--
Cornelius Kölbel
Http://www.lsexperts.de
LSE Leading Security Experts GmbH
Tel: +49 6151 9067-252, mobil: +49 160 96307089
Unternehmenssitz: Weiterstadt
Geschäftsführer: Oliver Michel, Sven Walther, Dr. Peter Schill


Am 07.06.2012 um 14:36 schrieb "Morris, Andi" <amorris@cardiffmet.ac.uk>:

It pains me to send this to the list as I know I’m going to get shot down for missing something obvious, but I simply can’t think of where else I need to set this up.

I’m moving my web proxy servers from ISA to TMG and need to declare the TMG servers in my freeradius servers so that they accept NATed requests from my MS IAS servers.  I have added the new servers to /etc/raddb/clients.conf in the same way as the ISA servers were, and entered a shared secret (simple to try and help debug this).  I have then added the same servers to my clients list in MS IAS with the same shared secret.

 

The problem is that the FR server is reporting a shared secret mismatch when requests come from the new servers:

rad_recv: Access-Request packet from host 4.4.4.4 port 62463, id=1, length=211

Received packet from 4.4.4.4 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.

Going to the next request

 

I have typed and retyped the shared secret several times on both FR and IAS sides of the conversation.  Is there anywhere else in FR I need to declare the new servers that I have missed, or do I need to concentrate the efforts to the IAS servers?

Full debug output with masked details below:

FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License v2.

Starting - reading configuration files ...

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/modules/

including configuration file /etc/raddb/modules/policy

including configuration file /etc/raddb/modules/smsotp

including configuration file /etc/raddb/modules/counter

including configuration file /etc/raddb/modules/digest

including configuration file /etc/raddb/modules/detail.log

including configuration file /etc/raddb/modules/detail

including configuration file /etc/raddb/modules/detail.example.com

including configuration file /etc/raddb/modules/realm

including configuration file /etc/raddb/modules/attr_rewrite

including configuration file /etc/raddb/modules/chap

including configuration file /etc/raddb/modules/exec

including configuration file /etc/raddb/modules/mschap

including configuration file /etc/raddb/modules/radutmp

including configuration file /etc/raddb/modules/passwd

including configuration file /etc/raddb/modules/linelog

including configuration file /etc/raddb/modules/unix

including configuration file /etc/raddb/modules/expiration

including configuration file /etc/raddb/modules/ippool

including configuration file /etc/raddb/modules/mac2vlan

including configuration file /etc/raddb/modules/mac2ip

including configuration file /etc/raddb/modules/preprocess

including configuration file /etc/raddb/modules/logintime

including configuration file /etc/raddb/modules/pam

including configuration file /etc/raddb/modules/perl

including configuration file /etc/raddb/modules/checkval

including configuration file /etc/raddb/modules/pap

including configuration file /etc/raddb/modules/attr_filter

including configuration file /etc/raddb/modules/smbpasswd

including configuration file /etc/raddb/modules/sql_log

including configuration file /etc/raddb/modules/inner-eap

including configuration file /etc/raddb/modules/expr

including configuration file /etc/raddb/modules/always

including configuration file /etc/raddb/modules/echo

including configuration file /etc/raddb/modules/etc_group

including configuration file /etc/raddb/modules/files

including configuration file /etc/raddb/modules/cui

including configuration file /etc/raddb/modules/wimax

including configuration file /etc/raddb/modules/otp

including configuration file /etc/raddb/modules/acct_unique

including configuration file /etc/raddb/modules/sqlcounter_expire_on_login

including configuration file /etc/raddb/modules/sradutmp

including configuration file /etc/raddb/eap.conf

 

including configuration file /etc/raddb/policy.conf

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/eduroam

group = radiusd

user = radiusd

including dictionary file /etc/raddb/dictionary

main {

        prefix = "/usr"

        localstatedir = "/var"

        logdir = "/var/log/radius"

        libdir = "/usr/lib/freeradius"

        radacctdir = "/var/log/radius/radacct"

        hostname_lookups = no

        max_request_time = 30

        cleanup_delay = 5

        max_requests = 1024

        allow_core_dumps = no

        pidfile = "/var/run/radiusd/radiusd.pid"

        checkrad = "/usr/sbin/checkrad"

        debug_level = 2

        proxy_requests = yes

log {

        stripped_names = no

        auth = no

        auth_badpass = no

        auth_goodpass = no

}

security {

        max_attributes = 200

        reject_delay = 0

        status_server = yes

}

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

        retry_delay = 5

        retry_count = 3

        default_fallback = yes

        dead_time = 120

        wake_all_if_all_dead = no

}

 

home_server server01 {

        ipaddr = x.x.x.x

        port = 1812

        type = "auth+acct"

        secret = "testing123"

        response_window = 20

        max_outstanding = 65536

        zombie_period = 40

        status_check = "none"

        ping_interval = 30

        check_interval = 30

        num_answers_to_alive = 3

        num_pings_to_alive = 3

        revive_interval = 60

        status_check_timeout = 4

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

}

home_server server02 {

        ipaddr = y.y.y.y

        port = 1812

        type = "auth+acct"

        secret = "testing123"

        response_window = 20

        max_outstanding = 65536

        zombie_period = 40

        status_check = "none"

        ping_interval = 30

        check_interval = 30

        num_answers_to_alive = 3

        num_pings_to_alive = 3

        revive_interval = 60

        status_check_timeout = 4

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

}

home_server_pool home {

        type = fail-over

        home_server = server01

        home_server = server02

}

realm home.co.uk {

        pool = home

        nostrip

}

 

realm newhome.co.uk {

        pool = home

        nostrip

}

realm LOCAL {

}

realm NULL {

}

home_server extserver00 {

        ipaddr = x.x.x.x

        port = 1812

        type = "auth+acct"

        secret = "testing123"

        response_window = 20

        max_outstanding = 65536

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        num_answers_to_alive = 3

        num_pings_to_alive = 3

        revive_interval = 60

        status_check_timeout = 4

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

}

home_server extserver01 {

        ipaddr = x.x.x.x

        port = 1812

        type = "auth+acct"

        secret = "testing123"

        response_window = 20

        max_outstanding = 65536

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        num_answers_to_alive = 3

        num_pings_to_alive = 3

        revive_interval = 60

        status_check_timeout = 4

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

}

 

home_server extserver02 {

        ipaddr = x.x.x.x

        port = 1812

        type = "auth+acct"

        secret = "testing123"

        response_window = 20

        max_outstanding = 65536

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        num_answers_to_alive = 3

        num_pings_to_alive = 3

        revive_interval = 60

        status_check_timeout = 4

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

}

home_server_pool ext {

        type = fail-over

        home_server = extserver00

        home_server = extserver01

        home_server = extserver02

}

realm DEFAULT {

        pool = ext

        nostrip

}

radiusd: #### Loading Clients ####

client localhost {

        ipaddr = 127.0.0.1

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "eduroam"

}

client isa1 {

        ipaddr = 1.1.1.1

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

 

client isa2 {

        ipaddr = 2.2.2.2

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

client isa3 {

        ipaddr = 3.3.3.3

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

client tmg1 {

        ipaddr = 4.4.4.4

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

client tmg2 {

        ipaddr = 5.5.5.5

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

client extserver00 {

        ipaddr = x.x.x.x

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

client extserver01 {

        ipaddr = x.x.x.x

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

 

client extserver02 {

        ipaddr = x.x.x.x

        netmask = 32

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

        virtual_server = "noname"

}

radiusd: #### Instantiating modules ####

instantiate {

Module: Linked to module rlm_exec

Module: Instantiating exec

  exec {

        wait = no

        input_pairs = "request"

        shell_escape = yes

  }

Module: Linked to module rlm_expr

Module: Instantiating expr

Module: Linked to module rlm_expiration

Module: Instantiating expiration

  expiration {

        reply-message = "Password Has Expired  "

  }

Module: Linked to module rlm_logintime

Module: Instantiating logintime

  logintime {

        reply-message = "You are calling outside your allowed timespan  "

        minimum-timeout = 60

  }

}

radiusd: #### Loading Virtual Servers ####

server eduroam {

modules {

Module: Checking authenticate {...} for more modules to load

Module: Linked to module rlm_eap

Module: Instantiating eap

  eap {

        default_eap_type = "md5"

        timer_expire = 60

       ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 2048

  }

 

Module: Linked to sub-module rlm_eap_md5

Module: Instantiating eap-md5

Module: Linked to sub-module rlm_eap_leap

Module: Instantiating eap-leap

Module: Linked to sub-module rlm_eap_gtc

Module: Instantiating eap-gtc

   gtc {

        challenge = "Password: "

        auth_type = "PAP"

   }

Module: Linked to sub-module rlm_eap_tls

Module: Instantiating eap-tls

   tls {

        rsa_key_exchange = no

        dh_key_exchange = yes

        rsa_key_length = 512

        dh_key_length = 512

        verify_depth = 0

        pem_file_type = yes

        private_key_file = "/etc/raddb/certs/server.pem"

        certificate_file = "/etc/raddb/certs/server.pem"

        CA_file = "/etc/raddb/certs/ca.pem"

        private_key_password = "whatever"

        dh_file = "/etc/raddb/certs/dh"

        random_file = "/etc/raddb/certs/random"

        fragment_size = 1024

        include_length = yes

        check_crl = no

        cipher_list = "DEFAULT"

        make_cert_command = "/etc/raddb/certs/bootstrap"

    cache {

        enable = no

        lifetime = 24

        max_entries = 255

    }

   }

Module: Linked to sub-module rlm_eap_ttls

Module: Instantiating eap-ttls

   ttls {

        default_eap_type = "md5"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        virtual_server = "inner-tunnel"

        include_length = yes

   }

 

Module: Linked to sub-module rlm_eap_peap

Module: Instantiating eap-peap

   peap {

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        proxy_tunneled_request_as_eap = yes

        virtual_server = "inner-tunnel"

   }

Module: Linked to sub-module rlm_eap_mschapv2

Module: Instantiating eap-mschapv2

   mschapv2 {

        with_ntdomain_hack = no

   }

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_detail

Module: Instantiating auth_log

  detail auth_log {

        detailfile = "/var/log/radius/radacct/auth-detail"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

Module: Linked to module rlm_realm

Module: Instantiating suffix

  realm suffix {

        format = "suffix"

        delimiter = "@"

        ignore_default = no

        ignore_null = no

  }

Module: Checking preacct {...} for more modules to load

Module: Checking accounting {...} for more modules to load

Module: Instantiating detail

  detail {

        detailfile = "/var/log/radius/radacct/detail"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

Module: Checking pre-proxy {...} for more modules to load

Module: Linked to module rlm_attr_filter

Module: Instantiating attr_filter.pre-proxy

  attr_filter attr_filter.pre-proxy {

        attrsfile = "/etc/raddb/attrs.pre-proxy"

        key = "%{Realm}"

  }

 

Module: Instantiating pre_proxy_log

  detail pre_proxy_log {

        detailfile = "/var/log/radius/radacct/pre-proxy-detail"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

Module: Checking post-proxy {...} for more modules to load

Module: Instantiating post_proxy_log

  detail post_proxy_log {

        detailfile = "/var/log/radius/radacct/post-proxy-detail"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

Module: Instantiating attr_filter.post-proxy

  attr_filter attr_filter.post-proxy {

        attrsfile = "/etc/raddb/attrs"

        key = "%{Realm}"

  }

Module: Checking post-auth {...} for more modules to load

Module: Instantiating reply_log

  detail reply_log {

        detailfile = "/var/log/radius/radacct/reply-detail"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

} # modules

} # server

server {

modules {

} # modules

} # server

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = *

        port = 0

}

listen {

        type = "acct"

        ipaddr = *

        port = 0

}

 

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on proxy address * port 1814

Ready to process requests.

rad_recv: Access-Request packet from host 5.5.5.5 port 35394, id=1, length=211

Received packet from 5.5.5.5 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.

Going to the next request

Waking up in 0.9 seconds.

Cleaning up request 0 ID 1 with timestamp +274

Ready to process requests.

 

Cheers for any help possible,

Andi



From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.

Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html