trigger an Access Challenge
Hello! I want to test a radius client with the freeradius server. Access Requests and Replies works fine, but although I searched this mailing list and several websites I still have no idea how to trigger an Access Challenge. It would be very nice, if somebody could tell me how I have to configure freeradius, so that it sends an access challenge to my client. Thanks in advance Regards, Ronny
I want to test a radius client with the freeradius server. Access Requests and Replies works fine, but although I searched this mailing list and several websites I still have no idea how to trigger an Access Challenge. It would be very nice, if somebody could tell me how I have to configure freeradius, so that it sends an access challenge to my client.
Send a request for an authentication protocol that requires multiple server-client exchanges (like EAP). If server needs more information from the client it will respond with the challenge. Ivan Kalik Kalik Informatika ISP
Thanks for reply. But the client that I use, only supports PAP and CHAP requests and neither of them initiates the server to send an Access Challenge. That is why I tried to create the challenge with the help of the perl module. Then I realized that freeradius.net unfortunatly doesn't include this module. After spending serveral hours in setting up a linux environment I'm in despair of this perl script. Perhaps somebody can tell me why it doesn't work!? sub authenticate { # For debugging purposes only &log_request_attributes; if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) { # Reject user and tell him why $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function"; return RLM_MODULE_REJECT; } else { # send the challenge $RAD_REPLY{'State'} = "challenge"; $RAD_REPLY{'Reply-Message'} = "challenge: "; $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge"; return RLM_MODULE_HANDLED; } } If I'm not completely wrong, it's the same that worked for this guy: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47425.h... But the server doesn't send the reply to the client (Timeout at clientside) -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+voigt=bi-web.de@lists.freeradius.org [mailto:freeradius-users-bounces+voigt=bi-web.de@lists.freeradius.org] Im Auftrag von tnt@kalik.net Gesendet: Dienstag, 24. Februar 2009 00:07 An: FreeRadius users mailing list Betreff: Re: trigger an Access Challenge
I want to test a radius client with the freeradius server. Access Requests and Replies works fine, but although I searched this mailing list and several websites I still have no idea how to trigger an Access Challenge. It would be very nice, if somebody could tell me how I have to configure freeradius, so that it sends an access challenge to my client.
Send a request for an authentication protocol that requires multiple server-client exchanges (like EAP). If server needs more information from the client it will respond with the challenge. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for reply. But the client that I use, only supports PAP and CHAP requests and neither of them initiates the server to send an Access Challenge.
So what is client going to do with the challenge when it gets it?
That is why I tried to create the challenge with the help of the perl module Then I realized that freeradius.net unfortunatly doesn't include this module. After spending serveral hours in setting up a linux environment I'm in despair of this perl script. Perhaps somebody can tell me why it doesn't work!?
Post the debug. Maybe server *did* send the challenge but client doesn't know what to do with it. Ivan Kalik Kalik Informatika ISP
The challenge is outputted to the user that triggered the challenge, expecting that he can answer it. I have no idea if the productive system ever will send a challenge and if how it will looks like. I just wanted to test out client, if it can handle it. -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+voigt=bi-web.de@lists.freeradius.org [mailto:freeradius-users-bounces+voigt=bi-web.de@lists.freeradius.org] Im Auftrag von tnt@kalik.net Gesendet: Dienstag, 24. Februar 2009 18:31 An: FreeRadius users mailing list Betreff: Re: AW: trigger an Access Challenge
Thanks for reply. But the client that I use, only supports PAP and CHAP requests and neither of them initiates the server to send an Access Challenge.
So what is client going to do with the challenge when it gets it?
That is why I tried to create the challenge with the help of the perl module Then I realized that freeradius.net unfortunatly doesn't include this module. After spending serveral hours in setting up a linux environment I'm in despair of this perl script. Perhaps somebody can tell me why it doesn't work!?
Post the debug. Maybe server *did* send the challenge but client doesn't know what to do with it. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry for sending this message twice, but I forgot the debug output. --- Thanks for reply. But the client that I use, only supports PAP and CHAP requests and neither of them initiates the server to send an Access Challenge. That is why I tried to create the challenge with the help of the perl module. Then I realized that freeradius.net unfortunatly doesn't include this module. After spending serveral hours in setting up a linux environment I'm in despair of this perl script. Perhaps somebody can tell me why it doesn't work!? sub authenticate { # For debugging purposes only &log_request_attributes; if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) { # Reject user and tell him why $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function"; return RLM_MODULE_REJECT; } else { # send the challenge $RAD_REPLY{'State'} = "challenge"; $RAD_REPLY{'Reply-Message'} = "challenge: "; $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge"; return RLM_MODULE_HANDLED; } } If I'm not completely wrong, it's the same that worked for this guy: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47425.h... But the server doesn't send the reply to the client (Timeout at clientside) rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71 User-Name = "radius" NAS-IP-Address = 10.0.1.131 CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "radius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry radius at line 52 modcall[authorize]: module "files" returns ok for request 0 perl_pool: item 0xb809a5f0 asigned new request. Handled so far: 1 found interpetator at address 0xb809a5f0 rlm_perl: Added pair User-Password = pass rlm_perl: Added pair Auth-Type = Perl perl_pool total/active/spare [5/0/5] Unreserve perl at address 0xb809a5f0 modcall[authorize]: module "perl" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Perl auth: type "Perl" Processing the authenticate section of radiusd.conf modcall: entering group Perl for request 0 perl_pool: item 0xb8181050 asigned new request. Handled so far: 1 found interpetator at address 0xb8181050 rlm_perl: RAD_REQUEST: Client-IP-Address = 10.0.1.131 rlm_perl: RAD_REQUEST: CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455 rlm_perl: RAD_REQUEST: CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a rlm_perl: RAD_REQUEST: User-Name = radius rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.131 rlm_perl: RAD_REPLY: Reply-Message = challenge: rlm_perl: RAD_REPLY: User-Password = pass rlm_perl: RAD_REPLY: State = challenge rlm_perl: Added pair Reply-Message = challenge: rlm_perl: Added pair User-Password = pass rlm_perl: Added pair State = challenge rlm_perl: Added pair Response-Packet-Type = Access-Challenge rlm_perl: Added pair Auth-Type = Perl perl_pool total/active/spare [5/0/5] Unreserve perl at address 0xb8181050 modcall[authenticate]: module "perl" returns handled for request 0 modcall: leaving group Perl (returns handled) for request 0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71 Discarding duplicate request from client localhost:57004 - ID: 7 --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71 Discarding duplicate request from client localhost:57004 - ID: 7 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 7 with timestamp 49a4220b Nothing to do. Sleeping until we see a request. If this makes sense to somebody, I would be thankful for an advice :-) Regards, Ronny -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+voigt=bi-web.de@lists.freeradius.org [mailto:freeradius-users-bounces+voigt=bi-web.de@lists.freeradius.org] Im Auftrag von tnt@kalik.net Gesendet: Dienstag, 24. Februar 2009 00:07 An: FreeRadius users mailing list Betreff: Re: trigger an Access Challenge
I want to test a radius client with the freeradius server. Access Requests and Replies works fine, but although I searched this mailing list and several websites I still have no idea how to trigger an Access Challenge. It would be very nice, if somebody could tell me how I have to configure freeradius, so that it sends an access challenge to my client.
Send a request for an authentication protocol that requires multiple server-client exchanges (like EAP). If server needs more information from the client it will respond with the challenge. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But the server doesn't send the reply to the client (Timeout at clientside)
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71 User-Name = "radius" NAS-IP-Address = 10.0.1.131 CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "radius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry radius at line 52 modcall[authorize]: module "files" returns ok for request 0 perl_pool: item 0xb809a5f0 asigned new request. Handled so far: 1 found interpetator at address 0xb809a5f0 rlm_perl: Added pair User-Password = pass rlm_perl: Added pair Auth-Type = Perl perl_pool total/active/spare [5/0/5] Unreserve perl at address 0xb809a5f0 modcall[authorize]: module "perl" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Perl auth: type "Perl" Processing the authenticate section of radiusd.conf modcall: entering group Perl for request 0 perl_pool: item 0xb8181050 asigned new request. Handled so far: 1 found interpetator at address 0xb8181050 rlm_perl: RAD_REQUEST: Client-IP-Address = 10.0.1.131 rlm_perl: RAD_REQUEST: CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455 rlm_perl: RAD_REQUEST: CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a rlm_perl: RAD_REQUEST: User-Name = radius rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.131 rlm_perl: RAD_REPLY: Reply-Message = challenge: rlm_perl: RAD_REPLY: User-Password = pass rlm_perl: RAD_REPLY: State = challenge rlm_perl: Added pair Reply-Message = challenge: rlm_perl: Added pair User-Password = pass rlm_perl: Added pair State = challenge rlm_perl: Added pair Response-Packet-Type = Access-Challenge rlm_perl: Added pair Auth-Type = Perl perl_pool total/active/spare [5/0/5] Unreserve perl at address 0xb8181050 modcall[authenticate]: module "perl" returns handled for request 0 modcall: leaving group Perl (returns handled) for request 0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds...
That's an outdated server version. Upgrade. It works in the current version. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ronny Voigt -
tnt@kalik.net