730393138313131325a170d30383038
30383138313131325a308193310b
EAP-Message =
0x3009060355040613024652310f300d060355040813065261646975733112301006035504071309
536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a86
4886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861
6d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d
01010105000382010f003082010a0282010100ccff47e75ebf3d06a9472810c0352b254cca71cbb5
2cb8202d29ae967c715640e4d2b6c3e60641c4d54fdc03fe6ebdfb1953dc1b8c1f44202cf488249d
37f2b7902efdf546fabb283a9653
EAP-Message =
0xfa065f9b063843f36456ac437df7cefeaad4d44004939d63ae9c4df03f1b856d8340ab4e6317a1
11aecfd860639f0056069404c4d2f9f10e9048b10f4bd65dfe2a61470543b7b323895dfbb54053f8
4cb0417f5eafdf8aa236a2afea06047be624e1f7b85e757be3749e6946439ad4e85de0d4f66f35e1
a4ee8258727033035877b43232c0697a2baf3d09e8aa337366b1cbbccf72a509b977d426d546c7b1
65f873308f0a6964f430ee01b74cc0a561d9869fd84f0203010001a381fb3081f8301d0603551d0e
041604141c71c3ab8dbd86f36bbf4b24d5b72d291bc88aaf3081c80603551d230481c03081bd8014
1c71c3ab8dbd86f36bbf4b24d5b7
EAP-Message =
0x2d291bc88aafa18199a48196308193310b3009060355040613024652310f300d06035504081306
5261646975733112301006035504071309536f6d65776865726531153013060355040a130c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e
636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72
697479820900ac4ad85feeea230a300c0603551d13040530030101ff300d06092a864886f70d0101
05050003820101005925971768cfc1bb8f4b1dd4b9d0abd84cca91dc19d344451da159ae0925f192
4022b20ea548d56947a26c987dc0
EAP-Message = 0xfb36d1078bef2f36de91d2b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735825727e1a69809cb3876d58ea
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=4, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400060d00
State = 0x2676735825727e1a69809cb3876d58ea
Message-Authenticator = 0xd88cda63a2776910572007659978dff0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 32770
EAP-Message =
0x0105038e0d8000000b7083ce8bd2a2e5a3df721979638d83518a19e079bf804773b82753a039b6
b053a357acb9d1954ecb25330390d4d54583a6fdeb74f039f492238f8d93bdc53d3acc2366af2771
253c218dbc3a006b911f1e4bb6fd491b99ed05b1520cf14d08d12119b177f754cae89d065edb4868
0f35d8df3c0e7fcec9c6e84d52a1136f7a56a90f539addc1ad3c44e25de731f0443844dbfe83d043
2ad61f7ed89184a407e0b41a9ffbc0389637071d937e63e136311e467b914839fd7382c216734b1d
e93368e4fb6b2303f4160301020d0c0002090080b3afe7fd33f61741e813a2a82d3e2e44f4e3a6cb
a8ba274ff2a14cdee764e7ec4e45
EAP-Message =
0x4df9c4b18aa0bb45b4dcbe5022790ed79559ec10e6b017165192ca92ee664df49dd6de389d1eba
0400804b550239ffca80cdd27f3cc0ce1fc851463b672a8e260e415d3d3a40e8ae5102105bddc30b
8c1a3031af0bc0a78b4ea69f5e66630001020080a0cc4357af8865d129c3e7c20c4283e7a4a4c522
e23e0f3cb9b462c2923ea92c3a2781665e6d1fe4096f9832e39c33424106d2429f569da06ac67c9b
0800351a1b7c512cd541edf0a135330412dbccd37885e35ce75111476fe045e0a85c70abf40a3008
9c4d4302179e1f084bffe853b1845c99010515a1970a03a87449615a010060149cd09ea980ec82c5
5cfe09857dbb7c5811f45c64e0fe
EAP-Message =
0x9d59d03e704806e99f1cb29f0286c1015c81d7824e617a53bd69dacefe51425fec76315ad4861b
81d8aff93491a3b7a18988a9a9ee16acba071272b143c7bb8106d29ac8e6087a066498b3f47cf216
fb2a96f19d7ccd8459646ed27ce02852c2c402000778e68ec419b9f14059fea1eaaad700a5c1d71f
8ba516d820a6b0520e9a808736de80b97588f6b72b6b405b1f8a5a8779e01cd882c352aabb41e4a6
0fd2e4c64382e2a12deb09e8fb2caaa26a86aec4606044a283b9d20b0bf2637a953e8716d0b90958
aebeb9995898714edb927fb52e51c4a1a2ff1157ae26402265dbbbb03f99e23f2416030100a70d00
009f040304010200980096308193
EAP-Message =
0x310b3009060355040613024652310f300d06035504081306526164697573311230100603550407
1309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609
2a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d45
78616d706c6520436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735822737e1a69809cb3876d58ea
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=5,
length=1532
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020505710d0016030103950b00039100038e00038b308203873082026fa003020102020102300d
06092a864886f70d0101040500307c310b3009060355040613024652310f300d0603550408130652
616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a45
78616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901
161161646d696e406578616d706c652e636f6d301e170d3038303730393138313132345a170d3039
303730393138313132345a3079310b3009060355040613024652310f300d06035504081306526164
69757331153013060355040a130c
EAP-Message =
0x4578616d706c6520496e632e311d301b060355040314147465737475736572406578616d706c65
2e636f6d3123302106092a864886f70d01090116147465737475736572406578616d706c652e636f
6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b510efbf58ad
201585beac3f327bba71b761612df254a3e44ffe4f5a182852e2a64d11912ca27013be01dae059ef
3d8a9b2ca7a81c9da01b2291b6e38f07339c7668c6b7ce6c936bef181c33c16d5c34e17b0c878648
bb73199645bb81febb577aff69f4881080ea593f31b5efcccebd3772dda5666a5e139a38e89b9ca1
3712462098dbfc5c526253985609
EAP-Message =
0x583e54d9d74b9b263cda9647c523d9922c1992736d176c3b869b373a9824a8c046dfd49118a90d
5c8e9504cae9209d8254c31f98c3979a307f0515e88e820c29c9092c0de6c9af76c9a1bc8eee37ae
a8d047bf8c1af257f42b550932995e5083364a7e185a62de08976e2ca45d334231109eeaf7020301
0001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104
0500038201010085cf673c6dd1deb8648e0589573c0e55e286ba9f3ef23a3882fbe024a5c54aeef5
10e96f36291f0172deb8bcf2b8ce9e6517a143c658e8fb24c80a7936138c5e6f7dda3ca8b33e4600
a1cb92c2f079793304c0ddc296c4
EAP-Message =
0x015d6d73cdae8f32eea68667d9cf33a6ad8c5e38a0ffbda541b5b789ffd0cd2b4de23592384ee2
3e154ea629f1a3743fcba443f8e6d355411d310f787d6551c413af2eccfabc2b28e9e786fd78cb32
50a0ca2cd0adf11d8045d03ea0cca6b28d5c498c0965a238b05ccf7cadc3946ee0c42d65594ca337
8ecd205c74b42b5f9c060287639e4cf76f5003ec0d3723abd391f4693556553f5aaac2684a2bb808
e2a2cf16b425c9736e1c16030100861000008200803d7d38a765634fe46cd97911bbb0826fd6bb31
7dc04dbb7ca60c2d352f4a9be2f147f261ccf2d7c5e05b85783810260ddaed3c3772fcceab264dd8
daf8a4467e6a6729a7152dabe5a4
EAP-Message =
0x4c2375c148a15096de5c28842d80507318656b36edc71772326fd6fddbc6dbb9d5476332d561de
95d1a40b59779113ada15e6b466977eb16030101060f00010201003fcdbdf9a53a3f14ce87dbc345
68e1cc53d78b24457c12a7be38fc6e07932f6a253fc07cf73579bc7dbb98eeaf91076ba912ff6fe2
f6bfc1d2803974757922cd8fa5142f870aae126053adf7b4c7456bb431a174446775b7e9f78fcfb0
925edee9a12cf5a76fc6ef7fdf983adeb3ec234d89af9e7298602df31a4febaa1c9aa039c3142ec5
7416c3771b1ae8934b1444dda9e28b932ae8ff1a22aae98ceb9f2d7a9caac9efb16c01a4cd3dadda
86513428a3bd3a11b262eaa750dc
EAP-Message =
0xd50749f461997927394171b785ff74c98d883674fc8035287993a279f1ffa72b9c4cbc6b96fcaa
d6e5daaca7bd9aca988c6a8b3c487bd1e5cc73dd3c3c59f8ec39549ebeb614030100010116030100
30f1c1d6ee34104fca2869c989529493079d85690315b83299b5d9567823fea467b507af2267dd69
305c7d35d7809adf12
State = 0x2676735822737e1a69809cb3876d58ea
Message-Authenticator = 0xcc6ace4662072c78666cb7d873d7a354
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
--> verify error:num=20:unable to get local issuer certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 5 to 127.0.0.1 port 32770
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5.
Going to the next request
Waking up in 4.4 seconds.
Cleaning up request 0 ID 0 with timestamp +4
Cleaning up request 1 ID 1 with timestamp +4
Cleaning up request 2 ID 2 with timestamp +4
Cleaning up request 3 ID 3 with timestamp +4
Waking up in 0.1 seconds.
Cleaning up request 4 ID 4 with timestamp +4
Waking up in 0.2 seconds.
Cleaning up request 5 ID 5 with timestamp +5
Ready to process requests.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
wpa_supplicant logs (copying only FAILURE logs seen at end)
++++++++++++++++++++++++++++++++++++++++++++++++++++++
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=5 length=44
Attribute 79 (EAP-Message) length=6
Value: 04 05 00 04
Attribute 80 (Message-Authenticator) length=18
Value: 7a 61 25 5b 8e cd 44 3b 18 b1 af e3 82 fd 32 5d
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request,
round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 2
FAILURE
Regards,
Gaurav Kansal
3
5
dude, can you forward this to scott, i dont have any of his emails in gmail
for some strange reason.
shot,
g.
---------- Forwarded message ----------
From: Christo Smith (C) <SmithC(a)telkom.co.za>
Date: Tue, Oct 21, 2008 at 8:52 AM
Subject: RE: recover lvm
To: Graeme Crawford <graeme.crawford(a)gmail.com>
Hi Grame,
Please send this to Scott
Christo Smith
Telkom - ISP
Tel: 012 680 7001 Fax: 088 012 324 5693 (please use the fine option)
eMail:* **smithc(a)telkom.co.za*
TelkomInternet technical support center 10215 or support(a)telkomsa.net
TelkomInternet commercial - iDirect 10215
CyberTrade support center 0800578578
------------------------------
*From:* Graeme Crawford [mailto:graeme.crawford@gmail.com]
*Sent:* 20 October 2008 06:46 PM
*To:* Francois Pieterse (F); erick(a)staff.telkomsa.net; Christo Smith (C)
*Subject:* recover lvm
Hi,
dd if=/dev/null of=/block/device bs=512 count=1, then run restore, then
rescan your luns that should sort you out, first test this though ie: pv,
vg,lv with data then parted the disk, then try recover, we did this not to
long ago at a client and it sorted their issue out.
lemme know if your try it.
g.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is subject to the Telkom SA electronic communication legal
notice, available at :
http://www.telkom.co.za/TelkomEMailLegalNotice.PDF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1
0
I'm getting ready to implement EAP-TLS for 802.1x port authentication. Everything works great in my testing environment and I'm very happy with it. However, before we roll it out into production, I must write a set of recovery procedures. In these procedures I need to include a section on the (admittedly very rare) chance that authentications start failing across the board for some reason - for example, if we accidently let a bunch of the user certificates expire, all of those machines will fail port-authentication until the certificates are replaced. My management would like a way to force authorization to succeed even if EAP has actually failed.
My thought is to use a module that really does nothing but authenticate and authorize everything it sees. I've investigated the rlm_always, rlm_exec and rlm_perl modules but I can't seem to figure out how to do anything but report "handled" or "ok." This does not seem to result in an Access-Accept message being sent.
Any suggestions?
I'm using the latest FreeRadius 2 - the config files are unchanged except for the eap.conf (to specify the Root cert and server cert) and I am using a sparse sites-enabled file:
client x.x.x.x {
secret = secret
server = EAP_Server
}
server EAP_Server {
authorize {
eap
}
authenticate {
eap
}
7
22
Hi,
I am very new to radius and need help to confirm the following.
I have an existing radius server running on Cisco ACS 4.2. In the current
configuration, all users are configured using priv ID 15. I wanted to setup
a proxy radius, where the proxy will relay an authentication and
authorization request to the Cisco ACS, but when relaying back the
authentication and authorization message back to the clients, I want to
overwrite the priv ID with something other than 15 (for eg, user XXX -> priv
14, user YYY -> priv10, etc).
Is there a way for me to do that? Or is this behavior is actually prohibited
by the standards?
Thanks in advance,
LMR
2
1
Hi Ivan,
Actually there are two attributes, and the values of attributes are not
static - they vary based on the NAS-IDentifider attribute values.
(I can set up VSA to send static values - just the dynamic part, I dont have
good ideas).
Thanks for the help.
BC
<freeradius-users(a)lists.freeradius.org>
>If it's just one attribute why bother with VSA. Use Reply-Message.
>Create DEFAULT entries in users file to send replies.
>Ivan Kalik
>Kalik Informatika ISP
Dana 20/10/2008, "A BlueCoder" <[EMAIL PROTECTED]> piše:
>On Mon, Oct 20, 2008 at 12:09 AM, A BlueCoder <[EMAIL PROTECTED]>wrote:
>
>> Hi,
>>
>> I have a need to implement Vendor-Specific Attributes using a FreeRadius
>> approach (version 0.9.3 on Solaris).
>>
>> I understand probably rewriting a rml module would solve this problem and
>> probably the most effective way. However, given the shortage of time, i
>> would like to explore configuration options (without code writing) if
>> possible.
>>
>> Here are the requirements:
>>
>> 1. Access-Request Requests;
>>
>> 2. Request Attributes -- with VSA (implemented with a Vendor-specific
>> dictionary).
>>
>> 3. Response Attributes -- with VSA (implemented with a Vendor-specific
>> dictionary).
>>
>> 4. There is a map from attributes in (2) to (3), which is what i am
trying
>> to implement.
>>
>> e.g.
>>
>> If the request NAS-IP-Address = 111.111.111.111, i would like to
response
>> with attribute: VSA1 = 10000001,
>> If the request NAS-IP-Address = 111.111.111.112, i would like to
>> response with attribute: VSA1 = 10000002,
>> If the request NAS-IP-Address = 111.111.111.113, i would like to
>> response with attribute: VSA1 = 10000003,
>> If the request NAS-IP-Address = 111.111.111.114, i would like to
>> response with attribute: VSA1 = 10000004,
>>
>> etc....
>>
>> What's the best way which i can configur without writing a full-fledge
rlm
>> module?
>>
>> Thanks in advance,
>>
>> BC
>>
>>
>>
>>
>
>
2
1