Hi all, I am trying to authenticate netscreen 5gt from a radius server. I have done the following config on netscreen.. set auth-server "radius1" id 1 set auth-server "radius1" server-name "192.168.1.50" set auth-server "radius1" timeout 30 set auth-server "radius1" forced-timeout 60 set auth-server "radius1" radius port 1812 set auth-server "radius1" radius secret "testing123" set auth radius accounting port 1813 and on radius side..i have made a local user. net Cleartext-Password := "net" but i am not able to authenticate...Netscreen is not sending anythin to radius server..i can't see any logs in radius (running in debug mode). Kindly suggest.. Thanks, On 9/10/07, freeradius-users-request@lists.freeradius.org < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Freeradius+Active directory - router login authentciation (Turbo Fredriksson) 2. two different enable passwords. (ashish verma)
----------------------------------------------------------------------
Message: 1 Date: Mon, 10 Sep 2007 13:06:29 +0200 From: Turbo Fredriksson <turbo@dagdrivarn.se> Subject: Re: Freeradius+Active directory - router login authentciation To: freeradius-users@lists.freeradius.org Message-ID: <878x7eok3u.fsf@pumba.bayour.com> Content-Type: text/plain; charset=us-ascii
Quoting "Rakesh Jha" <rakesh@burgan.com>:
I'm far from an expert in FreeRADIUS (so take what I say with a grane of salt), but I instantly noticed this.
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap_tls: Unable to open DH file - (null) rlm_eap: Failed to initialize type tls
It can't open the 'DH file' (don't quite know which one that is), but I would assume that it's some (or maybe all?) of the first three files. Do they exist? Does the freeradius daemon have the right to _read_ those files (are you running the daemon under some user _not_ root). I run (default in Debian GNU/Linux) the daemon under the 'freerad' user so this user must be able to read the files mentioned (AND have the right to access all directory paths before it).
Also, the 'check_cert_cn' is empty. If you don't use it, uncomment it in the config file. probably goes for the options 'check_cert_cn' and 'check_cert_issuer' to.
I DO use them, and my eap.conf file looks like this:
----- s n i p ----- celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf check_cert_issuer = "<see below>" check_cert_cn = %{User-Name} cipher_list = "DEFAULT" ----- s n i p -----
The 'check_cert_issuer' value is a little personal (something I wouldn't want to post to the 'Net) but is the value found in the 'subject' line when running the command:
openssl x509 -subject -noout -in <cacert>
----- s n i p ----- celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem subject= <secret> ----- s n i p -----
radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section.
These will probably go away once you have fixed the tls parts above...
As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links which guide correctly to configure radius, openssl and active directory.
I think Alan is a little 'judgmental' (wrong choice, but I can't quite get the exact translation of what I meant) if here. I would to if (since!) people don't think for them self and only follow external 'documentation' by the letter without trying to actually understand what it means...
Following ANY documentation require UNDERSTANDING! Not HOW, but WHY ('... a certain option is used with a special value').
DISCLAIMER (before Alan slaps me :): I'm in no way better my self - I'm lousy in reading documentation. I only read a little here and a little there, but I (almost) always understand the parts that I DO read :)
------------------------------
Message: 2 Date: Mon, 10 Sep 2007 17:21:34 +0530 From: "ashish verma" <ashish.scit@gmail.com> Subject: two different enable passwords. To: freeradius-users@lists.freeradius.org Message-ID: <11b554120709100451v630a635fj48f54a6660c46216@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Hi all,
I have radius-ldap setup for authenticating network devices.
I have small doubt here.
Is it possible to have different enable passwords for different huntgroups?
For e.g. i have 2 huntgroups. one for cisco switches and one for cisco routers and I want to have different enable passwords for both.
Currently i have only one entry for enable password and that is commom for all the cisco devices.
On 9/10/07, freeradius-users-request@lists.freeradius.org < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. RE: Freeradius+Active directory - router login authentciation (Rakesh Jha) 2. Re: Freeradius doesn't detect EAP when authenticating against MySQL (Andrew Rowson) 3. RE : LOGs of eap-tls authentication (inelec communication) 4. Re: Freeradius doesn't detect EAP when authenticating against MySQL (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Mon, 10 Sep 2007 09:21:42 +0300 From: "Rakesh Jha" <rakesh@burgan.com> Subject: RE: Freeradius+Active directory - router login authentciation To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <A928C53C7FC96746A7C07338F009DCA00C4D37@BB-MAIL.main.burgan.bnk> Content-Type: text/plain; charset="us-ascii"
Alan,
Please see the complete output of radiusd -X as following -
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-D omain:-burgan_dom} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Cha llenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "(null)" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap_tls: Unable to open DH file - (null) rlm_eap: Failed to initialize type tls radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section.
As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links which guide correctly to configure radius, openssl and active directory.
Thanks a lot, Rakesh Jha
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, September 10, 2007 8:35 AM To: FreeRadius users mailing list Subject: Re: Freeradius+Active directory - router login authentciation
Rakesh Jha wrote: ...
After following FreeRADIUS Tutorial for AD integration I am not able to start radius daemon as it complains -
radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section.
I'm at a bit of a loss for why so many people are so insistent on removing all useful messages.
Attention: Any non-official business related views, opinions and other information presented in this electronic mail are solely those of the sender/author. Burgan Bank does not endorse or accept responsibility for their
opinions.
If you are not the addressed indicated in this mail or responsible for delivering this message to the intended, you should delete this message and notify the sender immediately. ------------------------------------------------------- Burgan Bank S.A.K www.burgan.com
------------------------------
Message: 2 Date: Mon, 10 Sep 2007 08:47:09 +0100 From: Andrew Rowson <freeradius@growse.com> Subject: Re: Freeradius doesn't detect EAP when authenticating against MySQL To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <b03eaa106466517b3d809c38044273f9@ticklemail.mrmen.home> Content-Type: text/plain; charset="UTF-8"
On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok < aland@deployingradius.com> wrote:
Andrew Rowson wrote:
Looking over it, it seems that a problem comes up with the MSCHAP bit:
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 14
This appears to imply that there's no User-Password entry found anywhere for the user in the database. This would be correct, as the attribute in the radcheck table is set to Cleartext-Password. Anything other than Cleartext-Password and freeradius doesn't attempt an auth-type of EAP, but Local instead, going back to my original problem.
What does the database contain? Cleartext-Password == password, or Cleartext-Password := password ?
The database contains Cleartext-Password == password. I've tried it with :=, but if I remember correctly that fails as well, with the Auth-type being set to local again. I'll see if I can get a log of that failure as well, if it'd be helpful?
Andrew
------------------------------
Message: 3 Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST) From: inelec communication <inelec_communication@yahoo.fr> Subject: RE : LOGs of eap-tls authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <60722.76768.qm@web26011.mail.ukl.yahoo.com> Content-Type: text/plain; charset="iso-8859-1"
hello, running radius in debug mode doesn't give any log file ,i meen it doesn't give logs in radiusd.log ; if you give me your result when you have rubn radiusd -X -A perhaps i can help
regards
anoop_c@sifycorp.com a ?crit :
Hi 1 I am using eap-tls authentication.My setup is working well with certificates. I am unable to get logs of user login ok or denied in the radius.log file [root@anoop sbin]# radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = \"/usr/local\" main: localstatedir = \"/usr/local/var\" main: logdir = \"/usr/local/var/log/radius\" main: libdir = \"/usr/local/lib\" main: radacctdir = \"/usr/local/var/log/radius/radacct\" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = \"/usr/local/var/log/radius/radius.log\" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = \"/usr/local/var/run/radiusd/radiusd.pid\" main: user = \"(null)\" main: group = \"(null)\" main: usercollide = no main: lower_user = \"no\" main: lower_pass = \"no\" main: nospace_user = \"no\" main: nospace_pass = \"no\" main: checkrad = \"/usr/local/sbin/checkrad\" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = \"(null)\" exec: input_pairs = \"request\" exec: output_pairs = \"(null)\" exec: packet_type = \"(null)\" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = \"(null)\" unix: shadow = \"(null)\" unix: group = \"(null)\" unix: radwtmp = \"/usr/local/var/log/radius/radwtmp\" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = \"tls\" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = \"Password: \" gtc: auth_type = \"PAP\" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = \"(null)\" tls: pem_file_type = yes tls: private_key_file = \"/etc/1x/07xwifi.pem\" tls: certificate_file = \"/etc/1x/07xwifi.pem\" tls: CA_file = \"/etc/1x/root.pem\" tls: private_key_password = \"password\" tls: dh_file = \"/etc/1x/DH\" tls: random_file = \"/etc/1x/random\" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = \"(null)\" tls: cipher_list = \"(null)\" tls: check_cert_issuer = \"(null)\" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = \"/etc/raddb/huntgroups\" preprocess: hints = \"/etc/raddb/hints\" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = \"suffix\" realm: delimiter = \"@\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = \"/etc/raddb/users\" files: acctusersfile = \"/etc/raddb/acct_users\" files: preproxy_usersfile = \"/etc/raddb/preproxy_users\" files: compat = \"no\" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = \"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port\" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = \"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d\" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = \"/usr/local/var/log/radius/radutmp\" radutmp: username = \"%{User-Name}\" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. 2 I am using certificate based authentication so do i need to edit anything in the users file/ Thanks and regards Anoop
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--------------------------------- Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail