Unable to setup freeradius server to authenticate from Unix username/passwords
Hello, I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable to set it up so as to authenticate incoming requests from the Unix username/passwords stored in /etc/{passwd, shadow}. Here is a description of my setup. I've setup wifi security on my wireless router to WPA-Enterprise and entered the IP address of the radius server in the router to that of a Linux machine running freeradius. Here's a description of all the changes I made to /etc/freeradius directory to even reach the point to make it partially work: 1) chown -R freerad /etc/freeradius The above is needed as Ubuntu seems to install every file there as root and thus the freeradius server which runs as user freerad isn't able to read the configuration files. 2) Modified /etc/freeradius/clients.conf to accept requests from my router's IP address. Also added the shared key testing123 there - which is the same that was put in the router while configuring it with a radius server. 3) Changed the 'group =' setting inside /etc/freeradius/radiusd.conf to make it 'shadow' to enable it to lookup /etc/shadow. 4) Uncommmented the keyword 'unix' in both /etc/freeradius/sites-enabled/{inner-tunnel,default} 5) Modified /etc/default/freeradius to pass option '-X' to the freeradius server. I've tried using both Windows 7 as well as an iPad as a client to connect using wifi. Each time, the freeradius server running on my Linux box denies the requests. I should mention that a 'radtest' succeeds - so I'm entering the username/passwd correctly. I'm attaching the output of the freeradius server when iPad is used. In a separate email I'll also attach the output from Windows 7 (to avoid going over the 100KB message limit in this email). Any help is appreciated. - Mohit
Here is the output with Windows 7. - Mohit On Mon, Feb 27, 2012 at 11:34 PM, Mohit Aron <extproxy@gmail.com> wrote:
Hello,
I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable to set it up so as to authenticate incoming requests from the Unix username/passwords stored in /etc/{passwd, shadow}.
Here is a description of my setup. I've setup wifi security on my wireless router to WPA-Enterprise and entered the IP address of the radius server in the router to that of a Linux machine running freeradius.
Here's a description of all the changes I made to /etc/freeradius directory to even reach the point to make it partially work: 1) chown -R freerad /etc/freeradius The above is needed as Ubuntu seems to install every file there as root and thus the freeradius server which runs as user freerad isn't able to read the configuration files.
2) Modified /etc/freeradius/clients.conf to accept requests from my router's IP address. Also added the shared key testing123 there - which is the same that was put in the router while configuring it with a radius server.
3) Changed the 'group =' setting inside /etc/freeradius/radiusd.conf to make it 'shadow' to enable it to lookup /etc/shadow.
4) Uncommmented the keyword 'unix' in both /etc/freeradius/sites-enabled/{inner-tunnel,default}
5) Modified /etc/default/freeradius to pass option '-X' to the freeradius server.
I've tried using both Windows 7 as well as an iPad as a client to connect using wifi. Each time, the freeradius server running on my Linux box denies the requests. I should mention that a 'radtest' succeeds - so I'm entering the username/passwd correctly. I'm attaching the output of the freeradius server when iPad is used. In a separate email I'll also attach the output from Windows 7 (to avoid going over the 100KB message limit in this email).
Any help is appreciated.
- Mohit
Mohit Aron wrote:
Here is the output with Windows 7.
Attaching a ".out" file isn't useful. The information is text. It should be pasted into the message. Or, attached as a ".txt" file. This is a list for free software. You are making it difficult for people to help you. Alan DeKok.
Apologies. I'm attaching it again. On Mon, Feb 27, 2012 at 11:50 PM, Alan DeKok <aland@deployingradius.com> wrote:
Mohit Aron wrote:
Here is the output with Windows 7.
Attaching a ".out" file isn't useful. The information is text. It should be pasted into the message. Or, attached as a ".txt" file.
This is a list for free software. You are making it difficult for people to help you.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/28/2012 07:54 AM, Mohit Aron wrote:
TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails.
You have failed to setup the required certs on the client. The client needs to have a copy of the CA signing your server cert, either the "real" cert you have, or the "test" cert generated by FreeRADIUS itself when it first starts. http://deployingradius.com/documents/configuration/certificates.html http://deployingradius.com/documents/configuration/ca_import.html Also: if you are trying to do EAP, you will NOT be able to use Unix passwords unless you are using EAP-TTLS/PAP or GTC (which are not supported in Windows), see: http://deployingradius.com/documents/protocols/compatibility.html
On Tue, Feb 28, 2012 at 2:34 PM, Mohit Aron <extproxy@gmail.com> wrote:
Hello,
I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable to set it up so as to authenticate incoming requests from the Unix username/passwords stored in /etc/{passwd, shadow}.
Here is a description of my setup. I've setup wifi security on my wireless router to WPA-Enterprise and entered the IP address of the radius server in the router to that of a Linux machine running freeradius.
Here's a description of all the changes I made to /etc/freeradius directory to even reach the point to make it partially work: 1) chown -R freerad /etc/freeradius The above is needed as Ubuntu seems to install every file there as root and thus the freeradius server which runs as user freerad isn't able to read the configuration files.
You shouldn't need to do that. The files should have freerad group ownership (at least it does last time I look on Natty), so freerad user will be able to read it. Did you test it and it didn't work, or did you THINK it wouldn't work so you do a chown manually? If it's the first, file a bug on launchpad, cause it's packaging bug. If it's the later, try with a fresh install.
I've tried using both Windows 7 as well as an iPad as a client to connect using wifi.
IIRC Windows will use EAP-PEAP-MSCHAPv2, which requires cleartext-password (or NT-Hash, or accounts stored in AD). Linux passwords in /etc/shadow is hashed (the ones I have use SHA-512), so they're not compatible. You need a third-party supplicant that can send passwords in cleartext (e.g. TTLS-PAP, EAP-PEAP-GTC). -- Fajar
You shouldn't need to do that. The files should have freerad group ownership (at least it does last time I look on Natty), so freerad user will be able to read it. Did you test it and it didn't work, or did you THINK it wouldn't work so you do a chown manually?
If it's the first, file a bug on launchpad, cause it's packaging bug. If it's the later, try with a fresh install.
They are all owned by root in Ubuntu 11.10. So it is a packaging bug. I've also tried using Ubuntu 10.04 - there it is fine. I've filed a bug already on launchpad.
You need a third-party supplicant that can send passwords in cleartext (e.g. TTLS-PAP, EAP-PEAP-GTC).
Sorry I'm new to freeradius. How can I setup this supplicant. I'd really like to use Unix passwords to authenticate and not create another setup of passwords for users. The documentation on radius is really sparse. If you can advise what all I need to just make my wifi clients authenticate using radius against the passwd file on a Linux box, that'll be super. - Mohit
On Tue, Feb 28, 2012 at 3:26 PM, Mohit Aron <extproxy@gmail.com> wrote:
You shouldn't need to do that. The files should have freerad group ownership (at least it does last time I look on Natty), so freerad user will be able to read it. Did you test it and it didn't work, or did you THINK it wouldn't work so you do a chown manually?
If it's the first, file a bug on launchpad, cause it's packaging bug. If it's the later, try with a fresh install.
They are all owned by root in Ubuntu 11.10. So it is a packaging bug. I've also tried using Ubuntu 10.04 - there it is fine. I've filed a bug already on launchpad.
Really? They messed up big time then. You can try my ppa: https://launchpad.net/~freeradius/+archive/stable It was created based on Natty's 2.1.10, updated to 2.1.12 for lucid-oneiric and hardy.
You need a third-party supplicant that can send passwords in cleartext (e.g. TTLS-PAP, EAP-PEAP-GTC).
Sorry I'm new to freeradius. How can I setup this supplicant.
At work we use odyssey, but it's not free: http://www.juniper.net/us/en/products-services/software/ipc/odyssey-access-c... wpa_suppllicant (http://hostap.epitest.fi/wpa_supplicant/) might work as well, but last time I tried it's kinda hit-and-miss.
I'd really like to use Unix passwords to authenticate and not create another setup of passwords for users. The documentation on radius is really sparse.
Did you check the wiki, http://wiki.freeradius.org/? If you think there's something that should be there but isn't, feel free to add some content.
If you can advise what all I need to just make my wifi clients authenticate using radius against the passwd file on a Linux box, that'll be super.
You can also do it the other way around: store the passwords as clear-text (nt-hash should also work, although I haven't tried), either in database (e.g. mysql) or LDAP, then use pam_radius or pam_ldap (only if you use ldap) so linux uses radius for authentication. -- Fajar
Mohit Aron wrote:
I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable to set it up so as to authenticate incoming requests from the Unix username/passwords stored in /etc/{passwd, shadow}.
You should mostly just uncomment "unix" in raddb/sites-enabled/default
Here is a description of my setup. I've setup wifi security on my wireless router to WPA-Enterprise and entered the IP address of the radius server in the router to that of a Linux machine running freeradius.
Here's a description of all the changes I made to /etc/freeradius directory to even reach the point to make it partially work: 1) chown -R freerad /etc/freeradius The above is needed as Ubuntu seems to install every file there as root and thus the freeradius server which runs as user freerad isn't able to read the configuration files.
I saw that. What a ridiculous thing for them to do.
2) Modified /etc/freeradius/clients.conf to accept requests from my router's IP address. Also added the shared key testing123 there - which is the same that was put in the router while configuring it with a radius server.
3) Changed the 'group =' setting inside /etc/freeradius/radiusd.conf to make it 'shadow' to enable it to lookup /etc/shadow.
Yes.
4) Uncommmented the keyword 'unix' in both /etc/freeradius/sites-enabled/{inner-tunnel,default}
That should work. *With* the caveat that it will only work for TTLS, not PEAP.
5) Modified /etc/default/freeradius to pass option '-X' to the freeradius server.
You don't want to do that. Just run it in debugging mode from the command-line.
I've tried using both Windows 7 as well as an iPad as a client to connect using wifi. Each time, the freeradius server running on my Linux box denies the requests. I should mention that a 'radtest' succeeds - so I'm entering the username/passwd correctly.
That doesn't test EAP, and isn't enough.
I'm attaching the output of the freeradius server when iPad is used. In a separate email I'll also attach the output from Windows 7 (to avoid going over the 100KB message limit in this email).
Which says:
TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Follow the EAP-TLS Howto. You either didn't sign the certificates correctly, or you didn't put the root CA on the client machine. Alan DeKok.
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
Mohit Aron -
Phil Mayers