Freeradius + LDAP + EAP-TTLS with PAP cannot login
cktan@ocesb.com.my wrote:
I've try to setup a new freeradius server for my wireless users using WPA/WPA2 with 802.1x authentication. all the clients are using secureW2 to login. FYI, I've another freeradius which is currently run for EAPOL (802.1x over L2 switch) with EAP-MD5 and it is working fine for me. After trying for 2 weeks, I'm still cannot do EAP-TTLS with PAP for wireless. However, if I configure secureW2 to user EAP-TTLS with EAP-MD5 as inner tunnel, the user is able to authenticate.You may find my config as below. Looking for your kind assistance... thanks.
Please post the debug log as suggested in the README, INSTAL, FAQ, and regularly on this list. Alan DeKok.
cktan@ocesb.com.my wrote: ..
rad_check_password: Found Auth-Type LDAP1
Why did you set that? It's breaking EAP. Read eap.conf. DO NOT SET AUTH-TYPE. This comes up so often on the list, and it's documented in so many places, that I'm don't understand why people still run into it. Alan DeKok.
Hello, i would to deploy a freeradius system with dynamic vlan assignment in a wireless LAN. Ths SSID must be unique and the VLAN must be assigned via auth-type or username. The authentication is EAP and the users are in the "users" file. How can to pass a radius attributes, like auth-type, to my wireless switch? -------------------------------------- Vincenzo Agosti --------------------------------------
Vincenzo Agosti wrote:
How can to pass a radius attributes, like auth-type, to my wireless switch?
You don't pass Auth-Type to the switch. Forget it exists, nearly everyone gets it wrong. The attributes you pass to the switch are the ones listed in the switch documentation. The attributes are configured in FreeRADIUS in the configuration files, usually the "users" file. See the file, and "man users" for examples. Alan DeKok.
Alan DeKok <aland@deployingradius.com> 7/3/2007 6:20 AM >>> Vincenzo Agosti wrote: How can to pass a radius attributes, like auth-type, to my wireless switch?
You don't pass Auth-Type to the switch. Forget it exists, nearly everyone gets it wrong. The attributes you pass to the switch are the ones listed in the switch documentation. The attributes are configured in FreeRADIUS in the configuration files, usually the "users" file. See the file, and "man users" for examples. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
cktan@ocesb.com.my wrote:
After try to remove the Auth-Type in users and let radius auto detect the method, also add in another 3 new attribute in ldif, below is the different message I get. Can you please have a look? Thanks.
modcall[authorize]: module "ldap_1x" returns ok for request 4 modcall: group Autz-Type returns ok for request 4 rad_check_password: Found Auth-Type EAP ... rlm_eap: EAP-Message not found rlm_eap: Malformed EAP Message
You forced "Auth-Type := EAP". Don't do that. Can you explain why you are setting Auth-Type when you were specifically instructed to NOT set it? Alan DeKok.
cktan@ocesb.com.my wrote: ...
However, I do notice radius only insert the login record in radpostauth but no record in radacct. If I'm using EAP-MD5 with L2 switch as NAS, a login record will be there. What make this happen?
It's in the FAQ. The NAS isn't sending accounting packets. Alan DeKok.
cktan@ocesb.com.my wrote:
I try 2 different type of wireless NASs but still didn't insert the record into table. Is that mean the wireless NAS by default do not send accounting info or do not have this kind of function?
Does the NAS documentation say it supports accounting? Alan DeKok.
cktan@ocesb.com.my wrote:
... By the way, I do notice the accounting request sent by hostapd is very basic and what should I do if i need to add more attribute?
Read the hostapd documentation.
For example, the accounting packet do not include the full username i.e. user@domain. Looking for your advice.
If the User-Name in the Access-Request was "user@domain", it looks like a bug in hostapd. If he User-Name in the Access-Request was "user", then hostapd is functioning correctly. Alan DeKok.
Hi Alan,
Read the hostapd documentation.
Nothing much the documentation about the attributes.
If the User-Name in the Access-Request was "user@domain", it looks like a bug in hostapd. If he User-Name in the Access-Request was "user", then hostapd is functioning correctly.
rad_recv: Access-Request packet from host 61.4.124.254:60144, id=54, length=277 User-Name = "user@penangfon.com" NAS-Identifier = "61test.com" NAS-Port = 0 Called-Station-Id = "00-02-6F-43-8E-E1:61test" Calling-Station-Id = "00-14-A5-D9-09-07" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0205005f15800000005517030100503b07e30a7c651d7da5bb53344e198368dc293557b110679aacb6a612f72c16624ac86033507d6dcc1db191f5534697863afc9d175a2e9f4cb96d1cc1255fe795a804624c194a2287bb1697da866b2ec9 State = 0x976fd1ef7bb6883f9eee627fc30ae656 Message-Authenticator = 0x3db378b32ca7650cb49110d4b795896d The username in Request and Accounting is different. Should be bug from hostapd.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- CK Tan IT Manager Optical Communication Engineering S/B 19, Jalan Semangat, 46200 Petaling Jaya, Selangor Darul Ehsan Tel: +60 3 76808000 EXT:1205 Fax: +60 3 76808010 H/P: +60 12 9033077 email: cktan@ocesb.com.my
Hi, cktan@ocesb.com.my wrote:
OK, I try to setup hostapd in freebsd to be my wireless NAS and configure the accounting server to my radius server. It works. Which mean the my previous NAS do not do the accounting job. Thank for your information. By the way, I do notice the accounting request sent by hostapd is very basic and what should I do if i need to add more attribute? For example, the accounting packet do not include the full username i.e. user@domain. Looking for your advice.
rad_recv: Accounting-Request packet from host 61.4.124.254:56195, id=35, length=155 Acct-Session-Id = "00000000-00000000" Acct-Status-Type = Start Acct-Authentic = RADIUS User-Name = "user" NAS-Identifier = "61test.com" NAS-Port = 0 Called-Station-Id = "00-02-6F-43-8E-E1:61test" Calling-Station-Id = "00-14-A5-D9-09-07" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b"
I am also setting up FreeBSD + hostapd + freeRadius and accounting... Did anybody notice, that hostapd *always* sends a NAS-Port with a value of 0 for *any* connected station? This happens for me with the hostapd 0.4.8 included with FreeBSD 6.2, as well as with hostapd 0.5.8. And it is presumably the reason, why I cannot seem to get radwho to function properly. The radutmp module seems to use a combination of NAS-Identifier and NAS-Port to differentiate it's records. When station-B associates to the AP, the radutmp record for station-A gets overwritten :-( Andreas -- Keep it icy man. I don't want to end up a corpse before my time because you were daydreaming.
Andreas Wetzel wrote:
Did anybody notice, that hostapd *always* sends a NAS-Port with a value of 0 for *any* connected station? This happens for me with the hostapd 0.4.8 included with FreeBSD 6.2, as well as with hostapd 0.5.8. And it is presumably the reason, why I cannot seem to get radwho to function properly. The radutmp module seems to use a combination of NAS-Identifier and NAS-Port to differentiate it's records. When station-B associates to the AP, the radutmp record for station-A gets overwritten :-(
Many AP's do something similar. Since the connection between the end host and the AP is wireless, there's no physical port for them to connect to. So there's no physical port to report to the RADIUS server. The solution on the RADIUS server is to have a "utmp" file with a configurable key. In this case, you would use the client MAC address. However, doing that involves re-writing the radutmp module. It also needs to be re-written to support IPv6, too. Alan DeKok.
Alan DeKok wrote:
Andreas Wetzel wrote:
Did anybody notice, that hostapd *always* sends a NAS-Port with a value of 0 for *any* connected station? This happens for me with the hostapd 0.4.8 included with FreeBSD 6.2, as well as with hostapd 0.5.8. And it is presumably the reason, why I cannot seem to get radwho to function properly. The radutmp module seems to use a combination of NAS-Identifier and NAS-Port to differentiate it's records. When station-B associates to the AP, the radutmp record for station-A gets overwritten :-(
Many AP's do something similar. Since the connection between the end host and the AP is wireless, there's no physical port for them to connect to. So there's no physical port to report to the RADIUS server.
Yes, but in the case of hostapd I believe this is a bug. Internally it assigns IDs starting at index 1, which should go into the NAS-Port attribute. But for some reason it always ends up with 0. Another issue is the Acct-Session-Id attribute, which also seems to always contain '00000000-00000000'. And if you have freeradius send an Acct-Session-Id in the Access-Accept reply using the acct_unique module, it is simply ignored by hostapd.
The solution on the RADIUS server is to have a "utmp" file with a configurable key. In this case, you would use the client MAC address.
However, doing that involves re-writing the radutmp module. It also needs to be re-written to support IPv6, too.
... and needs to be rewritten to support a string, long enough to hold the 17 character MAC-address string from the Calling-Station-Id attribute :-) Andreas -- Keep it icy man. I don't want to end up a corpse before my time because you were daydreaming.
Andreas Wetzel wrote:
Yes, but in the case of hostapd I believe this is a bug. Internally it assigns IDs starting at index 1, which should go into the NAS-Port attribute. But for some reason it always ends up with 0.
Does it track multiple connections from the same host? i.e. connect/disconnect/connect. Will the NAS port still be the same?
Another issue is the Acct-Session-Id attribute, which also seems to always contain '00000000-00000000'.
That's a definite bug.
And if you have freeradius send an Acct-Session-Id in the Access-Accept reply using the acct_unique module, it is simply ignored by hostapd.
I don't think that's possible for ANY NAS. Alan DeKok.
Alan DeKok wrote:
Andreas Wetzel wrote:
Yes, but in the case of hostapd I believe this is a bug. Internally it assigns IDs starting at index 1, which should go into the NAS-Port attribute. But for some reason it always ends up with 0.
Does it track multiple connections from the same host? i.e. connect/disconnect/connect. Will the NAS port still be the same?
hostapd maintains a chained list of station info structs. One field of which is: u16 aid; /* STA's unique AID (1 .. 2007) or 0 if not yet assigned */ This is what goes into the NAS-Port attribute. The point is, when I insert a debug printf, that outputs this aid, when the station has associated, it contains '1' for example. But to the time the RADIUS packet is sent, it is '0'. And until now, I have no idea how comes. I only found one location in the source, where aid is ever written to.
Another issue is the Acct-Session-Id attribute, which also seems to always contain '00000000-00000000'.
That's a definite bug.
Affirmative.
And if you have freeradius send an Acct-Session-Id in the Access-Accept reply using the acct_unique module, it is simply ignored by hostapd.
I don't think that's possible for ANY NAS.
I remember some document mentioning, that if the RADIUS server sends an Acct-Session-Id in the Access-Accept reply, the NAS should use this in accounting, just like it does with a User-Name from the Access-Accept. So I thought, I'd give it a try. BTW: is there any IPv6 equivalent of the Framed-IP-Address attribute? I found NAS-IPv6-Address in the dictionary files, but no Framed-IPv6-Address. Andreas -- Keep it icy man. I don't want to end up a corpse before my time because you were daydreaming.
Andreas Wetzel wrote:
I remember some document mentioning, that if the RADIUS server sends an Acct-Session-Id in the Access-Accept reply, the NAS should use this in accounting, just like it does with a User-Name from the Access-Accept.
Hmm.. maybe in RFC 2866.
So I thought, I'd give it a try.
BTW: is there any IPv6 equivalent of the Framed-IP-Address attribute? I found NAS-IPv6-Address in the dictionary files, but no Framed-IPv6-Address.
There's Framed-IPv6-Prefix. Alan DeKok.
Let's try like Yoda: Auth-Type set you do not!!!! Ivan Kalik Kalik Informatika ISP Dana 3/7/2007, "cktan@ocesb.com.my" <cktan@ocesb.com.my> piše:
Hi Alan,
After try to remove the Auth-Type in users and let radius auto detect the method, also add in another 3 new attribute in ldif, below is the different message I get. Can you please have a look? Thanks.
modcall[authorize]: module "ldap_1x" returns ok for request 4 modcall: group Autz-Type returns ok for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP-Message not found rlm_eap: Malformed EAP Message modcall[authenticate]: module "eap" returns fail for request 4 modcall: group authenticate returns fail for request 4 auth: Failed to validate the user.
New ldif : dn: uid=user, ou=People, dc=ocesb, dc=com, dc=my, dc=. mailLocalAddress: user@ocesb.com.my givenName: Tan Chee accountStatus: active radiusClass: 0x01 objectClass: inetLocalMailRecipient objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: radiusprofile objectClass: qmailUser objectClass: posixAccount objectClass: top objectClass: shadowAccount mailRoutingAddress: user@mail.ocesb.com.my mailQuotaSize: 2000000000 userPassword:: b2NlYm9sZWg= shadowLastChange: 12745 mailAlternateAddress: it@ocesb.com.my mailMessageStore: vmail/ocesb.com.my/user/Maildir/ uid: user mail: user@ocesb.com.my uidNumber: 5000 radiusGroupName: test cn: Tan Chee Keong radiusAuthType: EAP dialupAccess: Yes loginShell: /bin/false gidNumber: 5000 shadowMax: 99999 gecos: Tan Chee Keong mailHost: mailpj.ocesb.com.my homeDirectory: /home/vmail/ocesb.com.my/user sn: Keong
Alan DeKok wrote:
cktan@ocesb.com.my wrote: ...
rad_check_password: Found Auth-Type LDAP1
Why did you set that? It's breaking EAP.
Read eap.conf. DO NOT SET AUTH-TYPE.
This comes up so often on the list, and it's documented in so many places, that I'm don't understand why people still run into it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- CK Tan IT Manager
Optical Communication Engineering S/B 19, Jalan Semangat, 46200 Petaling Jaya, Selangor Darul Ehsan Tel: +60 3 76808000 EXT:1205 Fax: +60 3 76808010 H/P: +60 12 9033077 email: cktan@ocesb.com.my
I'm trying to get FreeRadius working on a Fedora Core 6 server with a view to eventually using it to authenticate against Windows Active Directory via ntlm_auth for the Janet Roaming Service. The first attempts at configuring it failed rather drastically so I went back to the beginning and I'm doing things one step at at time, making one-line changes to configs then using radtest and/or radclient to ensure it still works. I can now authenticate a users defined in users file, or in the Unix passwd file, from radtest on local machine. (i.e. the same one the server is running on). Next step is to check that I can use FreeRadius over the network by trying radclient on another machine. It doesn't work from the networked machine. I see the "invalid signature (err=2)! (Shared secret is incorrect.)" message. Debug log says to "double check the shared secret on the server". I have more than double checked it. I'm using the same shared secret on both machines. I "know" the shared secret is correct because it works from the local machine. But obviously it isn't! Because the encrypted password can't be read on the server. What can I do to make sure the shared secret truly is correct? The definitions for both hosts are identical in the clients.conf file. At one point I manually edited them to swap the names of servers while leaving the secrets the same, just in case there was some hidden unprintable character - but the new local one still worked, proving that the two entries in the clients.conf file are in fact identical. The shared secrets used in the radtest command are identical. I'm cutting and pasting the *same* radtest command in, not retyping it. To test for sure I put radclient commands in scripts on the remote machine, where they failed. Then I ftped them from the machine they failed on to the other one - where they worked! So it *has* to be the same! And if I alter it in any way there then radtest fails so its not getting a free passage just because its local. I have a horrid fear I've missed something totally obvious about how radclient works and that I'm doing something really really stupid stupid - but I can't see what. And I've been stuck here for over a week now. Any clues? From the local machine I get: =================== [ken@monstera ~]$ /usr/local/bin/radtest -d /etc/raddb username@bbk.ac.uk password server.IP.addr 122 sharedsecret Sending Access-Request of id 121 to server.IP.addr port 1812 User-Name = "username@bbk.ac.uk" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 122 rad_recv: Access-Accept packet from host server.IP.addr:1812, id=121, length=20 =================== But when I try from the remote machine I get: =================== /usr/local/bin/radtest -d /etc/raddb username@bbk.ac.uk password server.IP.addr 122 sharedsecret Sending Access-Request of id 184 to server.IP.addr port 1812 User-Name = "username@bbk.ac.uk" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 122 rad_recv: Access-Reject packet from host server.IP.addr:1812, id=184, length=20 rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) [ken@ficus ~]$ /usr/local/bin/radtest -d /etc/raddb username@bbk.ac.uk password server.IP.addr 122 sharedsecret Sending Access-Request of id 246 to server.IP.addr port 1812 User-Name = "username@bbk.ac.uk" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 122 rad_recv: Access-Reject packet from host server.IP.addr:1812, id=246, length=20 rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) [ken@ficus ~]$ /usr/local/bin/radtest -d /etc/raddb username@bbk.ac.uk password server.IP.addr 122 sharedsecret Sending Access-Request of id 7 to server.IP.addr port 1812 User-Name = "username@bbk.ac.uk" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 122 rad_recv: Access-Reject packet from host server.IP.addr:1812, id=7, length=20 rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) ================== I strongly suspect that I am doing something stupid on the client side, because the same request works from the local server. But just in case its relevant, on the server in debug mode the failed transaction looks like this: ================== rad_recv: Access-Request packet from host client.IP.addr:32772, id=61, length=68 User-Name = "username@bbk.ac.uk" User-Password = "V\303\245\321\364Fb\334\373\275\242\203\\o6\264" NAS-IP-Address = 255.255.255.255 NAS-Port = 122 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 radius_xlat: '/var/log/radius/radacct/client.IP.addr/auth-detail-20070703' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/client.IP.addr/auth-detail-20070703 modcall[authorize]: module "auth_log" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: Looking up realm "bbk.ac.uk" for User-Name = "username@bbk.ac.uk" rlm_realm: Found realm "bbk.ac.uk" rlm_realm: Adding Stripped-User-Name = "username" rlm_realm: Proxying request from user username to realm bbk.ac.uk rlm_realm: Adding Realm = "bbk.ac.uk" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 9 users: Matched entry DEFAULT at line 20 modcall[authorize]: module "files" returns ok for request 9 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns ok) for request 9 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 modcall[authenticate]: module "unix" returns notfound for request 9 modcall: leaving group authenticate (returns notfound) for request 9 auth: Failed to validate the user. WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS! Delaying request 9 for 1 seconds Finished request 9 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 61 to client.IP.addr port 32772 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 9 ID 61 with timestamp 468aaada Nothing to do. Sleeping until we see a request. ================== And a successful one looks like this - the obvious difference is that the password is in clear (though I have obfuscated it here) - as would be expected if there was no shared secret. ================== rad_recv: Access-Request packet from host server.IP.addr:32770, id=170, length=46 User-Name = "username" User-Password = "password" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 radius_xlat: '/var/log/radius/radacct/server.IP.addr/auth-detail-20070703' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/server.IP.addr/auth-detail-20070703 modcall[authorize]: module "auth_log" returns ok for request 10 modcall[authorize]: module "chap" returns noop for request 10 modcall[authorize]: module "mschap" returns noop for request 10 rlm_realm: No '@' in User-Name = "username", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "username" rlm_realm: Proxying request from user username to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 10 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 10 users: Matched entry username at line 2 modcall[authorize]: module "files" returns ok for request 10 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 10 modcall: leaving group authorize (returns ok) for request 10 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password matches local User-Password Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 10 radius_xlat: '/var/log/radius/radacct/server.IP.addr/reply-detail-20070703' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/server.IP.addr/reply-detail-20070703 modcall[post-auth]: module "reply_log" returns ok for request 10 modcall: leaving group post-auth (returns ok) for request 10 Sending Access-Accept of id 170 to server.IP.addr port 32770 Finished request 10 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 10 ID 170 with timestamp 468aab69 Nothing to do. Sleeping until we see a ================== Debug of startup looks like this (same in both cases obviously). I made new conf files to contain any local changes I might make & to yhelp me find my way aroudn radiusd.conf more easily - but they are just the sections of conf I might want to change pulled out and INCLUDEd back in so no substantial change: ================== /usr/local/sbin/radiusd -X -d /etc/raddb Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/bbk_fr_listen.conf Config: including file: /etc/raddb/bbk_fr_security.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/bbk_fr_mschap.conf Config: including file: /etc/raddb/bbk_fr_ldap.conf Config: including file: /etc/raddb/bbk_fr_passwd.conf Config: including file: /etc/raddb/bbk_fr_realms.conf Config: including file: /etc/raddb/bbk_fr_details.conf Config: including file: /etc/raddb/sql.conf Config: including file: /etc/raddb/bbk_fr_radutmp.conf Config: including file: /etc/raddb/bbk_fr_counters.conf Config: including file: /etc/raddb/bbk_fr_exec.conf Config: including file: /etc/raddb/bbk_fr_ippool.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/radius2.bbk.ac.uk.key" tls: certificate_file = "/etc/raddb/certs/radius2.bbk.ac.uk.pem" tls: CA_file = "/etc/raddb/certs/ct_root.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (pre_proxy_log) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (post_proxy_log) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (reply_log) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. ================== FreeRADIUS Version 1.1.5, for host i686-pc-linux-gnu, built on Mar 9 2007 at 15:07:40 The configurations are minimal: relevant entries in clients file: ================== client nnn.nnn.nnn.nnn { secret = sharedsecret shortname = monstera nastype = other } client nnn.nnn.nnn.nnn { secret = sharedsecret shortname = ficus nastype = other } ================== relevant entry in users file ================== username Auth-Type := Local, User-Password == "password" ================== As I said, authentication works for the host on which Freeradius is running, but not on the other.
participants (7)
-
Alan DeKok -
Andreas Wetzel -
Andrew Tomaszewski -
cktan@ocesb.com.my -
ken -
tnt@kalik.co.yu -
Vincenzo Agosti