radlogin works, mobile device not
Hi everybody, I've a Problem with my freeradius installation. In the office i have access points, which will authenticate over the freeradius server. Freeradius should look in ldap for username and password. Thats what i get when i try to login with an iphone or ipad. rad_recv: Access-Request packet from host 10.119.12.3 port 1178, id=17, length=199 Message-Authenticator = 0x0842b4ee5b5b8aa8cdfd939570dc1cc3 Service-Type = Framed-User User-Name = "test.user" Framed-MTU = 1488 Called-Station-Id = "204E7FE98E93:test-int" Calling-Station-Id = "145A05C362D4" NAS-Identifier = "aptest03" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001501646f6d696e697175652e6d6f747a6574 NAS-IP-Address = 10.119.12.3 NAS-Port = 2 NAS-Port-Id = "STA port # 2" +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "test.user", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for dominique.motzet WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=test.user)) expand: dc=test,dc=local -> dc=test,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,dc=test,dc=local/Testing123 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=test,dc=local, with filter (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=test.user)) rlm_ldap: checking if remote access for dominique.motzet is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{crypt}$1$cyxWDOrg$J0RAKfQ8wiqboGuKakbNx0" rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x3245453043333441393146393533443035414246463830413531433346433037 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x4633413830383632323945384445453438314645364439304239333331374342 rlm_ldap: looking for reply items in directory... rlm_ldap: user test.user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [test.user/<no User-Password attribute>] (from client aptest03 port 2 cli 145A05C362D4) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> test.user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Thx for help. MJ -- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33
Yes i know. I searched felt 10 hours, but nowhere i found anything taht is setting the auth type to local. When i make radlogin it takes auth type ldap and then it works. Where could that be set? I'll search another time... Yeah i read that about a million times, that this never should be set. Thanks in advance. Best regards Am 09/07/2012 03:20 PM, schrieb Phil Mayers:
On 07/09/12 14:03, Mihajlo Joksimovic wrote:
auth: type Local
This is your problem. Something is setting Auth-Type to "Local". Search through your files/database and remove that.
Don't set Auth-Type. Let the server figure it out. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33
On Fri, Sep 7, 2012 at 8:03 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
rad_recv: Access-Request packet from host 10.119.12.3 port 1178, id=17, length=199
EAP-Message = 0x0200001501646f6d696e697175652e6d6f747a6574
rlm_ldap: - authorize
what version is this? AFAIK the debug log for 2.x does not look like this. If you're still using 1.x, upgrade.
rlm_ldap: performing user authorization for dominique.motzet
If it's EAP you shouldn't need to use authorize in the outer tunnel So again, what version of FR did you use? What changes have you made? The default configuration should handle EAP correctly. You just need to edit sites-available/inner-tunnel to handle the inner tunnel correctly (e.g. by using LDAP for authorization) -- Fajar
ii freeradius 2.0.4+dfsg-6.61.201011221519 a high-performance and highly configurable R it's version 2.0.4. well i deactivated inner tunnel and configured everything in default. is that wrong? kind regards Am 09/07/2012 03:28 PM, schrieb Fajar A. Nugraha:
On Fri, Sep 7, 2012 at 8:03 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
rad_recv: Access-Request packet from host 10.119.12.3 port 1178, id=17, length=199 EAP-Message = 0x0200001501646f6d696e697175652e6d6f747a6574
rlm_ldap: - authorize what version is this? AFAIK the debug log for 2.x does not look like this. If you're still using 1.x, upgrade.
rlm_ldap: performing user authorization for dominique.motzet If it's EAP you shouldn't need to use authorize in the outer tunnel
So again, what version of FR did you use? What changes have you made? The default configuration should handle EAP correctly. You just need to edit sites-available/inner-tunnel to handle the inner tunnel correctly (e.g. by using LDAP for authorization)
-- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33
On 07/09/12 14:37, Mihajlo Joksimovic wrote:
ii freeradius 2.0.4+dfsg-6.61.201011221519 a high-performance and highly configurable R
it's version 2.0.4.
It still doesn't look right. The logs look wrong. Anyway, you should upgrade to 2.1.12 at least. Start with a default config. Make small changes. Check each successful config into version control.
On Fri, Sep 7, 2012 at 8:37 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
ii freeradius 2.0.4+dfsg-6.61.201011221519 a high-performance and highly configurable R
it's version 2.0.4.
Upgrade.
well i deactivated inner tunnel and configured everything in default. is that wrong?
If you want to use EAP, it's VERY wrong. -- Fajar
Personally i want freeradius just to work with IPhones or other devices. But the debug mode doesnt show any try to connect to LDAP. rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19, length=197 Message-Authenticator = 0xb75eef411ae5dd032df4d51d75b5174e Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_unix: [nadine.bosshard]: invalid shell [/bin/false] ++[unix] returns reject Invalid user: [nadine.bosshard/<via Auth-Type = EAP>] (from client aptcsvo02 port 1 cli 9803D861E85C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> nadine.bosshard attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19, length=197 Waiting to send Access-Reject to client aptcsvo02 port 1313 - ID: 19 Sending delayed reject for request 1 Sending Access-Reject of id 19 to 10.119.12.2 port 1313 Waking up in 4.9 seconds. Cleaning up request 1 ID 19 with timestamp +53655 Ready to process requests. rad_recv: Access-Request packet from host 10.119.12.2 port 1314, id=20, length=197 Message-Authenticator = 0x0893415ae4d24bc109a2109f68e2035b Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_unix: [nadine.bosshard]: invalid shell [/bin/false] ++[unix] returns reject Invalid user: [nadine.bosshard/<via Auth-Type = EAP>] (from client aptcsvo02 port 1 cli 9803D861E85C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> nadine.bosshard attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1314, id=20, length=197 Waiting to send Access-Reject to client aptcsvo02 port 1314 - ID: 20 Sending delayed reject for request 2 Sending Access-Reject of id 20 to 10.119.12.2 port 1314 Waking up in 4.9 seconds. Cleaning up request 2 ID 20 with timestamp +53680 Ready to process requests. I now configured the whole thing new. But I dont find any entries in logs, which give me a hint what my problem with LDAP is... Thanks for the help... Mihajlo Joksimovic Am 09/07/2012 04:41 PM, schrieb Fajar A. Nugraha:
On Fri, Sep 7, 2012 at 8:37 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
ii freeradius 2.0.4+dfsg-6.61.201011221519 a high-performance and highly configurable R
it's version 2.0.4. Upgrade.
well i deactivated inner tunnel and configured everything in default. is that wrong? If you want to use EAP, it's VERY wrong.
-- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33
On Tue, Sep 11, 2012 at 1:30 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
Personally i want freeradius just to work with IPhones or other devices.
It should. If you don't break the configuration
But the debug mode doesnt show any try to connect to LDAP.
Have you upgrade? Have you configured sites-available/inner-tunnel? Do you have line that says "ldap" inside authorize section of sites-available/inner-tunnel? -- Fajar
well i cannot update the installation because its an univention installation. i activated the sections in inner-tunnel like that. and radlogin will connect properly to ldap. when someone wants to connect via access point, it is not possible... authorize { ... # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap ... } authenticate { ... # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } ... }
On Tue, Sep 11, 2012 at 2:13 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
well i cannot update the installation because its an univention installation.
Then ask them for help.
i activated the sections in inner-tunnel like that.
(sigh) had you provided full debug log, we'd be able to see whether or not FR REALLY picks up the inner tunnel. But you didn't provide that.
and radlogin will connect properly to ldap. when someone wants to connect via access point, it is not possible...
authorize { ... # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap ... }
your debug log contradicts your statement. Either you did not have it in inner tunnel, or your default virtual server is broken so that it DOESN'T use inner tunnel.
authenticate { ... # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap }
If you store passwords as plain text, you won't need that. If you REALLY want to solve your problem, then listen to the suggestions. If you can't upgrade your current server, then at least setup a NEW server for testing purposes. Do what Phil suggests: Start with a default config. Make small changes. Check each successful config into version control. That way you can know where the problem is. If it's a bug in univention package version or config file, then ask them. The default FR setup should work with minimal changes. -- Fajar
Well its no univention package, its only from the univention repo. they dont like other repos in their system. Well i started with a fresh installation and made minimal changes. i put in the ap's in clients.conf, activated and configured ldap and copied the certs in the correct direction. well i also activated all the log options for better debugging. ill post two more things. the output from start with -X and the inner-tunnel. This is the output when i start with -X: root@srtcsvo04:/etc/univention/ssl# /usr/sbin/freeradius -X FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Nov 22 2010 at 14:36:23 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "***" nastype = "other" } client 10.119.12.1 { require_message_authenticator = no secret = "***" shortname = "aptcsvo01" nastype = "other" } client 10.119.12.2 { require_message_authenticator = no secret = "***" shortname = "aptcsvo02" nastype = "other" } client 10.119.12.3 { require_message_authenticator = no secret = "***" shortname = "aptcsvo03" nastype = "other" } client 10.119.12.4 { require_message_authenticator = no secret = "AhVeig1nai" shortname = "aptcsvo04" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "***" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_pam Module: Instantiating pam pam { pam_auth = "radiusd" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "localhost" port = 389 password = "pPWSrf5" identity = "cn=admin,dc=tcsvo,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes require_cert = "allow" } basedn = "dc=tcsvo,dc=local" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "sambaLmPassword,sambaNtPassword" auto_header = no access_attr = "uid" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x18a2540 Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/private.key" certificate_file = "/etc/freeradius/certs/cert.pem" CA_file = "/etc/freeradius/certs/CAcert.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. and here is the inner-tunnel: root@srtcsvo04:/etc/univention/ssl# cat /etc/freeradius/sites-enabled/inner-tunnel # -*- text -*- ###################################################################### # # This is a virtual server that handles *only* inner tunnel # requests for EAP-TTLS and PEAP types. # # $Id: inner-tunnel,v 1.6 2008/03/29 21:33:12 aland Exp $ # ###################################################################### server inner-tunnel { # # Un-comment the next section to perform test on the inner tunnel # without needing an outer tunnel session. The tests will not be # exactly the same as when TTLS or PEAP are used, but they will # be close enough for many tests. # #listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module, above. # unix # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # # Note that proxying the inner tunnel authentication means # that the user MAY use one identity in the outer session # (e.g. "anonymous", and a different one here # (e.g. "user@example.com"). The inner session will then be # proxied elsewhere for authentication. If you are not # careful, this means that the user can cause you to forward # the authentication to another RADIUS server, and have the # accounting logs *not* sent to the other server. This makes # it difficult to bill people for their network activity. # suffix # ntdomain # # The "suffix" module takes care of stripping the domain # (e.g. "@example.com") from the User-Name attribute, and the # next few lines ensure that the request is not proxied. # # If you want the inner tunnel request to be proxied, delete # the next few lines. # update control { Proxy-To-Realm := LOCAL } # # This module takes care of EAP-MSCHAPv2 authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } # # Read the 'users' file files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf # sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'etc_smbpasswd' module, above. # etc_smbpasswd # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap # # Enforce daily limits on time spent logged in. # daily # # Use the checkval module # checkval expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # pap } # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the apropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user, or forcibly accept him. # authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # Pluggable Authentication Modules. pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } # # Allow EAP authentication. eap } ###################################################################### # # There are no accounting requests inside of EAP-TTLS or PEAP # tunnels. # ###################################################################### # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp # # See "Simultaneous Use Checking Queries" in sql.conf # sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # Note that we do NOT assign IP addresses here. # If you try to assign IP addresses for EAP authentication types, # it WILL NOT WORK. You MUST use DHCP. # # If you want to have a log of authentication replies, # un-comment the following line, and the 'detail reply_log' # section, above. # reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf # sql # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. # ldap # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { attr_filter.access_reject } # # The example policy below updates the outer tunnel reply # (usually Access-Accept) with the User-Name from the inner # tunnel User-Name. Since this section is processed in the # context of the inner tunnel, "request" here means "inner # tunnel request", and "outer.reply" means "outer tunnel # reply attributes". # # This example is most useful when the outer session contains # a User-Name of "anonymous@....", or a MAC address. If it # is enabled, the NAS SHOULD use the inner tunnel User-Name # in subsequent accounting packets. This makes it easier to # track user sessions, as they will all be based on the real # name, and not on "anonymous". # # The problem with doing this is that it ALSO exposes the # real user name to any intermediate proxies. People use # "anonymous" identifiers outside of the tunnel for a very # good reason: it gives them more privacy. Setting the reply # to contain the real user name removes ALL privacy from # their session. # # If you want privacy to remain, see the # Chargeable-User-Identity attribute from RFC 4372. In order # to use that attribute, you will have to allocate a # per-session identifier for the user, and store it in a # long-term database (e.g. SQL). You should also use that # attribute INSTEAD of the configuration below. # #update outer.reply { # User-Name = "%{request:User-Name}" #} } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # attr_rewrite # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # attr_rewrite # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap # # If the server tries to proxy a request and fails, then the # request is processed through the modules in this section. # # The main use of this section is to permit robust proxying # of accounting packets. The server can be configured to # proxy accounting packets as part of normal processing. # Then, if the home server goes down, accounting packets can # be logged to a local "detail" file, for processing with # radrelay. When the home server comes back up, radrelay # will read the detail file, and send the packets to the # home server. # # With this configuration, the server always responds to # Accounting-Requests from the NAS, but only writes # accounting packets to disk if the home server is down. # # Post-Proxy-Type Fail { # detail # } } } # inner-tunnel server block Thanks for your help. Am 09/11/2012 09:27 AM, schrieb Fajar A. Nugraha:
On Tue, Sep 11, 2012 at 2:13 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
well i cannot update the installation because its an univention installation. Then ask them for help.
i activated the sections in inner-tunnel like that. (sigh)
had you provided full debug log, we'd be able to see whether or not FR REALLY picks up the inner tunnel. But you didn't provide that.
and radlogin will connect properly to ldap. when someone wants to connect via access point, it is not possible...
authorize { ... # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap ... }
your debug log contradicts your statement. Either you did not have it in inner tunnel, or your default virtual server is broken so that it DOESN'T use inner tunnel.
authenticate { ... # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } If you store passwords as plain text, you won't need that.
If you REALLY want to solve your problem, then listen to the suggestions. If you can't upgrade your current server, then at least setup a NEW server for testing purposes. Do what Phil suggests: Start with a default config. Make small changes. Check each successful config into version control.
That way you can know where the problem is. If it's a bug in univention package version or config file, then ask them. The default FR setup should work with minimal changes.
-- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33
On Tue, Sep 11, 2012 at 3:29 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
Well i started with a fresh installation and made minimal changes. i put in the ap's in clients.conf, activated and configured ldap and copied the certs in the correct direction.
that's a start
This is the output when i start with -X:
good.
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests.
... and where's the access-request packet? It should have different log compared to the one you pasted the first time, since the config is different. ... or is it you haven't tested authentication using this readius? -- Fajar
Yes i have. Here are the two different logs, one from radlogin on the server and the the second from an iphone who wants to connect. RADLOGIN: rad_recv: Access-Request packet from host 127.0.0.1 port 46391, id=99, length=71 Service-Type = Login-User User-Name = "Administrator" User-Password = "***" NAS-IP-Address = 10.119.2.4 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "Administrator", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for Administrator WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=Administrator) expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,dc=tcsvo,dc=local/pPWSrf5 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=tcsvo,dc=local, with filter (uid=Administrator) rlm_ldap: checking if remote access for Administrator is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{crypt}$1$5eEakVq3$MQZSsqhrcB6NW/aaGYuRx." rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x4139444241443137383246324236314336454541304139374238384242373245 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x4241303338423239303831394236353944463132384232444433324241443037 rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user Administrator authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type ldap auth: type "LDAP" +- entering group LDAP rlm_ldap: - authenticate rlm_ldap: login attempt by "Administrator" with password "***" rlm_ldap: user DN: uid=Administrator,cn=users,dc=tcsvo,dc=local rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: starting TLS rlm_ldap: bind as uid=Administrator,cn=users,dc=tcsvo,dc=local/D4t6Ui2g to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user Administrator authenticated succesfully ++[ldap] returns ok Login OK: [Administrator/***] (from client localhost port 0) +- entering group post-auth ++[ldap] returns noop ++[exec] returns noop Sending Access-Accept of id 99 to 127.0.0.1 port 46391 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 99 with timestamp +1284 Ready to process requests. IPhone test: rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21, length=197 Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_unix: [nadine.bosshard]: invalid shell [/bin/false] ++[unix] returns reject Invalid user: [nadine.bosshard/<via Auth-Type = EAP>] (from client aptcsvo02 port 1 cli 9803D861E85C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> nadine.bosshard attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21, length=197 Waiting to send Access-Reject to client aptcsvo02 port 1318 - ID: 21 Sending delayed reject for request 0 Sending Access-Reject of id 21 to 10.119.12.2 port 1318 Waking up in 4.9 seconds. Cleaning up request 0 ID 21 with timestamp +1333 Ready to process requests. Am 09/11/2012 10:42 AM, schrieb Fajar A. Nugraha:
On Tue, Sep 11, 2012 at 3:29 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
Well i started with a fresh installation and made minimal changes. i put in the ap's in clients.conf, activated and configured ldap and copied the certs in the correct direction. that's a start
This is the output when i start with -X: good.
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. ... and where's the access-request packet?
It should have different log compared to the one you pasted the first time, since the config is different.
... or is it you haven't tested authentication using this readius?
-- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33
Mihajlo Joksimovic wrote:
Yes i have.
Here are the two different logs, one from radlogin on the server and the the second from an iphone who wants to connect.
1) Learn how to edit your messages. 2) READ THE MESSAGES YOU POST The answer to your problem is in the message you posted. Read it. The whole POINT of debugging mode is to READ THE OUTPUT. So... GO READ THE OUTPUT. If you don't have time to read the output, then neither do we. Alan DeKok.
On Tue, Sep 11, 2012 at 3:54 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
IPhone test: rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21, length=197 Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec
Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
There should be other lines before that. Like the ones that says it's using inner-tunnel?
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false] ++[unix] returns reject
Did you read that line? You have "unix" in authorize section of inner tunnel. And user nadine.bosshard is not allowed to login to the system (invalid shell). FR does the right thing. Comment-out that line in inner tunnel. Your radlogin test succeed because you don't have "unix" in authorize section of default virtual server. See how important complete debug logs are? ... and seriously, upgrade. There are many known bugs fixed since 2.0.x. And if you can edit the configuration freely by hand, you should be able to upgrade. -- Fajar
Fajar A. Nugraha wrote:
... and seriously, upgrade. There are many known bugs fixed since 2.0.x. And if you can edit the configuration freely by hand, you should be able to upgrade.
He's also doing freeradius consulting for $$. a) be competent at the job you get paid for b) pay someone else to do the job Alan DeKok.
No there are no other lines before that one. I cannot update, because univention ucs2.4 is based on lenny and FR 2.2 depends on newer packets from squeeze. Already tried that. well radlogin worked even when unix in default was active. But after i #-ed everything with unix i could login. After the login there comes the information for accepting the certificate. But after a klick for accepting there comes the loginscreen another time. output from -X: rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=74, length=197 Message-Authenticator = 0xb8f705a6d721830c471b297ff86bc1da Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for nadine.bosshard WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,dc=tcsvo,dc=local/pPWSrf5 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=tcsvo,dc=local, with filter (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/" rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x4431393433313746304145303337384139434535423745394230313835334233 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3944443632393938313730333033343036463342414634373331353033384646 rlm_ldap: looking for reply items in directory... rlm_ldap: user nadine.bosshard authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 74 to 10.119.12.2 port 1332 EAP-Message = 0x010100160410ce5ed62bba0b994eed20635dd85199a8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654516b5618cb11aad47c413c7ca Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=75, length=201 Message-Authenticator = 0x4ba48fcb53c68cc0e385d0d12cfad5fc Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654516b5618cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020100060319 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for nadine.bosshard WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=tcsvo,dc=local, with filter (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/" rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x4431393433313746304145303337384139434535423745394230313835334233 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3944443632393938313730333033343036463342414634373331353033384646 rlm_ldap: looking for reply items in directory... rlm_ldap: user nadine.bosshard authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 75 to 10.119.12.2 port 1332 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654517b67c8cb11aad47c413c7ca Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=76, length=323 Message-Authenticator = 0x32ce24190f3bd9a7fe8b5bfcba1fc4dc Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654517b67c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0202008019800000007616030100710100006d0301504f2f339bf42035c99689e4b9f5f239952eeccfc90cde3694f18e32a18a204e00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 128 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 118 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0071], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0051], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ac9], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 76 to 10.119.12.2 port 1332 EAP-Message = 0x0103040019c000000b2d16030100510200004d0301504f2f34362fc1262c3b636e2050c8649ca8051cd6e96e77afeacceb0b82f6b020d64590097eda15b621fa50f97c6ff690cbe70000754bfce0db0efd7bb2f58af5002f000005ff010001001603010ac90b000ac5000ac20004c5308204c1308203a9a003020102020101300d06092a864886f70d01010505003081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b301906035504 EAP-Message = 0x0b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c301e170d3131313031383132343135325a170d3136313031363132343135325a3081c1310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b13125443532053657276 EAP-Message = 0x6963652043656e746572311e301c060355040313157372746373766f30342e746373766f2e6c6f63616c311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c30819f300d06092a864886f70d010101050003818d0030818902818100aa068e1696137a6013728212da97bde84338a84c01434740dd7c3d76e9ac208d33efef6cf5b19436e09f71aae9517ec9a79ab6386ac2cee886c4b82e306ab065799071439537013af6f32fcf103e563341e5ec03837fefb32cab3a80e085624a722dca77fb2d0881e2912d078a404708506df80f9fa5459a3846c41b3a1be8410203010001a38201363082013230090603551d130402 EAP-Message = 0x3000301d0603551d0e04160414d60b8a292f824ee8593ead12079908a996fa25ce308201040603551d230481fc3081f980141894cd73cc0286f2e6b0ab65777f605667044a3ca181d5a481d23081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f742043 EAP-Message = 0x41311e301c06092a864886f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654514b77c8cb11aad47c413c7ca Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=77, length=201 Message-Authenticator = 0xc5cd91f31beec31485c1a018cca1a538 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654514b77c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 77 to 10.119.12.2 port 1332 EAP-Message = 0x010403fc19400d010901160f73736c40746373766f2e6c6f63616c820900de6d547bd0d02bb7300d06092a864886f70d0101050500038201010070b8aa764d29097af2190422c618f6c5a4753df81c1ff392cb1b379de862bd338b414b5fdcdc7b8ed053df5224ec2e4e85babe4adac4a490fd663627c211c837819ae267f4d9125d19e04fc82ac089a9ab9c3a7f01be2f54ff64381d8f233dd0f4e1070221a6d9751e3f5c5f4a4d3a81c2784377ac37056e3472e64770818f741f39659163dfb5b72e44cba594acb1fc8549bbd3ca2a42eed1741fedd1fd784f88270182168861461bf8e395f33544d1d6950ccb5bd39bf31e06c7a95e3134dba44f7a EAP-Message = 0x00f72b04cb086681c2fca1497fd8842e6453e9c305971535d8ec031581b1a37c97199ed6295c692c91515b121b459421b4d320429da9eebf9fa46692560005f7308205f3308204dba003020102020900de6d547bd0d02bb7300d06092a864886f70d01010505003081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74 EAP-Message = 0x696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c301e170d3131313031383132343135325a170d3136313031363132343135325a3081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f7261 EAP-Message = 0x74652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb23aad5b224b6451b2b71d383a8fdab7fc47c1d3c01a4cbbc495530c121edf8e00206507e5c357930f32483539f43f3f4523fbc6f180225477898f1e28d89627ebeda8a0f33264ba5431b43403033b32b662913717a2ced71906fb24c710dcd2b51494c2f9f9a4cdbe655248673c6d520d3012350b8cc999d7e319bd0dc15bd28696d03c06adea3e7e45d506f342f54428c9914664b30110c85771b9b6b6d4709ba70075d85c4a96860b4 EAP-Message = 0xcbfcc9fde3fc1e69 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654515b07c8cb11aad47c413c7ca Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=78, length=201 Message-Authenticator = 0xe1657a312df473007ae4e66e5386abba Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654515b07c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 78 to 10.119.12.2 port 1332 EAP-Message = 0x0105034719006c0ac5bff0ac06e64f339336a607f02d6f89c67c8db227cf7d6dd61df083dc348a6b83d9f5a6b83186380ef5fd3ea29a95649910de04d80494fae634bd6ea242623c8a520c996d77b9e43ceaa10203010001a38201ce308201ca300f0603551d130101ff040530030101ff301d0603551d0e041604141894cd73cc0286f2e6b0ab65777f605667044a3c308201040603551d230481fc3081f980141894cd73cc0286f2e6b0ab65777f605667044a3ca181d5a481d23081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355 EAP-Message = 0x040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c820900de6d547bd0d02bb7300b0603551d0f040403020106301106096086480186f8420101040403020007301a0603551d1104133011810f73736c40746373766f2e6c6f63616c301a0603551d1204133011810f73736c40746373766f2e6c6f63616c303806096086480186f8 EAP-Message = 0x42010d042b162954686973206365727469666963617465206973206120526f6f74204341204365727469666963617465300d06092a864886f70d01010505000382010100620c56161414e3959e61866f66eb546cd7bf45398138cfb59e89c222e518454951c9fb0bb3dee9a950d577e4d48ac79dcada6a52b9abee23756bf3af3132425af8367294e2766d119ddfa86ebf64be0ad752149a9b42762f94ddbbc9a85f338c53a9252175dea564dc6c74bcf9bfb60c63f4580e463c2c21cb0048b08f8e6a93026de80f60191ec1fe5a07074161986f7f18eb4b5e2e93b1e1b084ceed5193a264aaa275353c7d1bc13b2dce45a799727b68aa79a39073263d EAP-Message = 0xb65a905d7bab8419a963ea7f069d0c618070bb107ffd9c291baf3f3908a4fbbf9a8ca172e1f39301934bdf17939a65b9c794b7162169b2c5bceb6aaf48fa715a584c6eea1e0dd916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654512b17c8cb11aad47c413c7ca Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=79, length=403 Message-Authenticator = 0xf76ea41848db75155a999de19b0b8ab8 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654512b17c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500d01980000000c61603010086100000820080a9fa249e85b6565a5675f299fd98e7f2db6767a944b7691b5b42e738a2034e254510fa33eaa56734c708cf596d81b193ea6a1947769cb63f83fac6c2d71dd434985b3a115e8a90a68349d2dd7cca49d3cec3f32fa190b21111949bf1829bfe7dbe5bd1ac6a1c37544a1b04d81ad98f89e0806aeb827a955deefc1bdf0b60e82e1403010001011603010030341c5ed324da181fd43d39d7ed41f23724e32cb3e2e55a57da946c5691257bb74199385181f308e2e6450489745d04c9 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 208 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 198 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 79 to 10.119.12.2 port 1332 EAP-Message = 0x0106004119001403010001011603010030b213aaedf5b207d7f89aa93d1379c29e85c4c32f1927ca9318dcd335398921d3014d7ef185c94ecc6167c183f3178c37 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654513b27c8cb11aad47c413c7ca Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=80, length=201 Message-Authenticator = 0xa7658f5b5828f25d72267be5a62ee3d9 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654513b27c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020600061900 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 80 to 10.119.12.2 port 1332 EAP-Message = 0x0107002b1900170301002076cff579edcc27200d5c7a2da8010742e440dcfec3cbf4a4586062522b8feee8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654510b37c8cb11aad47c413c7ca Finished request 6. Going to the next request Waking up in 1.2 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=81, length=254 Message-Authenticator = 0xe19f6b601971918ae28622d4e1023915 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654510b37c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207003b19001703010030a363428512dd817485942d2771ad4bc57cfd522bbca80127738d56ba90b901fdc460d220b30b1e326ed6ef5392338784 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 59 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - nadine.bosshard PEAP: Got tunneled EAP-Message EAP-Message = 0x02070014016e6164696e652e626f737368617264 PEAP: Got tunneled identity of nadine.bosshard PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to nadine.bosshard PEAP: Sending tunneled request EAP-Message = 0x02070014016e6164696e652e626f737368617264 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nadine.bosshard" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for nadine.bosshard WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=tcsvo,dc=local, with filter (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/" rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x4431393433313746304145303337384139434535423745394230313835334233 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3944443632393938313730333033343036463342414634373331353033384646 rlm_ldap: looking for reply items in directory... rlm_ldap: user nadine.bosshard authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [nadine.bosshard/<no User-Password attribute>] (from client aptcsvo02 port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 PEAP: Processing from tunneled session code 0x15a7cd0 3 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 81 to 10.119.12.2 port 1332 EAP-Message = 0x0108002b19001703010020fd01c27653428a0b4c1b91a8c8a72745376f00967edad64c2942c892ce583c95 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654511bc7c8cb11aad47c413c7ca Finished request 7. Going to the next request Waking up in 1.2 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=82, length=238 Message-Authenticator = 0xf77a7553970336997c53b0f4dd243710 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654511bc7c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208002b1900170301002025cb1272fcd8494d630037f0c267cf2b860f7edfeeb4b730993de53c79e20735 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 43 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [nadine.bosshard/<via Auth-Type = EAP>] (from client aptcsvo02 port 1 cli 9803D861E85C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> nadine.bosshard attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=82, length=238 Waiting to send Access-Reject to client aptcsvo02 port 1332 - ID: 82 Sending delayed reject for request 8 Sending Access-Reject of id 82 to 10.119.12.2 port 1332 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.1 seconds. Cleaning up request 0 ID 74 with timestamp +313 Cleaning up request 1 ID 75 with timestamp +313 Cleaning up request 2 ID 76 with timestamp +313 Cleaning up request 3 ID 77 with timestamp +313 Cleaning up request 4 ID 78 with timestamp +313 Cleaning up request 5 ID 79 with timestamp +313 Waking up in 3.6 seconds. Cleaning up request 6 ID 80 with timestamp +317 Cleaning up request 7 ID 81 with timestamp +317 Waking up in 1.0 seconds. Cleaning up request 8 ID 82 with timestamp +317 Ready to process requests. Thanks for the help. Am 09/11/2012 11:06 AM, schrieb Fajar A. Nugraha:
On Tue, Sep 11, 2012 at 3:54 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
IPhone test: rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21, length=197 Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec
Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation There should be other lines before that. Like the ones that says it's using inner-tunnel?
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false] ++[unix] returns reject Did you read that line? You have "unix" in authorize section of inner tunnel. And user nadine.bosshard is not allowed to login to the system (invalid shell). FR does the right thing. Comment-out that line in inner tunnel.
Your radlogin test succeed because you don't have "unix" in authorize section of default virtual server.
See how important complete debug logs are?
... and seriously, upgrade. There are many known bugs fixed since 2.0.x. And if you can edit the configuration freely by hand, you should be able to upgrade.
-- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33
On Tue, Sep 11, 2012 at 7:42 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
No there are no other lines before that one.
I cannot update, because univention ucs2.4 is based on lenny and FR 2.2 depends on newer packets from squeeze.
Well, lenny is no longer supported. That's a risk you face for using something that is end of life.
Already tried that.
I was able to build a deb package for ubuntu hardy (which is older than lenny), so it might work on lenny as well. A small change is needed (you can just apply it manually): https://github.com/fajarnugraha/freeradius-server/commit/9212890c8f6399d1901... Then follow http://wiki.freeradius.org/building/Build#Building-Debian-packages
well radlogin worked even when unix in default was active. But after i #-ed everything with unix i could login. After the login there comes the information for accepting the certificate. But after a klick for accepting there comes the loginscreen another time.
(shrug) you can either spend more time debugging yourself, or you can try upgrading, just in case it's a known and fixed bug. FWIW, these lines look weird: auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Again, it might be just a known and fixed bug. -- Fajar
Mihajlo Joksimovic wrote:
Well its no univention package, its only from the univention repo. they dont like other repos in their system.
Please edit your posts to delete unnecessary text.
ill post two more things. the output from start with -X and the inner-tunnel.
Please do NOT post configuration files, unless specifically asked. The whole POINT of debug output is for us to see the server processing packets. You haven't shown that.
This is the output when i start with -X:
root@srtcsvo04:/etc/univention/ssl# /usr/sbin/freeradius -X FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Nov 22 2010 at 14:36:23
Upgrade. Why are you running a version that's 4 years old? Alan DeKok.
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
Mihajlo Joksimovic -
Phil Mayers