Hi, we are using one radius server for external users to get access to a 802.1x WLAN. The radius server is configured to look for the domain and only answer local request or form our domain. Everything else is forwareded to central instance (using the proxy.conf). Now I have a strange problem: When I use our local domain "radtest" and the WLAN is working fine. When I try to use an external domain account, radtest tells OK, but using the same account for the WLAN will fail. How can I debug this error ? -- Bye, Peer _________________________________________________________ Max-Planck-Institut fuer Biogeochemie Dr. Peer-Joachim Koch Hans-Knöll Str.10 Telefon: ++49 3641 57-6705 D-07745 Jena Telefax: ++49 3641 57-7705
radiusd -X Ivan Kalik Kalik Informatika ISP Dana 23/4/2008, "Dr.Peer-Joachim Koch" <pkoch@bgc-jena.mpg.de> piše:
Hi,
we are using one radius server for external users to get access to a 802.1x WLAN. The radius server is configured to look for the domain and only answer local request or form our domain. Everything else is forwareded to central instance (using the proxy.conf).
Now I have a strange problem: When I use our local domain "radtest" and the WLAN is working fine. When I try to use an external domain account, radtest tells OK, but using the same account for the WLAN will fail.
How can I debug this error ?
-- Bye, Peer _________________________________________________________ Max-Planck-Institut fuer Biogeochemie Dr. Peer-Joachim Koch Hans-KnĂśll Str.10 Telefon: ++49 3641 57-6705 D-07745 Jena Telefax: ++49 3641 57-7705 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, enclose the output from radiusd -X first using radtest, the switching on the WLAN with the same useranme and password: =====================radiusd -X out================================ rad_recv: Access-Request packet from host 141.5.16.151:2234, id=228, length=68 User-Name = "pkoch@ice.mpg.de" User-Password = "PASSWD" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 radius_xlat: '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423 modcall[authorize]: module "auth_log" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: Looking up realm "ice.mpg.de" for User-Name = "pkoch@ice.mpg.de" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user pkoch to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 7 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for pkoch@ice.mpg.de radius_xlat: 'uid=_' radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_ rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 7 modcall: leaving group authorize (returns updated) for request 7 Sending Access-Request of id 6 to 193.174.75.134 port 1812 User-Name = "pkoch@ice.mpg.de" User-Password = "PASSWD" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Proxy-State = 0x323238 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Accept packet from host 193.174.75.134:1812, id=6, length=25 Proxy-State = 0x323238 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 7 attr_filter: Matched entry DEFAULT at line 103 modcall[post-proxy]: module "attr_filter" returns updated for request 7 modcall[post-proxy]: module "eap" returns noop for request 7 modcall: leaving group post-proxy (returns updated) for request 7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 radius_xlat: '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423 modcall[authorize]: module "auth_log" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: Proxy reply, or no User-Name. Ignoring. modcall[authorize]: module "suffix" returns noop for request 7 modcall[authorize]: module "eap" returns noop for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for pkoch@ice.mpg.de radius_xlat: 'uid=_' radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_ rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 7 modcall: leaving group authorize (returns ok) for request 7 rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 7 modcall[post-auth]: module "ldap" returns noop for request 7 modcall: leaving group post-auth (returns noop) for request 7 Sending Access-Accept of id 228 to 141.5.16.151 port 2234 Finished request 7 Going to the next request Waking up in 6 seconds... ===========Now the same over WLAN=========================== --- Walking the entire request list --- Cleaning up request 7 ID 228 with timestamp 480f2719 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, length=201 User-Name = "pkoch@ice.mpg.de" MS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa MS-CHAP2-Response = 0x00004a15d8a0523caab6ba7b2197599aa36f0000000000000000ee86063cd18395098328358032bf767fbc1bcb2c6ce3a658 NAS-Port-Id = "2084/1" Calling-Station-Id = "00-13-CE-95-17-E8" Called-Station-Id = "00-0B-0E-33-71-80:eduroam" NAS-Port = 15439 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "Trapeze" NAS-IP-Address = 141.5.16.23 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 radius_xlat: '/var/log/radius/radacct/141.5.16.23/auth-detail-20080423' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.23/auth-detail-20080423 modcall[authorize]: module "auth_log" returns ok for request 8 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' modcall[authorize]: module "mschap" returns ok for request 8 rlm_realm: Looking up realm "ice.mpg.de" for User-Name = "pkoch@ice.mpg.de" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user pkoch to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 8 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for pkoch@ice.mpg.de radius_xlat: 'uid=_' radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_ rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 8 modcall: leaving group authorize (returns updated) for request 8 Sending Access-Request of id 7 to 193.174.75.134 port 1812 User-Name = "pkoch@ice.mpg.de" MS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa MS-CHAP2-Response = 0x00004a15d8a0523caab6ba7b2197599aa36f0000000000000000ee86063cd18395098328358032bf767fbc1bcb2c6ce3a658 NAS-Port-Id = "2084/1" Calling-Station-Id = "00-13-CE-95-17-E8" Called-Station-Id = "00-0B-0E-33-71-80:eduroam" NAS-Port = 15439 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "Trapeze" NAS-IP-Address = 141.5.16.23 Proxy-State = 0x313733 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, length=201 Ignoring duplicate packet from client gaia:20008 - ID: 173, due to outstanding proxied request 8. --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Reject packet from host 193.174.75.134:1812, id=7, length=41 Reply-Message = "Request Denied" Proxy-State = 0x313733 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 8 attr_filter: Matched entry DEFAULT at line 103 modcall[post-proxy]: module "attr_filter" returns updated for request 8 modcall[post-proxy]: module "eap" returns noop for request 8 modcall: leaving group post-proxy (returns updated) for request 8 Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 8 modcall[post-auth]: module "ldap" returns noop for request 8 modcall: leaving group REJECT (returns noop) for request 8 Delaying request 8 for 1 seconds Finished request 8 Going to the next request Waking up in 1 seconds... Ivan Kalik schrieb:
radiusd -X
Ivan Kalik Kalik Informatika ISP
-- Mit freundlichem Gruss Peer-Joachim Koch _________________________________________________________ Max-Planck-Institut fuer Biogeochemie Dr. Peer-Joachim Koch Hans-Knöll Str.10 Telefon: ++49 3641 57-6705 D-07745 Jena Telefax: ++49 3641 57-7705
This is the debug from the proxy not home server. You need a debug from the home server to see why is first one accepted and second one rejected. Since first one was pap request and second mschap usual problem is that password stored on home server is encrypted. Ivan Kalik Kalik Informatika ISP Dana 23/4/2008, "Dr.Peer-Joachim Koch" <pkoch@bgc-jena.mpg.de> piše:
Hi,
enclose the output from radiusd -X
first using radtest, the switching on the WLAN with the same useranme and password:
=====================radiusd -X out================================
rad_recv: Access-Request packet from host 141.5.16.151:2234, id=228, length=68 User-Name = "pkoch@ice.mpg.de" User-Password = "PASSWD" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 radius_xlat: '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423 modcall[authorize]: module "auth_log" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: Looking up realm "ice.mpg.de" for User-Name = "pkoch@ice.mpg.de" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user pkoch to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 7 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for pkoch@ice.mpg.de radius_xlat: 'uid=_' radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_ rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 7 modcall: leaving group authorize (returns updated) for request 7 Sending Access-Request of id 6 to 193.174.75.134 port 1812 User-Name = "pkoch@ice.mpg.de" User-Password = "PASSWD" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Proxy-State = 0x323238 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Accept packet from host 193.174.75.134:1812, id=6, length=25 Proxy-State = 0x323238 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 7 attr_filter: Matched entry DEFAULT at line 103 modcall[post-proxy]: module "attr_filter" returns updated for request 7 modcall[post-proxy]: module "eap" returns noop for request 7 modcall: leaving group post-proxy (returns updated) for request 7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 radius_xlat: '/var/log/radius/radacct/141.5.16.151/auth-detail-20080423' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.151/auth-detail-20080423 modcall[authorize]: module "auth_log" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: Proxy reply, or no User-Name. Ignoring. modcall[authorize]: module "suffix" returns noop for request 7 modcall[authorize]: module "eap" returns noop for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for pkoch@ice.mpg.de radius_xlat: 'uid=_' radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_ rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 7 modcall: leaving group authorize (returns ok) for request 7 rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 7 modcall[post-auth]: module "ldap" returns noop for request 7 modcall: leaving group post-auth (returns noop) for request 7 Sending Access-Accept of id 228 to 141.5.16.151 port 2234 Finished request 7 Going to the next request Waking up in 6 seconds...
===========Now the same over WLAN===========================
--- Walking the entire request list --- Cleaning up request 7 ID 228 with timestamp 480f2719 Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, length=201 User-Name = "pkoch@ice.mpg.de" MS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa MS-CHAP2-Response = 0x00004a15d8a0523caab6ba7b2197599aa36f0000000000000000ee86063cd18395098328358032bf767fbc1bcb2c6ce3a658 NAS-Port-Id = "2084/1" Calling-Station-Id = "00-13-CE-95-17-E8" Called-Station-Id = "00-0B-0E-33-71-80:eduroam" NAS-Port = 15439 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "Trapeze" NAS-IP-Address = 141.5.16.23 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 radius_xlat: '/var/log/radius/radacct/141.5.16.23/auth-detail-20080423' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.5.16.23/auth-detail-20080423 modcall[authorize]: module "auth_log" returns ok for request 8 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' modcall[authorize]: module "mschap" returns ok for request 8 rlm_realm: Looking up realm "ice.mpg.de" for User-Name = "pkoch@ice.mpg.de" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user pkoch to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 8 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for pkoch@ice.mpg.de radius_xlat: 'uid=_' radius_xlat: 'dc=bgc-jena, dc=mpg, dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=bgc-jena, dc=mpg, dc=de, with filter uid=_ rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 8 modcall: leaving group authorize (returns updated) for request 8 Sending Access-Request of id 7 to 193.174.75.134 port 1812 User-Name = "pkoch@ice.mpg.de" MS-CHAP-Challenge = 0x04138c9db743bfbb843010bf7f8389aa MS-CHAP2-Response = 0x00004a15d8a0523caab6ba7b2197599aa36f0000000000000000ee86063cd18395098328358032bf767fbc1bcb2c6ce3a658 NAS-Port-Id = "2084/1" Calling-Station-Id = "00-13-CE-95-17-E8" Called-Station-Id = "00-0B-0E-33-71-80:eduroam" NAS-Port = 15439 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "Trapeze" NAS-IP-Address = 141.5.16.23 Proxy-State = 0x313733 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 141.5.16.23:20008, id=173, length=201 Ignoring duplicate packet from client gaia:20008 - ID: 173, due to outstanding proxied request 8. --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Reject packet from host 193.174.75.134:1812, id=7, length=41 Reply-Message = "Request Denied" Proxy-State = 0x313733 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 8 attr_filter: Matched entry DEFAULT at line 103 modcall[post-proxy]: module "attr_filter" returns updated for request 8 modcall[post-proxy]: module "eap" returns noop for request 8 modcall: leaving group post-proxy (returns updated) for request 8 Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 8 modcall[post-auth]: module "ldap" returns noop for request 8 modcall: leaving group REJECT (returns noop) for request 8 Delaying request 8 for 1 seconds Finished request 8 Going to the next request Waking up in 1 seconds...
Ivan Kalik schrieb:
radiusd -X
Ivan Kalik Kalik Informatika ISP
-- Mit freundlichem Gruss Peer-Joachim Koch _________________________________________________________ Max-Planck-Institut fuer Biogeochemie Dr. Peer-Joachim Koch Hans-Knöll Str.10 Telefon: ++49 3641 57-6705 D-07745 Jena Telefax: ++49 3641 57-7705 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, thanks, but I don't have access to this server. I'll can only do anything on our proxy. Your are right, the WLAN is configured with wpa2 TKIP PEAP and ms-chap-V2. Is there anything else I can do ? Bye, Peer Ivan Kalik schrieb:
This is the debug from the proxy not home server. You need a debug from the home server to see why is first one accepted and second one rejected.
Since first one was pap request and second mschap usual problem is that password stored on home server is encrypted.
Ivan Kalik Kalik Informatika ISP
_________________________________________________________ Max-Planck-Institut fuer Biogeochemie Dr. Peer-Joachim Koch Hans-Knöll Str.10 Telefon: ++49 3641 57-6705 D-07745 Jena Telefax: ++49 3641 57-7705
Install SecureW2 and try EAP-TTLS/PAP. If that works then passwords are encrypted and PEAP won't work. Ivan Kalik Kalik Informatika ISP Dana 23/4/2008, "Dr.Peer-Joachim Koch" <pkoch@bgc-jena.mpg.de> piše:
Hi Ivan,
thanks, but I don't have access to this server. I'll can only do anything on our proxy.
Your are right, the WLAN is configured with wpa2 TKIP PEAP and ms-chap-V2.
Is there anything else I can do ?
Bye, Peer
Ivan Kalik schrieb:
This is the debug from the proxy not home server. You need a debug from the home server to see why is first one accepted and second one rejected.
Since first one was pap request and second mschap usual problem is that password stored on home server is encrypted.
Ivan Kalik Kalik Informatika ISP
_________________________________________________________ Max-Planck-Institut fuer Biogeochemie Dr. Peer-Joachim Koch Hans-Knöll Str.10 Telefon: ++49 3641 57-6705 D-07745 Jena Telefax: ++49 3641 57-7705 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Dr.Peer-Joachim Koch -
Ivan Kalik