hello, I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth. for this I've setup a simple users file 005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E" Tunnel-type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 15 First ,it isn't clear to me wether to user Cleartext-Password or User-Password and == ou := , and "" or no "" around the password ...!? , anyway, with Cleartext-Password it works fine with radtest at least $ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret rad_recv: Access-Accept packet from host 157.159.100.55 port 1812, id=81, length=36 Now when my HP switch tries to auth my PC which has 005004B7252E as MAC@ for it's eth0, apparently the HP sends a chap password CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80 with turns radius into it's chap module and fails to Authenticate :-( Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject I'am lost. I don't know If I have to set a chap password in "users" files or anywhere else ? (how, syntax ?) or if I have to tell my HP switch not to do chap (again how ?) Thanks . details of radius -X rad_recv: Access-Request packet from host 157.159.17.138 port 1125, id=8, length=195 Framed-MTU = 1480 NAS-IP-Address = 157.159.17.138 NAS-Identifier = "Sw-C01" User-Name = "005004B7252E" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 26 NAS-Port-Type = Ethernet NAS-Port-Id = "26" Called-Station-Id = "00-1c-2e-b4-f2-66" Calling-Station-Id = "00-50-04-b7-25-2e" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80 Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth-detail-20090429 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth-detail-20090429 [auth_log] expand: %t -> Wed Apr 29 17:28:16 2009 ++[auth_log] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 005004B7252E attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 8 to 157.159.17.138 port 1125 Waking up in 4.9 seconds.
jehan procaccia wrote:
hello, I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth. for this I've setup a simple users file
005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E"
Delete the "Auth-Type := Local". It doesn't do anything useful.
First ,it isn't clear to me wether to user Cleartext-Password or User-Password and == ou := , and "" or no "" around the password ...!? , anyway, with Cleartext-Password it works fine with radtest at least
The example in the FAQ and in the "users" file do NOT have Auth-Type. They DO use Cleartext-Password, and they DO use ":=". All of the third-party web sites, FAQs, etc. are 2-3 years out of date, and are wrong.
[chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication
That says it doesn't have the Cleartext-Password. ...
[files] users: Matched entry DEFAULT at line 172
So... what's at line 172? Where is the "users" file entry you added? The FAQ says to add it at the TOP of the "users" file. That works best for testing. Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The example in the wiki was written *for* HP Mac-Auth http://wiki.freeradius.org/Mac-Auth You may need to change the Service-Type check to Framed-User for older firmware revisions. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEUEARECAAYFAkn4g+AACgkQcaklux5oVKIUIACYiA0ZCYGYEQqfOQJ8MgmLz87b ZgCgiCsqc7AlH8tA1zYvYYPpgx1f8D0= =VKso -----END PGP SIGNATURE-----
Alan DeKok wrote:
jehan procaccia wrote:
hello, I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth. for this I've setup a simple users file
005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E"
Delete the "Auth-Type := Local". It doesn't do anything useful.
OK done
First ,it isn't clear to me wether to user Cleartext-Password or User-Password and == ou := , and "" or no "" around the password ...!? , anyway, with Cleartext-Password it works fine with radtest at least
The example in the FAQ and in the "users" file do NOT have Auth-Type. They DO use Cleartext-Password, and they DO use ":=".
All of the third-party web sites, FAQs, etc. are 2-3 years out of date, and are wrong.
Indeed I was "googleling" for exemples ...
[chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication
That says it doesn't have the Cleartext-Password.
...
[files] users: Matched entry DEFAULT at line 172
So... what's at line 172? Where is the "users" file entry you added?
line 172 was DEFAULT Framed-Protocol == PPP I moved Up my user entry at the top of the user files and now it seems to work :-) Athough I didn't set any chap password anywhere in freeradius !? (perhaps because of this from http://wiki.freeradius.org/HP /Note: A hashed version of the SRC address is also available in the CHAP-Password attribute.) ?/ rad_recv: Access-Request packet from host 157.159.7.138 port 1125, id=13, length=195 Framed-MTU = 1480 NAS-IP-Address = 157.159.7.138 NAS-Identifier = "Sw-C01" User-Name = "005004B7252E" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 26 NAS-Port-Type = Ethernet NAS-Port-Id = "26" Called-Station-Id = "00-1c-2e-b4-f2-66" Calling-Station-Id = "00-50-04-b7-25-2e" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" CHAP-Password = 0x0ccbeba82a75e0762efbf021c72bd5c45a Message-Authenticator = 0x3eae4885821478bc7bbcf7e45618c453 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.7.138/auth-detail-20090429 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.7.138/auth-detail-20090429 [auth_log] expand: %t -> Wed Apr 29 19:05:06 2009 ++[auth_log] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry 005004B7252E at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Using clear text password "005004B7252E" for user 005004B7252E authentication. [chap] chap user 005004B7252E authenticated succesfully ++[chap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 13 to 157.159.7.138 port 1125 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "15" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 13 with timestamp +37 Ready to process requests. My PC client isn't is the Vlan15 though .. it's getting late here in france ... I'll continue tomorrow ... thanks .
The FAQ says to add it at the TOP of the "users" file. That works best for testing.
Alan DeKok.
On 2009-Apr-29, at 10:26, jehan procaccia wrote:
hello, I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth. for this I've setup a simple users file
005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E" Tunnel-type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 15
First ,it isn't clear to me wether to user Cleartext-Password or User-Password and == ou := , and "" or no "" around the password ...!? , anyway, with Cleartext-Password it works fine with radtest at least
$ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret rad_recv: Access-Accept packet from host 157.159.100.55 port 1812, id=81, length=36
Now when my HP switch tries to auth my PC which has 005004B7252E as MAC@ for it's eth0, apparently the HP sends a chap password CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80 with turns radius into it's chap module and fails to Authenticate :-( Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject
I'am lost. I don't know If I have to set a chap password in "users" files or anywhere else ? (how, syntax ?) or if I have to tell my HP switch not to do chap (again how ?)
Thanks .
details of radius -X
rad_recv: Access-Request packet from host 157.159.17.138 port 1125, id=8, length=195 Framed-MTU = 1480 NAS-IP-Address = 157.159.17.138 NAS-Identifier = "Sw-C01" User-Name = "005004B7252E" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 26 NAS-Port-Type = Ethernet NAS-Port-Id = "26" Called-Station-Id = "00-1c-2e-b4-f2-66" Calling-Station-Id = "00-50-04-b7-25-2e" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80 Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/ auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth- detail-20090429 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail- %Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth- detail-20090429 [auth_log] expand: %t -> Wed Apr 29 17:28:16 2009 ++[auth_log] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL [suffix] No such realm "NULL"
Uncomment and edit your proxy.conf file for the NULL realm : ... realm NULL { type = radius authhost = LOCAL accthost = LOCAL secret = testing123 } ...
++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 005004B7252E attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 8 to 157.159.17.138 port 1125 Waking up in 4.9 seconds.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Guy Fraser Network Administrator The Internet Centre 1-888-450-6787 (780)450-6787
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Guy Fraser -
jehan procaccia