Have some questions - new to FreeRadius
Greetings all.. Overview Our local network folks have a FirePass VPN to allow external access to an application. We are needing to setup a Radius server to authenticate to the FirePass VPN appliance. Testing. I have FreeRadius 1.1.7 set up on a zone on a Solaris 10 box and have begun testing.. This zone will only do this one task.. (Packages installed from SunFreeware - Blastwave FreeRadius package is 1.01) - Going through the output from /local/sbin/radiusd -X - Tested with radtest test test localhost 0 testing123 One error - Although this might be normal Output Sending Access-Request of id 169 to 127.0.0.1 port 1812 User-Name = "test" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=169, length=20 --------------- I am also reading the entire radiusd.conf file to get familiar with the settings. Per the FAQ it *looks* like I need to use CHAP for authentication but have currently not gotten any farther than that. Sent an email to F5 (makers of FirePass) requesting information as to what protocol the "Radius" setting is expecting.. If anyone has any input if this combination will work,
- Going through the output from /local/sbin/radiusd -X
You didn't post the output.
- Tested with radtest test test localhost 0 testing123 One error - Although this might be normal Output Sending Access-Request of id 169 to 127.0.0.1 port 1812 User-Name = "test" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=169, length=20
Where is the user/pass entry? Users file? Somewhere else? Post that too. Ivan Kalik Kalik Informatika ISP
I have not yet created the users file, just using the default one for testing.. It is the standard client.conf (apologize if this is not what you are asking for) Some additional notes: All user accounts /passwords will be on the Radius Server, FirePass just talks to the Radius server. Here is the output from /local/sbin/radiusd -X --- sm1gw1# /local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
more output This came after the service was running a while.. --- Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 246 to 127.0.0.1 port 33184 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 246 with timestamp 4811f1f3 Nothing to do. Sleeping until we see a request. ---
Server needs a username and password stored somewhere in order to compare with ones in the request. It doesn't work without it. Add entry for you test user to users file and try again. Ivan Kalik Kalik informatika ISP Dana 25/4/2008, "thekat" <thekewlcat@gmail.com> piše:
I have not yet created the users file, just using the default one for testing.. It is the standard client.conf (apologize if this is not what you are asking for)
Some additional notes: All user accounts /passwords will be on the Radius Server, FirePass just talks to the Radius server.
Here is the output from /local/sbin/radiusd -X --- sm1gw1# /local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
I am still wading through the docs.. and trying to get my head wrapped around the settings.. Also, still waiting on a response from F5 to see what type of Radius Authentication is used by the FirePass appliance.. Hoping it is CHAP.. Appreciate the response.. Charles 2008/4/25 Ivan Kalik <tnt@kalik.net>:
Server needs a username and password stored somewhere in order to compare with ones in the request. It doesn't work without it. Add entry for you test user to users file and try again.
Ivan Kalik Kalik informatika ISP
For VPN it's usually mschapv2. Whatever it is (pap, chap, mschap) it will work with cleartext passwords. Read instructions in users file. That's all you will need - default configuration will work for those protocols. Apart from that you only need to enter details of your VPN server in clents.conf. If you are thinking about using sql database to store user details read sql.conf and SQL Howto on the wiki. If you are thinking about using ldap have a look at ldap section in radiusd.conf, rlm_ldap on the wiki and ldap.attrmap file. Ivan Kalik Kalik Informatika ISP Dana 25/4/2008, "thekat" <thekewlcat@gmail.com> piše:
I am still wading through the docs.. and trying to get my head wrapped around the settings..
Also, still waiting on a response from F5 to see what type of Radius Authentication is used by the FirePass appliance.. Hoping it is CHAP..
Appreciate the response.. Charles
2008/4/25 Ivan Kalik <tnt@kalik.net>:
Server needs a username and password stored somewhere in order to compare with ones in the request. It doesn't work without it. Add entry for you test user to users file and try again.
Ivan Kalik Kalik informatika ISP
Ivan.. Much thanks for the reply and the very helpful recommendations.. We will only have about 100 users (very low utilization) so sql probably won't be needed.. I will be working on this tomorrow.. Charles 2008/4/25 Ivan Kalik <tnt@kalik.net>:
For VPN it's usually mschapv2. Whatever it is (pap, chap, mschap) it will work with cleartext passwords. Read instructions in users file. That's all you will need - default configuration will work for those protocols. Apart from that you only need to enter details of your VPN server in clents.conf.
If you are thinking about using sql database to store user details read sql.conf and SQL Howto on the wiki. If you are thinking about using ldap have a look at ldap section in radiusd.conf, rlm_ldap on the wiki and ldap.attrmap file.
Ivan Kalik Kalik Informatika ISP
Dana 25/4/2008, "thekat" <thekewlcat@gmail.com> piše:
I am still wading through the docs.. and trying to get my head wrapped around the settings..
Also, still waiting on a response from F5 to see what type of Radius Authentication is used by the FirePass appliance.. Hoping it is CHAP..
Appreciate the response.. Charles
2008/4/25 Ivan Kalik <tnt@kalik.net>:
Server needs a username and password stored somewhere in order to compare with ones in the request. It doesn't work without it. Add entry for you test user to users file and try again.
Ivan Kalik Kalik informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Ivan Kalik -
thekat