Hi, Please keep replies on-list. On Thu, Mar 26, 2015 at 03:38:51PM +0000, aschappell@clearedgeit.com wrote:
What do I test the authentication with besides the local host? I am new to this radius thing. When I go to login to wifi I do not see anything in the debug output that is showing someone is logging in.
OK, so you need to make sure that your access point / wireless controllers are configured correctly and have access to your RADIUS server. You have a number of clients added in clients.conf - have you added the actual client (AP) that you are testing from? Is there a firewall in the way or iptables on the server? Start by running tcpdump on the server to make sure that the packets are actually reaching the RADIUS server. If they aren't, and there are no firewalls, then make sure your AP/wireless system is configured correctly. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Yes here is my client.conf. I am using this same password in Unifi also right? It does not matter what the passwords are as long as they are them same on both ends. client 10.0.2.207 { secret = ceadmin { ipaddr = 10.0.2.207 shortname = ClearEdge Mike's Room } client 10.0.2.205 { secret = ceadmin { ipaddr = 10.0.2.205 shortname=CleaEdge Suite 215 } client 10.0.1.149 { secret = ceadmin { ipaddr = 10.0.1.149 shortname=ClearEdge Exec Conf. Room } client 10.0.1.57 { secret = ceadmin } client localhost { # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) ipaddr = 127.0.0.1 secret = ceadmin require_message_authenticator = no nastype = other Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 11:50 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Hi,
Please keep replies on-list.
On Thu, Mar 26, 2015 at 03:38:51PM +0000, aschappell@clearedgeit.com wrote:
What do I test the authentication with besides the local host? I am new to this radius thing. When I go to login to wifi I do not see anything in the debug output that is showing someone is logging in.
OK, so you need to make sure that your access point / wireless controllers are configured correctly and have access to your RADIUS server.
You have a number of clients added in clients.conf - have you added the actual client (AP) that you are testing from?
Is there a firewall in the way or iptables on the server?
Start by running tcpdump on the server to make sure that the packets are actually reaching the RADIUS server. If they aren't, and there are no firewalls, then make sure your AP/wireless system is configured correctly.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Thu, Mar 26, 2015 at 11:59:35AM -0400, Adam Schappell wrote:
Yes here is my client.conf.
That's already in the debug output (which is why we ask for the debug output :) )
I am using this same password in Unifi also right? It does not matter what the passwords are as long as they are them same on both ends.
Correct; the secret has to match both sides. But at present you're not getting that far. Have you run tcpdump like I asked to see if the packets are reaching the server? If not, you need to sort that out before investigating the RADIUS server, as it's a more fundamental basic networking/configuration issue. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Yes so I am not getting any traffic going to radius server from the AP server, I disabled firewall and everything. Something is not right lol Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 12:08 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Mar 26, 2015 at 11:59:35AM -0400, Adam Schappell wrote:
Yes here is my client.conf.
That's already in the debug output (which is why we ask for the debug output :) )
I am using this same password in Unifi also right? It does not matter what the passwords are as long as they are them same on both ends.
Correct; the secret has to match both sides.
But at present you're not getting that far. Have you run tcpdump like I asked to see if the packets are reaching the server?
If not, you need to sort that out before investigating the RADIUS server, as it's a more fundamental basic networking/configuration issue.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Thu, Mar 26, 2015 at 12:21:19PM -0400, Adam Schappell wrote:
Yes so I am not getting any traffic going to radius server from the AP server, I disabled firewall and everything. Something is not right lol
Sounds like you need to fix that first then. Unlikely to be something anyone here can help with. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Ok I figured all that out, supposivly does not like the AP's connecting to different subnets which is not going to go over well with my DMZ. But now I am getting reject error when authenticating to wifi. Here is debug output. [peap] Got inner identity 'CORP\aschappell' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c server { [peap] Setting User-Name to CORP\aschappell Sending tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORP\\aschappell" server inner-tunnel { WARNING: Empty authorize section. Using default return values. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 54 to 10.0.1.149 port 32781 EAP-Message = 0x0118002b190017030100201647053fbeb14c32719744432002a54c459f497b2e32754269e04e1066211a2d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2d6f40ac4ceed9bb2dc291e7276ac0d Finished request 55. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.1.149 port 32781, id=55, length=231 User-Name = "CORP\\aschappell" NAS-IP-Address = 10.0.1.149 NAS-Identifier = "24a43c105cfc" NAS-Port = 0 Called-Station-Id = "24-A4-3C-1B-9F-92:ClearEdgeCORP" Calling-Station-Id = "C8-BC-C8-C0-1D-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0218002b190017030100207c934f93a305a368e73e4b44d84d62b6006059b4228216bc5a70d117bf0a88e7 State = 0xc2d6f40ac4ceed9bb2dc291e7276ac0d Message-Authenticator = 0x51c3c60a40d2995b5f14141e055f0950 # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 24 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 cli C8-BC-C8-C0-1D-A7) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> CORP\aschappell attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 56 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 56 Sending Access-Reject of id 55 to 10.0.1.149 port 32781 EAP-Message = 0x04180004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Cleaning up request 49 ID 48 with timestamp +214 Waking up in 0.4 seconds. Cleaning up request 50 ID 49 with timestamp +215 Cleaning up request 51 ID 50 with timestamp +215 Cleaning up request 52 ID 51 with timestamp +215 Cleaning up request 53 ID 52 with timestamp +215 Cleaning up request 54 ID 53 with timestamp +215 Cleaning up request 55 ID 54 with timestamp +215 Waking up in 1.0 seconds. Cleaning up request 56 ID 55 with timestamp +215 Ready to process requests. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 12:38 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Mar 26, 2015 at 12:21:19PM -0400, Adam Schappell wrote:
Yes so I am not getting any traffic going to radius server from the AP server, I disabled firewall and everything. Something is not right lol
Sounds like you need to fix that first then. Unlikely to be something anyone here can help with.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Thu, Mar 26, 2015 at 12:51:06PM -0400, Adam Schappell wrote:
Ok I figured all that out, supposivly does not like the AP's connecting to different subnets which is not going to go over well with my DMZ. But now I am getting reject error when authenticating to wifi. Here is debug output.
[peap] Got inner identity 'CORP\aschappell' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c server { [peap] Setting User-Name to CORP\aschappell Sending tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORP\\aschappell" server inner-tunnel { WARNING: Empty authorize section. Using default return values.
^^^^^^^^^^^^^^ Did you empty out the authorize {} section in sites-enabled/inner-tunnel? Is the inner-tunnel virtual server actually there (symlink in sites-enabled pointing back to sites-available)? Matthew
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 via TLS tunnel) } # server inner-tunnel
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I dont think I understand what you mean by empty it out? Here is my config it sites-enabled/inner-tunnel authorize { pap # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module, above. # # unix # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # # Note that proxying the inner tunnel authentication means # that the user MAY use one identity in the outer session # (e.g. "anonymous", and a different one here # (e.g. "user@example.com"). The inner session will then be # proxied elsewhere for authentication. If you are not # careful, this means that the user can cause you to forward # the authentication to another RADIUS server, and have the # accounting logs *not* sent to the other server. This makes # it difficult to bill people for their network activity. # suffix # ntdomain # # The "suffix" module takes care of stripping the domain # (e.g. "@example.com") from the User-Name attribute, and the # next few lines ensure that the request is not proxied. # # If you want the inner tunnel request to be proxied, delete # the next few lines. # update control { Proxy-To-Realm := LOCAL } # # This module takes care of EAP-MSCHAPv2 authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } # # Read the 'users' file files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'etc_smbpasswd' module, above. # etc_smbpasswd # # The ldap module will set Auth-Type to LDAP if it has not # already been set # ldap # # Enforce daily limits on time spent logged in. # daily # # Use the checkval module # checkval expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # pap } Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 12:58 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Mar 26, 2015 at 12:51:06PM -0400, Adam Schappell wrote:
Ok I figured all that out, supposivly does not like the AP's connecting to different subnets which is not going to go over well with my DMZ. But now I am getting reject error when authenticating to wifi. Here is debug output.
[peap] Got inner identity 'CORP\aschappell' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c server { [peap] Setting User-Name to CORP\aschappell Sending tunneled request EAP-Message = 0x0217001401434f52505c61736368617070656c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORP\\aschappell" server inner-tunnel { WARNING: Empty authorize section. Using default return values.
^^^^^^^^^^^^^^
Did you empty out the authorize {} section in sites-enabled/inner-tunnel?
Is the inner-tunnel virtual server actually there (symlink in sites-enabled pointing back to sites-available)?
Matthew
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 via TLS tunnel) } # server inner-tunnel
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Thu, Mar 26, 2015 at 01:14:51PM -0400, Adam Schappell wrote:
I dont think I understand what you mean by empty it out? Here is my config it sites-enabled/inner-tunnel
Not according to your (previous) debug output: ... } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { } # modules } # server WARNING: Server inner-tunnel is empty, and will do nothing! radiusd: #### Opening IP addresses and Ports #### listen { ... Are you editing the right file? Are file access permissions set correctly? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Server tunnel is not empty though. File access permissions are setup correctly. Im stuck guys :( I really do appreciate all your help with this. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 1:20 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Mar 26, 2015 at 01:14:51PM -0400, Adam Schappell wrote:
I dont think I understand what you mean by empty it out? Here is my config it sites-enabled/inner-tunnel
Not according to your (previous) debug output:
... } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { } # modules } # server WARNING: Server inner-tunnel is empty, and will do nothing! radiusd: #### Opening IP addresses and Ports #### listen { ...
Are you editing the right file? Are file access permissions set correctly?
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mar 26, 2015, at 12:57 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Server tunnel is not empty though.
Yes, it is. You’re looking at the wrong file.
File access permissions are setup correctly. Im stuck guys :(
*Look* at the files. Don’t assume they’re correct. Look at every single aspect of them. Odds are that raddb/sites-enabled/inner-tunnel is just an empty file, and NOT a symlink. Alan DeKok.
Alan, My inner tunnel file is not empty and has a bunch of configs in it. server inner-tunnel { ntlm_auth } # # This next section is here to allow testing of the "inner-tunnel" # authentication methods, independently from the "default" server. # It is listening on "localhost", so that it can only be used from # the same machine. # # $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 # # If it works, you have configured the inner tunnel correctly. To check # if PEAP will work, use: # # $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 # # If that works, PEAP should work. If that command doesn't work, then # # FIX THE INNER TUNNEL CONFIGURATION UNTIL IT WORKS. # # Do NOT keep testing PEAP. It won't help. # listen { ipaddr = 127.0.0.1 port = 18120 type = auth } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { pap # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module, above. # # unix # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # # Note that proxying the inner tunnel authentication means # that the user MAY use one identity in the outer session # (e.g. "anonymous", and a different one here # (e.g. "user@example.com"). The inner session will then be # proxied elsewhere for authentication. If you are not # careful, this means that the user can cause you to forward # the authentication to another RADIUS server, and have the # accounting logs *not* sent to the other server. This makes # it difficult to bill people for their network activity. # suffix # ntdomain # # The "suffix" module takes care of stripping tthe domain # (e.g. "@example.com") from the User-Name attribute, and the # next few lines ensure that the request is not proxied. # # If you want the inner tunnel request to be proxied, delete # the next few lines. # update control { Proxy-To-Realm := LOCAL } # # This module takes care of EAP-MSCHAPv2 authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } # # Read the 'users' file files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'etc_smbpasswd' module, above. # etc_smbpasswd # # The ldap module will set Auth-Type to LDAP if it has not # already been set # ldap # # Enforce daily limits on time spent logged in. # daily # # Use the checkval module # checkval expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # pap } # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the apropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user, or forcibly accept him. # authenticate { ntlm_auth # } # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap } ###################################################################### # # There are no accounting requests inside of EAP-TTLS or PEAP # tunnels. # ###################################################################### # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp # # See "Simultaneous Use Checking Queries" in sql.conf sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # Note that we do NOT assign IP addresses here. # If you try to assign IP addresses for EAP authentication types, # it WILL NOT WORK. You MUST use DHCP. # # If you want to have a log of authentication replies, # un-comment the following line, and the 'detail reply_log' # section, above. # reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf sql # # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. # # ldap # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { # log failed authentications in SQL, too. # sql attr_filter.access_reject } # # The example policy below updates the outer tunnel reply # (usually Access-Accept) with the User-Name from the inner # tunnel User-Name. Since this section is processed in the # context of the inner tunnel, "request" here means "inner # tunnel request", and "outer.reply" means "outer tunnel # reply attributes". # # This example is most useful when the outer session contains # a User-Name of "anonymous@....", or a MAC address. If it # is enabled, the NAS SHOULD use the inner tunnel User-Name # in subsequent accounting packets. This makes it easier to # track user sessions, as they will all be based on the real # name, and not on "anonymous". # # The problem with doing this is that it ALSO exposes the # real user name to any intermediate proxies. People use # "anonymous" identifiers outside of the tunnel for a very # good reason: it gives them more privacy. Setting the reply # to contain the real user name removes ALL privacy from # their session. # # If you want privacy to remain, see the # Chargeable-User-Identity attribute from RFC 4372. In order # to use that attribute, you will have to allocate a # per-session identifier for the user, and store it in a # long-term database (e.g. SQL). You should also use that # attribute INSTEAD of the configuration below. # #update outer.reply { # User-Name = "%{request:User-Name}" #} } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # attr_rewrite # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 2:11 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 26, 2015, at 12:57 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Server tunnel is not empty though.
Yes, it is. You’re looking at the wrong file.
File access permissions are setup correctly. Im stuck guys :(
*Look* at the files. Don’t assume they’re correct. Look at every single aspect of them.
Odds are that raddb/sites-enabled/inner-tunnel is just an empty file, and NOT a symlink.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 26, 2015, at 1:24 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Alan, My inner tunnel file is not empty and has a bunch of configs in it.
Then server doesn’t lie. Read the debug output again. Make sure you know which file the server is reading. And don’t post configuration files here. It’s useless and annoying. The fact that you’re having massive problem shows you’ve done something seriously wrong. The default configuration *works*. Alan DeKok.
Hello, I am getting this error when trying to authenticate with ldap. I also uncommented out the useful operations error. [ldap] performing user authorization for aschappell [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> aschappell [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aschappell) [ldap] expand: dc=corp,dc=clearedge,dc=com -> dc=corp,dc=clearedge,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] closing existing LDAP connection [ldap] (re)connect to corp.clearedgeit.com:389, authentication 0 [ldap] bind as / to corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=corp,dc=clearedge,dc=com, with filter (uid=aschappell) [ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> aschappell attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 61 to 127.0.0.1 port 48367 Waking up in 4.9 seconds. Cleaning up request 5 ID 61 with timestamp +490 Ready to process requests. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Thu, Mar 26, 2015 at 3:05 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 26, 2015, at 1:24 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Alan, My inner tunnel file is not empty and has a bunch of configs in it.
Then server doesn’t lie. Read the debug output again. Make sure you know which file the server is reading.
And don’t post configuration files here. It’s useless and annoying.
The fact that you’re having massive problem shows you’ve done something seriously wrong. The default configuration *works*.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry I had to reboot after I uncommented them sections. +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "aschappell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> aschappell [sql] sql_set_user escaped user --> 'aschappell' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'aschappell' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'aschappell' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User aschappell not found ++[sql] returns notfound [ldap] performing user authorization for aschappell [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> aschappell [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aschappell) [ldap] expand: dc=corp,dc=clearedge,dc=com -> dc=corp,dc=clearedge,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to corp.clearedgeit.com:389, authentication 0 [ldap] bind as cn=Adam L. Schappell,ou=Domain Admins,ou=Users,ou=Jessup,ou=ClearEdge,dc=corp,dc=clearedge,dc=com/Schappell##113 to corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> aschappell attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 145 to 127.0.0.1 port 41581 Waking up in 4.9 seconds. Cleaning up request 5 ID 145 with timestamp +210 Ready to process requests. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Fri, Mar 27, 2015 at 1:57 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 27, 2015, at 12:44 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
[ldap] ldap_search() failed: Operations error
In v2, read raddb/modules/ldap. Look for “operations error”.
If that text isn’t there, upgrade to 2.2.6.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Mar 27, 2015 at 02:06:09PM -0400, Adam Schappell wrote:
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
This seems fairly clear to me. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I get that and see that but there is no ldap in radius.conf, do you all see anything wrong with my bind dn? Thanks, Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Fri, Mar 27, 2015 at 2:15 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Mar 27, 2015 at 02:06:09PM -0400, Adam Schappell wrote:
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
This seems fairly clear to me.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Mar 27, 2015 at 02:18:06PM -0400, Adam Schappell wrote:
I get that and see that but there is no ldap in radius.conf, do you all see anything wrong with my bind dn?
Ah... there is only one config file: radius.conf. This includes all the other configuration, so look in your ldap config. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
How do I get Reject when I am connecting with the same user as I did to connect LDAP??? I get bind successful so why is this not successful? rad_recv: Access-Request packet from host 10.0.1.56 port 62107, id=21, length=46 User-Name = "radius" User-Password = "ceadmin" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 67 ++[files] returns ok [sql] expand: %{User-Name} -> radius [sql] sql_set_user escaped user --> 'radius' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'radius' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'radius' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User radius not found ++[sql] returns notfound [ldap] performing user authorization for radius [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radius [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 0 [ldap] bind as cn=radius,ou=users,ou=jessup,ou=clearedge,dc=corp,dc=clearedgeit,dc=com/ceadmin to dc1.corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "radius" with password "ceadmin" [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radius [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 21 to 10.0.1.56 port 62107 Waking up in 4.9 seconds. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Fri, Mar 27, 2015 at 2:33 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Mar 27, 2015 at 02:18:06PM -0400, Adam Schappell wrote:
I get that and see that but there is no ldap in radius.conf, do you all see anything wrong with my bind dn?
Ah... there is only one config file: radius.conf. This includes all the other configuration, so look in your ldap config.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 30, 2015, at 9:19 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
How do I get Reject when I am connecting with the same user as I did to connect LDAP??? I get bind successful so why is this not successful?
I suggest reading the debug output. It explains in great detail what’s going wrong, and why. Alan DeKok.
Hey Alan, Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 9:29 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 30, 2015, at 9:19 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
How do I get Reject when I am connecting with the same user as I did to connect LDAP??? I get bind successful so why is this not successful?
I suggest reading the debug output. It explains in great detail what’s going wrong, and why.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it.
Clearly the LDAP query that's defined to find users (the UID) can't find your user 'radius'. Check your query... Just because you can bind with it does not mean that your query to find it (and its password) will work. Use ldapquery to *test* whether the query as listed in the debug output works. Does it? If not, tweak and fiddle with it until ldapquery works. Then port that back to your ldap configuration. Chances are that it will then work. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it.
there a difference between reading it and READING it. lookee here: [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound so, you could bind as the user...fine...but you've got lots of other things set in that bind (OUs) - you'll now be told by me (and others) to try the usual set of LDAP tools to ensure that you can find the user/details against LDAP with your current configured path. plenty of LDAP command line tools available but ldapsearch will be good enough alan
On Mar 30, 2015, at 9:39 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it.
Really? You’ve read it 10 times, and still don’t know what’s going on? If you (a) speak English, and (b) understand your LDAP schema, it should be pretty clear. [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap://DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found Do the words “not found” mean anything? The server prints out the LDAP searches it’s doing. It prints them out for a REASON. So you can READ THEM, and manually verify them against the LDAP tree. Alan DeKok.
Ok so then if I get "bind successfull" and the URL's are wrong then how can I manually change them? Or where do I change them? Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 10:52 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 30, 2015, at 9:39 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it.
Really? You’ve read it 10 times, and still don’t know what’s going on?
If you (a) speak English, and (b) understand your LDAP schema, it should be pretty clear.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap://
ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found
Do the words “not found” mean anything?
The server prints out the LDAP searches it’s doing. It prints them out for a REASON. So you can READ THEM, and manually verify them against the LDAP tree.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 30, 2015, at 11:06 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Ok so then if I get "bind successfull" and the URL's are wrong then how can I manually change them? Or where do I change them?
The redirects are coming from the LDAP servers. So… if the URL redirect is wrong, fix your LDAP servers to send the right redirect. This isn’t a FreeRADIUS problem. No amount of poking FreeRADIUS will fix the configuration on your LDAP servers. Alan DeKok.
Alan DeKok wrote:
On Mar 30, 2015, at 9:39 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it.
Really? You’ve read it 10 times, and still don’t know what’s going on?
If you (a) speak English, and (b) understand your LDAP schema, it should be pretty clear.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap://DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found
Do the words “not found” mean anything?
The server prints out the LDAP searches it’s doing. It prints them out for a REASON. So you can READ THEM, and manually verify them against the LDAP tree.
Hmm, this looks like the referrals in MS AD are automagically chased. LDAPv3 referrals are a broken concept anyway and I doubt that FreeRADIUS in particular will find any meaningful entries in the referred AD containers above. => I'd switch off referral chasing to avoid this noise in the logs. This does *not* mean that checking with LDAP client tools is not useful in general. Ciao, Michael.
Hey Michael Thank you for your informative response unlike others here! I really appreciate it. Since you seem a little more educated on this, I can successfully do a ldapsearch and everything pops up successfully. When I do a radtest "user" "password localhost 0 Password, I get access-reject, why is this if all my ldap connections are good? Where do I switch off referral chasing at? /etc/raddb/modules/ldap? Thank you! Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 11:11 AM, Michael Ströder <michael@stroeder.com> wrote:
Alan DeKok wrote:
On Mar 30, 2015, at 9:39 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it.
Really? You’ve read it 10 times, and still don’t know what’s going on?
If you (a) speak English, and (b) understand your LDAP schema, it should be pretty clear.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC= clearedgeit,DC=com [ldap] rebind to URL ldap://DomainDnsZones.corp.clearedgeit.com/DC= DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found
Do the words “not found” mean anything?
The server prints out the LDAP searches it’s doing. It prints them out for a REASON. So you can READ THEM, and manually verify them against the LDAP tree.
Hmm, this looks like the referrals in MS AD are automagically chased. LDAPv3 referrals are a broken concept anyway and I doubt that FreeRADIUS in particular will find any meaningful entries in the referred AD containers above.
=> I'd switch off referral chasing to avoid this noise in the logs.
This does *not* mean that checking with LDAP client tools is not useful in general.
Ciao, Michael.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 30, 2015, at 11:48 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Hey Michael Thank you for your informative response unlike others here!
If you don't like the answers you get here, you can be unsubscribed and banned permanently. People here help you for free. This means that *you* must do a little bit of work, too. If it becomes clear you're unwilling to do any work, you shouldn't be asking questions on this list. And you should NOT complain that people ask you to understand the systems you're using. Alan DeKok.
Everything is working through ldap except freeradius. What am I not understanding..... Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 11:54 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 30, 2015, at 11:48 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Hey Michael Thank you for your informative response unlike others here!
If you don't like the answers you get here, you can be unsubscribed and banned permanently.
People here help you for free. This means that *you* must do a little bit of work, too. If it becomes clear you're unwilling to do any work, you shouldn't be asking questions on this list.
And you should NOT complain that people ask you to understand the systems you're using.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Schappell wrote:
I can successfully do a ldapsearch and everything pops up successfully.
Did you bind to AD's LDAP server with ldapsearch [..] -D <identity> -w <password> with the very same values used in FreeRADIUS configuration or for RADIUS login? From one of your former postings it seems that FreeRADIUS is using filter (uid=aschappell) to search for your user account. Is attribute 'uid' actually set in your AD user account? This is rather unusal. By default MS AD stores user name in attribut 'sAMAccountName'. So you'd have to change your FreeRADIUS LDAP configuration to use this attribute when generating the search filter. Well, another log of you shows: ---------------------- snip ---------------------- [ldap] bind as cn=Adam L. Schappell,ou=Domain Admins,ou=Users,ou=Jessup,ou=ClearEdge,dc=corp,dc=clearedge,dc=com/Schappell##113 to corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf ---------------------- snip ---------------------- It seems in this case the user entry was found but LDAP simple bind failed. You should check whether AD account got locked during your failing attempts. Ciao, Michael.
Yes I did bind with that command and everything was successful and I have the same setup in freeradius. That was an old post that you pasted and am not using them credentials anymore. This is a couple seconds ago: [ldap] performing user authorization for radius [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radius [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] ldap_search() failed: LDAP connection lost. [ldap] Attempting reconnect [ldap] attempting LDAP reconnection [ldap] closing existing LDAP connection [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 0 [ldap] bind as cn=radius,ou=users,ou=jessup,ou=clearedge,dc=corp,dc=clearedgeit,dc=com/ceadmin to dc1.corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "radius" with password "ceadmin" [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radius [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 144 to 127.0.0.1 port 44267 Waking up in 4.9 seconds. Cleaning up request 4 ID 144 with timestamp +3796 Ready to process requests. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 12:37 PM, Michael Ströder <michael@stroeder.com> wrote:
Adam Schappell wrote:
I can successfully do a ldapsearch and everything pops up successfully.
Did you bind to AD's LDAP server with ldapsearch [..] -D <identity> -w <password> with the very same values used in FreeRADIUS configuration or for RADIUS login?
From one of your former postings it seems that FreeRADIUS is using filter (uid=aschappell) to search for your user account.
Is attribute 'uid' actually set in your AD user account? This is rather unusal. By default MS AD stores user name in attribut 'sAMAccountName'. So you'd have to change your FreeRADIUS LDAP configuration to use this attribute when generating the search filter.
Well, another log of you shows:
---------------------- snip ---------------------- [ldap] bind as cn=Adam L. Schappell,ou=Domain Admins,ou=Users,ou=Jessup,ou=ClearEdge,dc=corp,dc= clearedge,dc=com/Schappell##113 to corp.clearedgeit.com:389
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf ---------------------- snip ----------------------
It seems in this case the user entry was found but LDAP simple bind failed. You should check whether AD account got locked during your failing attempts.
Ciao, Michael.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Schappell wrote:
This is a couple seconds ago: [..] [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
[ldap] object not found
Please re-read my posting, especially about attribute 'uid' vs. 'sAMAccountName'. Check whether attribute 'uid' is set in the accounts used for testing RADIUS authentication. Ciao, Michael.
Hi,
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
okay...thats your search query
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
[ldap] ldap_search() failed: LDAP connection lost.
and its failing.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
[ldap] object not found
[ldap] search failed
and again edit the ldap config file for your FreeRADIUS so you are using the correct LDAP path and looking for the correct object..... alan
I get its failing but I do not know what else to set it to, It is the correct path, I have tested it on different programs and systems to make sure. Some thing is not right. If it is binding successfully with the same user route and password then why the heck cant it find it????? Sorry just annoying, I have been trying to get this done for sometime now. rad_recv: Access-Request packet from host 127.0.0.1 port 33787, id=167, length=76 User-Name = "radius" User-Password = "ceadmin" NAS-IP-Address = 10.0.1.104 NAS-Port = 0 Message-Authenticator = 0xf09aaa8f36336f802d04927ccae3c245 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [sql] expand: %{User-Name} -> radius [sql] sql_set_user escaped user --> 'radius' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'radius' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'radius' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User radius not found ++[sql] returns notfound [ldap] performing user authorization for radius [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radius [ldap] expand: (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (&(SAMAccountName=radius) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 0 [ldap] bind as cn=radius,ou=Users,ou=Jessup,ou=ClearEdge,dc=corp,dc=clearedgeit,dc=com/ceadmin to dc1.corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (&(SAMAccountName=radius) [ldap] ldap_search() failed: Bad search filter: (&(SAMAccountName=radius) [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 167 to 127.0.0.1 port 33787 Waking up in 4.9 seconds. Cleaning up request 0 ID 167 with timestamp +50 Ready to process requests. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 1:29 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
okay...thats your search query
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
[ldap] ldap_search() failed: LDAP connection lost.
and its failing.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
[ldap] object not found
[ldap] search failed
and again
edit the ldap config file for your FreeRADIUS so you are using the correct LDAP path and looking for the correct object.....
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 30, 2015, at 2:44 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
I get its failing but I do not know what else to set it to, It is the correct path, I have tested it on different programs and systems to make sure. Some thing is not right. If it is binding successfully with the same user route and password then why the heck cant it find it????? Sorry just annoying, I have been trying to get this done for sometime now.
The point is you're not even bothering to read the messages you post here.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (&(SAMAccountName=radius)
[ldap] ldap_search() failed: Bad search filter: (&(SAMAccountName=radius)
Whatever could that mean? Will you: a) start paying attention, and get help or b) rely on everyone else to do your thinking for you, and get ignored? Alan DeKok.
Ok i fixed that, I posted that and realized I shouldnt have posted that. I am not "not" paying attention. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 2:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 30, 2015, at 2:44 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
I get its failing but I do not know what else to set it to, It is the correct path, I have tested it on different programs and systems to make sure. Some thing is not right. If it is binding successfully with the same user route and password then why the heck cant it find it????? Sorry just annoying, I have been trying to get this done for sometime now.
The point is you're not even bothering to read the messages you post here.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (&(SAMAccountName=radius)
[ldap] ldap_search() failed: Bad search filter: (&(SAMAccountName=radius)
Whatever could that mean?
Will you:
a) start paying attention, and get help
or
b) rely on everyone else to do your thinking for you, and get ignored?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I get its failing but I do not know what else to set it to, It is the
read the error. deduce the issue
[ldap] expand: (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (&(SAMAccountName=radius) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
thats wehat came out of the expansion of your current config
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (&(SAMAccountName=radius)
[ldap] ldap_search() failed: Bad search filter: (&(SAMAccountName=radius)
and thats the result
[ldap] search failed
which means that happens the binding and the searching are 2 different things. you had 'working' but failing search with uid - you've now just got a broken search I'd just hazard a guess that you should be using eg (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}) note how upper and lower case have been chosen. alan
Thanks for everyones help. I dont know what exactly I did but I got access accept.. Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "radius" with password "test" [ldap] user DN: CN=rtest,OU=Users,OU=Jetestp,OU=ClearEdge,DC=corp,DC=test,DC=com [ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 1 [ldap] bind as CN=rtests,OU=Users,OU=test,OU=ClearEdge,DC=corp,DC=testeit,DC=com/test to dc1.corp.clearedgeit.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user radius authenticated succesfully ++[ldap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 135 to 127.0.0.1 port 48249 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 135 with timestamp +8 Ready to process requests. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 3:23 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I get its failing but I do not know what else to set it to, It is the
read the error. deduce the issue
[ldap] expand: (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (&(SAMAccountName=radius) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
thats wehat came out of the expansion of your current config
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (&(SAMAccountName=radius)
[ldap] ldap_search() failed: Bad search filter: (&(SAMAccountName=radius)
and thats the result
[ldap] search failed
which means that happens
the binding and the searching are 2 different things. you had 'working' but failing search with uid - you've now just got a broken search
I'd just hazard a guess that you should be using eg (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name})
note how upper and lower case have been chosen.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok I am almost done with all the questions... Now when I go to login to wifi I am able to download cert and everything but I get an authentication failure. I have read most of it and am a little confused. Just wondering if any one had better insight on this. # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x02b0004a1a02b00045315bc9cd734ccc2fe9d6828b890731a36500000000000000005095b99f78e93a0cbf7b644f020752b0d8ea2f460ece269100434f52505c61736368617070656c6c server { [peap] Setting User-Name to CORP\aschappell Sending tunneled request EAP-Message = 0x02b0004a1a02b00045315bc9cd734ccc2fe9d6828b890731a36500000000000000005095b99f78e93a0cbf7b644f020752b0d8ea2f460ece269100434f52505c61736368617070656c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORP\\aschappell" State = 0x56c64cb95676560312b36f089a4e917a server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 176 length 74 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> CORP\aschappell [sql] sql_set_user escaped user --> 'CORP\aschappell' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'CORP=5Caschappell' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'CORP=5Caschappell' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User CORP\aschappell not found ++[sql] returns notfound [ldap] performing user authorization for CORP\aschappell [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> CORP\5caschappell [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=CORP\5caschappell) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (sAMAccountName=CORP\5caschappell) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Creating challenge hash with username: CORP\aschappell [mschap] Told to do MS-CHAPv2 for CORP\aschappell with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\260E=691 R=1" EAP-Message = 0x04b00004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\260E=691 R=1" EAP-Message = 0x04b00004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 126 to 10.0.1.149 port 32776 EAP-Message = 0x01b1002b190017030100209af0407cf44f78b901232ee0fa6c447f520423a19f0fa21733930383a8d19585 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdfd6c0e5d767d92d9b96730baefb4877 Finished request 29. Going to the next request Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 10.0.1.149 port 32776, id=127, length=231 User-Name = "CORP\\aschappell" NAS-IP-Address = 10.0.1.149 NAS-Identifier = "24a43c105cfc" NAS-Port = 0 Called-Station-Id = "24-A4-3C-1B-9F-92:ClearEdgeCORP" Calling-Station-Id = "C8-BC-C8-C0-1D-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b1002b1900170301002062c0e9553e6ba5810b4c114546a334c660bc79916f7276b819b2d01a9fe7faab State = 0xdfd6c0e5d767d92d9b96730baefb4877 Message-Authenticator = 0x8de5a0f2aaede3f1ef08eecdd9bad205 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 177 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> CORP\aschappell attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 30 for 1 seconds Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 3:33 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Thanks for everyones help. I dont know what exactly I did but I got access accept..
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radius" with password "test"
[ldap] user DN: CN=rtest,OU=Users,OU=Jetestp,OU=ClearEdge,DC=corp,DC=test,DC=com
[ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 1
[ldap] bind as CN=rtests,OU=Users,OU=test,OU=ClearEdge,DC=corp,DC=testeit,DC=com/test to dc1.corp.clearedgeit.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user radius authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 135 to 127.0.0.1 port 48249
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 135 with timestamp +8
Ready to process requests.
Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/>
On Mon, Mar 30, 2015 at 3:23 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I get its failing but I do not know what else to set it to, It is the
read the error. deduce the issue
[ldap] expand: (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (&(SAMAccountName=radius) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
thats wehat came out of the expansion of your current config
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (&(SAMAccountName=radius)
[ldap] ldap_search() failed: Bad search filter: (&(SAMAccountName=radius)
and thats the result
[ldap] search failed
which means that happens
the binding and the searching are 2 different things. you had 'working' but failing search with uid - you've now just got a broken search
I'd just hazard a guess that you should be using eg (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name})
note how upper and lower case have been chosen.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Ok I am almost done with all the questions... Now when I go to login to wifi I am able to download cert and everything but I get an authentication failure. I have read most of it and am a little confused. Just wondering if any one had better insight on this.
look, I take it that you are new to FreeRADIUS - but surely you have read the output that you've posted to this list...and seen what it is that is different to the request now using EAP compared to when you were testing with radtest....
[peap] Setting User-Name to CORP\aschappell
look - CORP/aschappell is what was sent through from your client, through the NAS to your RADIUS server
User-Name = "CORP\\aschappell"
see...part of the RADIUS datagram
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
EAP is working okay...you got into the inner-tunnel
[ldap] performing user authorization for CORP\aschappell
[ldap] expand: %{Stripped-User-Name} ->
stripped-user-name is blank because the user-name didnt match any of your prefix or suffix rules...so its kept the same.
[ldap] object not found
[ldap] search failed
..and unlike your plain test, this fails now. ...and because this fails, everything else fails as theres no password to use for the authentication modules. so, if you want to deal with this, you either need to handle that prefix OR you need to strip it - by either defining it in proxy.conf or enabling the ntdomain module which will deal with it. the domain is coming from your windows client...ist the sort of things they do (alternatively, configure the windows client to NOT log in using windows username/password(!) ) but I'll stop you at this point.... you appear to be going down the route of trying to use AD with PEAP - using the LDAP module.... and I'm afraid you wont get much further. you need to use the mschap module with ntlm_auth to do the required authentication, AUTHORISATION is okay with LDAP using MS AD but authentication = no. alan
Does anyone have a front end interface they like to use? Daloradius does not seem to support LDAP/AD when showing users connected to AP's. Thanks Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 4:57 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Ok I am almost done with all the questions... Now when I go to login to wifi I am able to download cert and everything but I get an authentication failure. I have read most of it and am a little confused. Just wondering if any one had better insight on this.
look, I take it that you are new to FreeRADIUS - but surely you have read the output that you've posted to this list...and seen what it is that is different to the request now using EAP compared to when you were testing with radtest....
[peap] Setting User-Name to CORP\aschappell
look - CORP/aschappell is what was sent through from your client, through the NAS to your RADIUS server
User-Name = "CORP\\aschappell"
see...part of the RADIUS datagram
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
EAP is working okay...you got into the inner-tunnel
[ldap] performing user authorization for CORP\aschappell
[ldap] expand: %{Stripped-User-Name} ->
stripped-user-name is blank because the user-name didnt match any of your prefix or suffix rules...so its kept the same.
[ldap] object not found
[ldap] search failed
..and unlike your plain test, this fails now.
...and because this fails, everything else fails as theres no password to use for the authentication modules.
so, if you want to deal with this, you either need to handle that prefix OR you need to strip it - by either defining it in proxy.conf or enabling the ntdomain module which will deal with it. the domain is coming from your windows client...ist the sort of things they do (alternatively, configure the windows client to NOT log in using windows username/password(!) )
but I'll stop you at this point.... you appear to be going down the route of trying to use AD with PEAP - using the LDAP module.... and I'm afraid you wont get much further. you need to use the mschap module with ntlm_auth to do the required authentication, AUTHORISATION is okay with LDAP using MS AD but authentication = no.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Mar 31, 2015 at 09:47:04AM -0400, Adam Schappell wrote:
Does anyone have a front end interface they like to use? Daloradius does not seem to support LDAP/AD when showing users connected to AP's.
For viewing RADIUS logs? elasticsearch. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Adam Schappell wrote:
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
What mech do you want to use in the inner channel (within EAP-TTLS)? Since my OpenLDAP server only has hashed passwords I'm using PAP with Auth-Type LDAP inside EAP-TTLS. pap seems not to be configured in your inner-tunnel. Your mileage may vary.
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=CORP\5caschappell)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (sAMAccountName=CORP\5caschappell)
[ldap] object not found
Why the hell did you enter the user name with NETBIOS domain prefix? FreeRADIUS is *not* a typical Windows component using the Windows-CrackNames-API. So just enter "aschappell" (without the quotes) as user name. Sorry, you should try to read more of the numerous public how-tos describing how to attach FreeRADIUS to MS AD and analyze which mechs are used. (I'm also rather a FreeRADIUS beginner and I read many of those how-tos recently.) Ciao, Michael.
Holy smokes! I got it working! Thank you everyone for your help and dealing with my annoyingness. I integrated the ntlm_auth this morning and got everything working with the Ubiquiti AP's. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 5:40 PM, Michael Ströder <michael@stroeder.com> wrote:
Adam Schappell wrote:
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
What mech do you want to use in the inner channel (within EAP-TTLS)?
Since my OpenLDAP server only has hashed passwords I'm using PAP with Auth-Type LDAP inside EAP-TTLS. pap seems not to be configured in your inner-tunnel.
Your mileage may vary.
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=CORP\5caschappell)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (sAMAccountName=CORP\5caschappell)
[ldap] object not found
Why the hell did you enter the user name with NETBIOS domain prefix?
FreeRADIUS is *not* a typical Windows component using the Windows-CrackNames-API. So just enter "aschappell" (without the quotes) as user name.
Sorry, you should try to read more of the numerous public how-tos describing how to attach FreeRADIUS to MS AD and analyze which mechs are used.
(I'm also rather a FreeRADIUS beginner and I read many of those how-tos recently.)
Ciao, Michael.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Also no the attribute in AD under UNIX Attributes is not set. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 12:37 PM, Michael Ströder <michael@stroeder.com> wrote:
Adam Schappell wrote:
I can successfully do a ldapsearch and everything pops up successfully.
Did you bind to AD's LDAP server with ldapsearch [..] -D <identity> -w <password> with the very same values used in FreeRADIUS configuration or for RADIUS login?
From one of your former postings it seems that FreeRADIUS is using filter (uid=aschappell) to search for your user account.
Is attribute 'uid' actually set in your AD user account? This is rather unusal. By default MS AD stores user name in attribut 'sAMAccountName'. So you'd have to change your FreeRADIUS LDAP configuration to use this attribute when generating the search filter.
Well, another log of you shows:
---------------------- snip ---------------------- [ldap] bind as cn=Adam L. Schappell,ou=Domain Admins,ou=Users,ou=Jessup,ou=ClearEdge,dc=corp,dc= clearedge,dc=com/Schappell##113 to corp.clearedgeit.com:389
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf ---------------------- snip ----------------------
It seems in this case the user entry was found but LDAP simple bind failed. You should check whether AD account got locked during your failing attempts.
Ciao, Michael.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry yes sAMAccountName is radius for user so it seems everything in AD is correct Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 12:37 PM, Michael Ströder <michael@stroeder.com> wrote:
Adam Schappell wrote:
I can successfully do a ldapsearch and everything pops up successfully.
Did you bind to AD's LDAP server with ldapsearch [..] -D <identity> -w <password> with the very same values used in FreeRADIUS configuration or for RADIUS login?
From one of your former postings it seems that FreeRADIUS is using filter (uid=aschappell) to search for your user account.
Is attribute 'uid' actually set in your AD user account? This is rather unusal. By default MS AD stores user name in attribut 'sAMAccountName'. So you'd have to change your FreeRADIUS LDAP configuration to use this attribute when generating the search filter.
Well, another log of you shows:
---------------------- snip ---------------------- [ldap] bind as cn=Adam L. Schappell,ou=Domain Admins,ou=Users,ou=Jessup,ou=ClearEdge,dc=corp,dc= clearedge,dc=com/Schappell##113 to corp.clearedgeit.com:389
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf ---------------------- snip ----------------------
It seems in this case the user entry was found but LDAP simple bind failed. You should check whether AD account got locked during your failing attempts.
Ciao, Michael.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nevermind I just found chading_refferal and turned to no. Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 11:11 AM, Michael Ströder <michael@stroeder.com> wrote:
Alan DeKok wrote:
On Mar 30, 2015, at 9:39 AM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Thanks for the suggestion, since I havent read it already 10 times. Thanks for a little insight tho, appreciate it.
Really? You’ve read it 10 times, and still don’t know what’s going on?
If you (a) speak English, and (b) understand your LDAP schema, it should be pretty clear.
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius) [ldap] rebind to URL ldap:// ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC= clearedgeit,DC=com [ldap] rebind to URL ldap://DomainDnsZones.corp.clearedgeit.com/DC= DomainDnsZones,DC=corp,DC=clearedgeit,DC=com [ldap] rebind to URL ldap:// corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com [ldap] object not found
Do the words “not found” mean anything?
The server prints out the LDAP searches it’s doing. It prints them out for a REASON. So you can READ THEM, and manually verify them against the LDAP tree.
Hmm, this looks like the referrals in MS AD are automagically chased. LDAPv3 referrals are a broken concept anyway and I doubt that FreeRADIUS in particular will find any meaningful entries in the referred AD containers above.
=> I'd switch off referral chasing to avoid this noise in the logs.
This does *not* mean that checking with LDAP client tools is not useful in general.
Ciao, Michael.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[ldap] waiting for bind result ... [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Did you read the debug output? If so, did you follow the suggestion? ============================================================== Please consider the environment before printing this email. If you have received this message in error, please notify the sender and immediately delete this message and any attachment hereto and/or copy hereof, as such message contains confidential information intended solely for the individual or entity to whom it is addressed. The use or disclosure of such information to third parties is prohibited by law and may give rise to civil or criminal liability. The views presented in this message are solely those of the author(s) and do not necessarily represent the opinion of Iberdrola USA Networks, Inc. or any company of its group. Neither Iberdrola USA Networks, Inc. nor any company of its group guarantees the integrity, security or proper receipt of this message. Likewise, neither Iberdrola USA Networks, Inc. nor any company of its group accepts any liability whatsoever for any possible damages arising from, or in connection with, data interception, software viruses or manipulation by third parties. ==============================================================
On Thu, Mar 26, 2015 at 02:24:04PM -0400, Adam Schappell wrote:
Alan, My inner tunnel file is not empty and has a bunch of configs in it.
server inner-tunnel {
ntlm_auth
}
^^^^^^^^^^^ er, really? If that's the top of that file, it's totally broken. You shouldn't have ntlm_auth or a closing } there. Look at the default inner-tunnel config file, and compare to what you've got. Then fix your version. Or, better, replace with the default contents of that file and edit if required. As Alan said, the default configuration does work. To get basic wireless auth working it's unlikely you need to touch inner-tunnel at all. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
Alan, My inner tunnel file is not empty and has a bunch of configs in it.
which file is this? give the full path....and check its the same file that gets printed out with 'radiusd -X' when its loading the configuration files the other usual suspect is you've left another file around in the sites-enabled directory...that will get read in during server startup too...and if it has a "server inner-tunnel" section then that might be the one winning the config race alan
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Adam Schappell -
Alan DeKok -
Garber, Neal -
Matthew Newton -
Michael Ströder -
Stefan Paetow