------------------------------

Message: 5
Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
From: paul trader <fliptop@igolinux.com>
To: freeradius-users@lists.freeradius.org
Subject: pap always returns noop for windows dialup authentication
Message-ID:
        <alpine.DEB.2.02.1309231213040.7006@soundgarden.localdomain.local>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII


hi all - i've recently tried upgrading from v1 to v2.  on a centos 6.4 box
w/ all latest updates, i installed freeradius v2, added one username and
password to /etc/raddb/users:

test Cleartext-Password := "testing"

and the radtest command-line authentication works.  i then added one
client for our blade server to /etc/raddb/clients.conf:

client x.x.x.x {
   secret = xxxxx
   shortname = 3coms
}

substituting the correct ip and secret for the x's.

testing from my linux box w/ a modem, authentication works.  output from
radiusd -X shows all is well, my linux box receives an ip address and dns
servers.  relavant -X debug output shows:

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok

however, when trying to authenticate from a windows box, authentication
fails.  every time.  i've tried it from a windows xp machine and 2 windows
7 machines.  the debug output always says:

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject

i've been over and over everything a dozen times, have tried changing the
windows dialup security settings to use pap only, and also have tried
adding the following line to the users file:

Auth-Type = PAP

even though everything i've read said not to do that.  still doesn't work.
the only changes i've made to the default installation are to the users
and clients.conf files.  i have spent hours searching the internet for a
similar problem/solution and come up empty.  windows boxes will not
authenticate, pap always returns noop, and the user is rejected.

am i doing something glaringly wrong, or just going plain crazy?

regards, paul


------------------------------
Hi Paul,

Your not crazy for sure. The problem authenticating with Windows boxen is that they only support MSCHAPv2…
kudos to Microsoft.

Regards,
Rui


On 23 September 2013 18:17, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to
        freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        freeradius-users-request@lists.freeradius.org

You can reach the person managing the list at
        freeradius-users-owner@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
      Switch    Ports (Alan DeKok)
   2. FreeRadius Error " Access Rejected" Only On Some CISCO Switch
      Ports (Daniel Baker)
   3. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
      Switch    Ports (Daniel Baker)
   4. EAP-TLS Authentication (arvind132 .)
   5. pap always returns noop for windows dialup authentication
      (paul trader)
   6. Re: pap always returns noop for windows dialup authentication
      (Phil Mayers)
   7. Re: pap always returns noop for windows dialup authentication
      (paul trader)


----------------------------------------------------------------------

Message: 1
Date: Mon, 23 Sep 2013 09:18:28 -0400
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO
        Switch  Ports
Message-ID: <52403FA4.5090808@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Daniel Baker wrote:
>   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
>   [ldap] object not found
> [ldap] search failed

  What part of that is unclear?

> What can I try to fix the authentication issues so that all ports are being successfully authenticated ?

  Ensure that the people logging in have accounts in ldap.

  Alan DeKok.


------------------------------

Message: 2
Date: Mon, 23 Sep 2013 20:39:44 +0700
From: Daniel Baker <info@collisiondetection.biz>
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius Error " Access Rejected" Only On Some CISCO Switch
        Ports
Message-ID: <524044A0.8000800@collisiondetection.biz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed



Hi Guys, we are trying to get Free Radius to authenticate our users who
connect through  a Cisco Small Business POE switch.


When testing authentication with a shutdown / no shutdown command  on
port fa/17  which has an IP phone connected to it we receive  the
following errors:

FREE RADIUS :

[ldap]  expand: %{User-Name} -> root
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap]  expand: dc=citlao,dc=local -> dc=citlao,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
   [ldap] object not found
[ldap] search failed
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client
LTC-ROUTER port 2)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> root
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

CISCO POE SWITCH:


SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17

SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP
status Forwarding
23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or
password in Radius server
23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding,
aggregated (3)
23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or
password in Radius server, aggregated (1)




However when we try the same test on a port  that has a PC connected to
it we do not receive such an error.

The CISCO switch says that we have the wrong user name and the Free
Radius log says access rejected.  Why would this only be the case when
a CISCO IP phone tries to authenticate?

The Cisco switch port configurations are exactly the same and are as
follows :

  dot1x max-req 1
  dot1x reauthentication
  dot1x timeout quiet-period 30
  dot1x mac-authentication mac-only
  dot1x port-control auto
  storm-control broadcast enable
  storm-control broadcast level 10
  storm-control include-multicast
  spanning-tree portfast
  macro description "no_ip_phone_desktop     | ip_phone_desktop"
  switchport trunk allowed vlan add 100
  macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are being successfully authenticated ?


Thanks for your assistance,

Dan















------------------------------

Message: 3
Date: Mon, 23 Sep 2013 21:01:49 +0700
From: Daniel Baker <info@collisiondetection.biz>
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO
        Switch  Ports
Message-ID: <524049CD.6030303@collisiondetection.biz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Thank you Alan I will pursue that line of inquiry further.


On 9/23/2013 8:18 PM, Alan DeKok wrote:
> Daniel Baker wrote:
>>    [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
>>    [ldap] object not found
>> [ldap] search failed
>    What part of that is unclear?
>
>> What can I try to fix the authentication issues so that all ports are being successfully authenticated ?
>    Ensure that the people logging in have accounts in ldap.
>
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>



------------------------------

Message: 4
Date: Mon, 23 Sep 2013 20:15:14 +0530
From: "arvind132 ." <arvindnb1@gmail.com>
To: freeradius-users@lists.freeradius.org
Subject: EAP-TLS Authentication
Message-ID:
        <CABNrktRU1J02n-yAmcpYj8rxq5Sg79NtUf=syrYXnj06ANk3UQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
I am facing some issues with 802.1x EAP-TLS Authentication.
Please suggest any document which can help in better understanding on TLS
Authentication.
Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130923/59640d8e/attachment-0001.html>

------------------------------

Message: 5
Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
From: paul trader <fliptop@igolinux.com>
To: freeradius-users@lists.freeradius.org
Subject: pap always returns noop for windows dialup authentication
Message-ID:
        <alpine.DEB.2.02.1309231213040.7006@soundgarden.localdomain.local>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII


hi all - i've recently tried upgrading from v1 to v2.  on a centos 6.4 box
w/ all latest updates, i installed freeradius v2, added one username and
password to /etc/raddb/users:

test Cleartext-Password := "testing"

and the radtest command-line authentication works.  i then added one
client for our blade server to /etc/raddb/clients.conf:

client x.x.x.x {
   secret = xxxxx
   shortname = 3coms
}

substituting the correct ip and secret for the x's.

testing from my linux box w/ a modem, authentication works.  output from
radiusd -X shows all is well, my linux box receives an ip address and dns
servers.  relavant -X debug output shows:

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok

however, when trying to authenticate from a windows box, authentication
fails.  every time.  i've tried it from a windows xp machine and 2 windows
7 machines.  the debug output always says:

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject

i've been over and over everything a dozen times, have tried changing the
windows dialup security settings to use pap only, and also have tried
adding the following line to the users file:

Auth-Type = PAP

even though everything i've read said not to do that.  still doesn't work.
the only changes i've made to the default installation are to the users
and clients.conf files.  i have spent hours searching the internet for a
similar problem/solution and come up empty.  windows boxes will not
authenticate, pap always returns noop, and the user is rejected.

am i doing something glaringly wrong, or just going plain crazy?

regards, paul


------------------------------

Message: 6
Date: Mon, 23 Sep 2013 17:52:53 +0100
From: Phil Mayers <p.mayers@imperial.ac.uk>
To: freeradius-users@lists.freeradius.org
Subject: Re: pap always returns noop for windows dialup authentication
Message-ID: <524071E5.4090709@imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 23/09/13 17:33, paul trader wrote:

> am i doing something glaringly wrong, or just going plain crazy?

It's difficult to say, because the debug you sent has all the useful
bits trimmed out - like the original packet, and the full module
processing chain.

Send a full debug, and odds are someone will spot the issue.

Most likely is that the Windows machine is sending a different format of
username e.g. DOMAIN\user, so whatever database you're doing a lookup
for the password or hash - SQL, LDAP, files - isn't matching. But that's
a guess - post the full debug.


------------------------------

Message: 7
Date: Mon, 23 Sep 2013 13:19:04 -0400 (EDT)
From: paul trader <fliptop@igolinux.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Re: pap always returns noop for windows dialup authentication
Message-ID:
        <alpine.DEB.2.02.1309231310440.7633@soundgarden.localdomain.local>
Content-Type: TEXT/PLAIN; charset=US-ASCII

eOn Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:

PM:It's difficult to say, because the debug you sent has all the useful
PM:bits trimmed out - like the original packet, and the full module
PM:processing chain.

hi phil - ok, here's the full debug for a successful request:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37,
length=133
        User-Name = "test"
        User-Password = "testing"
        User-Password = "testing"
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        NAS-Port = 2561
        Acct-Session-Id = "167773864"
        Service-Type = Login-User
        Calling-Station-Id = "xxxxxxxxxx"
        Called-Station-Id = "xxxxxxx"
        NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 37 to x.x.x.x port 1812
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 37 with timestamp +676


and here's the full output of a failed request:

Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35,
length=121
        User-Name = "test"
        User-Password = "testing"
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = "x.x.x.x"
        NAS-Port = 2561
        Acct-Session-Id = "167773862"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "xxxxxxxxxx"
        Called-Station-Id = "xxxxxxx"
        NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 35 to 64.214.93.3 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +361

from what i can see, the successful request finds the user's entry in the
user table, but the failed request doesn't (and uses DEFAULT instead).
but the usernames passed in seem to be the same.  i don't know, we've used
freeradius for years and this is the 1st time i'm having a problem.
weird.

regards, paul


------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 101, Issue 50
*************************************************