Need help with 802.1X authentication to Active Directory
I have FreeRadius setup as outlined by the Howto at this link. http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO I am using CENTOS 5 as the host system actiing as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates. The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas? Here is the output of RADIUSD -X [root@cl-radius ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. http://www.nabble.com/file/p11131716/radius-auth.doc radius-auth.doc -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
I have FreeRadius setup as outlined by the Howto at this link. http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I am using CENTOS 5 as the host system actiing as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates.
The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
...followed by silence. nothing there. no attempts to talk RADIUS ever seen. looks very much like you need to let the firewall on the CentOS box allow UDP ports 1812/1813 through /sbin/iptables -L -n alan
Hi Alan, My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message. http://www.nabble.com/file/p11144608/radius-auth.doc radius-auth.doc Bryant Hi,
I have FreeRadius setup as outlined by the Howto at this link. http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I am using CENTOS 5 as the host system actiing as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates.
The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
...followed by silence. nothing there. no attempts to talk RADIUS ever seen. looks very much like you need to let the firewall on the CentOS box allow UDP ports 1812/1813 through /sbin/iptables -L -n alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Have you read the bit of eap.conf titled: !!!!! WARNINGS for Windows compatibility !!!!! just above the peap module? Ivan Kalik Kalik Informatika ISP Dana 15/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Hi Alan,
My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working.
I uploaded a doc with the output of the debug on the first message.
http://www.nabble.com/file/p11144608/radius-auth.doc radius-auth.doc
Bryant
Hi,
I have FreeRadius setup as outlined by the Howto at this link. http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I am using CENTOS 5 as the host system actiing as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates.
The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
....followed by silence. nothing there. no attempts to talk RADIUS ever seen.
looks very much like you need to let the firewall on the CentOS box allow UDP ports 1812/1813 through
/sbin/iptables -L -n
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan, Well in my EAP.Conf file, I have in the eap module a default_eap_type = peap and in my peap module the default_eap_type = mschapv2 Is that correct? tnt wrote:
Have you read the bit of eap.conf titled:
!!!!! WARNINGS for Windows compatibility !!!!!
just above the peap module?
Ivan Kalik Kalik Informatika ISP
Dana 15/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Hi Alan,
My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working.
I uploaded a doc with the output of the debug on the first message.
http://www.nabble.com/file/p11144608/radius-auth.doc radius-auth.doc
Bryant
Hi,
I have FreeRadius setup as outlined by the Howto at this link. http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I am using CENTOS 5 as the host system actiing as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates.
The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
....followed by silence. nothing there. no attempts to talk RADIUS ever
seen.
looks very much like you need to let the firewall on the CentOS box allow UDP ports 1812/1813 through
/sbin/iptables -L -n
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context:
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo...
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
No. I mean this: # If you see the server send an Access-Challenge, # and the client never sends another Access-Request, # then # # STOP! # # The server certificate has to have special OID's # in it, or else the Microsoft clients will silently # fail. See the "scripts/xpextensions" file for # details, and the following page: # # http://support.microsoft.com/kb/814394/en-us # # For additional Windows XP SP2 issues, see: # # http://support.microsoft.com/kb/885453/en-us # # Note that we do not necessarily agree with their # explanation... but the fix does appear to work. What you have posted is just a snip of the whole conversation. If it is the end of it then this is most likely your problem. But to be sure you need to post the whole thing. Ivan Kalik Kalik Infprmatika ISP Dana 15/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Ivan,
Well in my EAP.Conf file, I have in the eap module a default_eap_type = peap and in my peap module the default_eap_type = mschapv2
Is that correct?
tnt wrote:
Have you read the bit of eap.conf titled:
!!!!! WARNINGS for Windows compatibility !!!!!
just above the peap module?
Ivan Kalik Kalik Informatika ISP
Dana 15/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piĹĄe:
Hi Alan,
My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working.
I uploaded a doc with the output of the debug on the first message.
http://www.nabble.com/file/p11144608/radius-auth.doc radius-auth.doc
Bryant
Hi,
I have FreeRadius setup as outlined by the Howto at this link. http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I am using CENTOS 5 as the host system actiing as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates.
The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
....followed by silence. nothing there. no attempts to talk RADIUS ever
seen.
looks very much like you need to let the firewall on the CentOS box allow UDP ports 1812/1813 through
/sbin/iptables -L -n
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context:
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo...
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, Here is the output of the RADIUSD -X [root@cl-radius ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (ntdomain) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.10.2.174:21645, id=165, length=181 User-Name = "host/sqlwebdev.corp.cookielee.com" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202002601686f73742f73716c7765626465762e636f72702e636f6f6b69656c65652e636f6d Message-Authenticator = 0x6c001337c02e78516e0e2aa23aa551ef NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "host/sqlwebdev.corp.cookielee.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: No '\' in User-Name = "host/sqlwebdev.corp.cookielee.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 165 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x586ce0d49898e2796b78e79ec0b2fef3 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=165, length=181 Sending duplicate reply to client 10.10.2.174:21645 - ID: 165 Re-sending Access-Challenge of id 165 to 10.10.2.174 port 21645 --- Walking the entire request list --- Cleaning up request 0 ID 165 with timestamp 46782ad7 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.10.2.174:21645, id=166, length=181 User-Name = "host/sqlwebdev.corp.cookielee.com" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202002601686f73742f73716c7765626465762e636f72702e636f6f6b69656c65652e636f6d Message-Authenticator = 0x57923ccc37781e9907512c6f43cef272 NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "host/sqlwebdev.corp.cookielee.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_realm: No '\' in User-Name = "host/sqlwebdev.corp.cookielee.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 166 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c1edda1e285bd67cd9e264d2c2a43d2 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=166, length=181 Sending duplicate reply to client 10.10.2.174:21645 - ID: 166 Re-sending Access-Challenge of id 166 to 10.10.2.174 port 21645 --- Walking the entire request list --- Cleaning up request 1 ID 166 with timestamp 46782b20 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.10.2.174:21645, id=166, length=181 User-Name = "host/sqlwebdev.corp.cookielee.com" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202002601686f73742f73716c7765626465762e636f72702e636f6f6b69656c65652e636f6d Message-Authenticator = 0x57923ccc37781e9907512c6f43cef272 NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "host/sqlwebdev.corp.cookielee.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_realm: No '\' in User-Name = "host/sqlwebdev.corp.cookielee.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 166 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6aea15319877954c01899ceb8f35cd5d Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=166, length=181 Sending duplicate reply to client 10.10.2.174:21645 - ID: 166 Re-sending Access-Challenge of id 166 to 10.10.2.174 port 21645 --- Walking the entire request list --- Cleaning up request 2 ID 166 with timestamp 46782b2b Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.10.2.174:21645, id=167, length=137 User-Name = "CORP\\bugman" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202001001434f52505c6275676d616e Message-Authenticator = 0x38e2f68ebda0a5f0f55f94b1fe3ad839 NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "CORP\bugman", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_realm: Looking up realm "CORP" for User-Name = "CORP\bugman" rlm_realm: No such realm "CORP" modcall[authorize]: module "ntdomain" returns noop for request 3 rlm_eap: EAP packet type response id 2 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 167 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ae9293037f9137daaaf1f4b61cc0f5 Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=167, length=137 Sending duplicate reply to client 10.10.2.174:21645 - ID: 167 Re-sending Access-Challenge of id 167 to 10.10.2.174 port 21645 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 167 with timestamp 46782ba6 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.10.2.174:21645, id=167, length=137 User-Name = "CORP\\bugman" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202001001434f52505c6275676d616e Message-Authenticator = 0x38e2f68ebda0a5f0f55f94b1fe3ad839 NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "CORP\bugman", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_realm: Looking up realm "CORP" for User-Name = "CORP\bugman" rlm_realm: No such realm "CORP" modcall[authorize]: module "ntdomain" returns noop for request 4 rlm_eap: EAP packet type response id 2 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 167 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa270cc6b99660c3c2cae5de5fdbfda61 Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=167, length=137 Sending duplicate reply to client 10.10.2.174:21645 - ID: 167 Re-sending Access-Challenge of id 167 to 10.10.2.174 port 21645 --- Walking the entire request list --- Cleaning up request 4 ID 167 with timestamp 46782bb0 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137 User-Name = "CORP\\bugman" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202001001434f52505c6275676d616e Message-Authenticator = 0xc99fddd5d26268a110ee68d3ccba91d0 NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "CORP\bugman", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_realm: Looking up realm "CORP" for User-Name = "CORP\bugman" rlm_realm: No such realm "CORP" modcall[authorize]: module "ntdomain" returns noop for request 5 rlm_eap: EAP packet type response id 2 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 168 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x77b7e7cdda3989a1b128b7d5334311c2 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137 Sending duplicate reply to client 10.10.2.174:21645 - ID: 168 Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 168 with timestamp 46782bf8 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137 User-Name = "CORP\\bugman" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202001001434f52505c6275676d616e Message-Authenticator = 0xc99fddd5d26268a110ee68d3ccba91d0 NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "CORP\bugman", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: Looking up realm "CORP" for User-Name = "CORP\bugman" rlm_realm: No such realm "CORP" modcall[authorize]: module "ntdomain" returns noop for request 6 rlm_eap: EAP packet type response id 2 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 168 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b41a15d99600d47f03b461bf870cbb6 Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137 Sending duplicate reply to client 10.10.2.174:21645 - ID: 168 Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 168 with timestamp 46782c03 Nothing to do. Sleeping until we see a request. No. I mean this: # If you see the server send an Access-Challenge, # and the client never sends another Access-Request, # then # # STOP! # # The server certificate has to have special OID's # in it, or else the Microsoft clients will silently # fail. See the "scripts/xpextensions" file for # details, and the following page: # # http://support.microsoft.com/kb/814394/en-us # # For additional Windows XP SP2 issues, see: # # http://support.microsoft.com/kb/885453/en-us # # Note that we do not necessarily agree with their # explanation... but the fix does appear to work. What you have posted is just a snip of the whole conversation. If it is the end of it then this is most likely your problem. But to be sure you need to post the whole thing. Ivan Kalik Kalik Infprmatika ISP -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I spent most of the day getting dialup_admin to work, and I did get it to work. Not being an mysql expert, I have to say what a blessing Webmin turned out to be on the project. It sure was nice to be able to easily use Webmin to look at data in the database table. Everything is working but I have one question. When I add a user through dialup_admin, it puts the password in the table looking like this: $1$Mi0n6YpW$MURqBnAYJLQphvEbk7pRm1. I can go into webmin and change that to a clear text password and NtRadPing will send a Access-Accept reply. If I leave it the way it is, it is rejected because the passwords do not match. What do I need to do to either get freeradius to take the encrypted password, or make dialup_admin put the password in the clear. I assume the first one is the best way of doing things, but whatever you guys think is best. I would probably try to figure some of this out on my own, but its after 5:00 now and I'm going to be out of the office for the next two days, so I thought I would just ask on here so I could be thinking about any replies for the next two days, and maybe fix it first thing Friday morning. The good thing is, if I keep this up, I will be able to help answer questions on here instead of just asking them. :) Thanks, Jay Banks
rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137 User-Name = "CORP\\bugman" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0F-34-A8-FB-0A" Calling-Station-Id = "00-14-38-A7-F4-2B" EAP-Message = 0x0202001001434f52505c6275676d616e Message-Authenticator = 0xc99fddd5d26268a110ee68d3ccba91d0 NAS-Port = 50010 NAS-Port-Type = Ethernet NAS-IP-Address = 10.10.2.174 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "CORP\bugman", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: Looking up realm "CORP" for User-Name = "CORP\bugman" rlm_realm: No such realm "CORP" modcall[authorize]: module "ntdomain" returns noop for request 6 rlm_eap: EAP packet type response id 2 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 168 to 10.10.2.174 port 21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b41a15d99600d47f03b461bf870cbb6 Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137 Sending duplicate reply to client 10.10.2.174:21645 - ID: 168 Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 168 with timestamp 46782c03 Nothing to do. Sleeping until we see a request.
OK, you send a request, server sends challenge ... and then nothing happens. Request is repeated, so is the challenge. Have you installed (self signed) CA certificate on your XP client? Ivan Kalik Kalik Informatika ISP
OK, you send a request, server sends challenge ... and then nothing happens. Request is repeated, so is the challenge. Have you installed (self signed) CA certificate on your XP client? Ivan Kalik Kalik Informatika ISP Hi Ivan, Yes, it took me awhile to figure out the CA.all script, but I did create the certificates finally after 4 days of trying. The client is actually a Windows 2003 server. The XPEXTENSIONS had an entry for the xpserver. I moved all the files that were created to the /etc/raddb/certs directory along with the demoCA Are the scripts designed to create the client certificate for Windows 2003? Thanks, Bryant - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import CA certificate to the trusted certificate store on Windows clients (XP and 2K3; Win 2K can't be used). Ivan Kalik Kalik Informatika ISP Dana 20/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
OK, you send a request, server sends challenge ... and then nothing happens. Request is repeated, so is the challenge. Have you installed (self signed) CA certificate on your XP client?
Ivan Kalik Kalik Informatika ISP
Hi Ivan,
Yes, it took me awhile to figure out the CA.all script, but I did create the certificates finally after 4 days of trying.
The client is actually a Windows 2003 server. The XPEXTENSIONS had an entry for the xpserver. I moved all the files that were created to the /etc/raddb/certs directory along with the demoCA
Are the scripts designed to create the client certificate for Windows 2003?
Thanks, Bryant
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, Sorry I forgot to mention that I did import the cert-clt.p12 and cacert.pem to the local machine certificate store. I was reading a document that was saying that the USERS file is not necessary for authenticating to Active Directory. Is that really true? Here are my config files. http://www.nabble.com/file/p11217074/clients.conf clients.conf http://www.nabble.com/file/p11217074/smb.conf smb.conf http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf http://www.nabble.com/file/p11217074/eap.conf eap.conf http://www.nabble.com/file/p11217074/hosts hosts Thanks, Bryant. Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import CA certificate to the trusted certificate store on Windows clients (XP and 2K3; Win 2K can't be used). Ivan Kalik Kalik Informatika ISP -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
OK. What does the Event Viewer on Win2K3 client say about failed login attempts. Has it recieved Access-Challenge packet? There might be a firewall problem. Ivan Kalik Kalik Informatika ISP Dana 20/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Hi Ivan,
Sorry I forgot to mention that I did import the cert-clt.p12 and cacert.pem to the local machine certificate store.
I was reading a document that was saying that the USERS file is not necessary for authenticating to Active Directory. Is that really true?
Here are my config files. http://www.nabble.com/file/p11217074/clients.conf clients.conf http://www.nabble.com/file/p11217074/smb.conf smb.conf http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf http://www.nabble.com/file/p11217074/eap.conf eap.conf http://www.nabble.com/file/p11217074/hosts hosts
Thanks, Bryant.
Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import CA certificate to the trusted certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
Ivan Kalik Kalik Informatika ISP
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, There are Event log errors in Application and System. Event ID 1053 - Windows cannot determine the user or computer name. (). Group Policy processing aborted. Or error: "The specified user does not exist." Event ID 5719 - The system cannot log you on now because the domain "name" is not available." This would be expected because port security is preventing traffic. Since DOT1X is enabled on the Cisco switch port for the server, I need to authenticate against the RADIUS server which is sending credentials to my AD domain controller. Both the server and the radius server are on the same switch, so there are no firewall issues. The switch is an access switch uplinked to the core switch where the DC is located. All servers are in the same VLAN. I cannot decipher the meaning of the debug negotiations that are happening, but it looks like to me that there is some kind of default in the users file for 255.255.255.254 that is not the IP address of the server in question. Again, my question is if I need a USERS files, because I was reading that this file is not required for AD. Here is my USERS file. http://www.nabble.com/file/p11222403/users users Thanks, Bryant. tnt wrote:
OK. What does the Event Viewer on Win2K3 client say about failed login attempts. Has it recieved Access-Challenge packet? There might be a firewall problem.
Ivan Kalik Kalik Informatika ISP
Dana 20/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Hi Ivan,
Sorry I forgot to mention that I did import the cert-clt.p12 and
cacert.pem
to the local machine certificate store.
I was reading a document that was saying that the USERS file is not necessary for authenticating to Active Directory. Is that really true?
Here are my config files. http://www.nabble.com/file/p11217074/clients.conf clients.conf http://www.nabble.com/file/p11217074/smb.conf smb.conf http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf http://www.nabble.com/file/p11217074/eap.conf eap.conf http://www.nabble.com/file/p11217074/hosts hosts
Thanks, Bryant.
Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import CA certificate to the trusted certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
Ivan Kalik Kalik Informatika ISP
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
You don't need users file if all user/pass information is stored in AD. Can you check if imported certificate is in "Trusted Root" and not some other certificate folder. I can't think of any other reason why the conversation wouldn't start with your network configuration. Ivan Kalik Kalik Informatika ISP Dana 20/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Hi Ivan,
There are Event log errors in Application and System.
Event ID 1053 - Windows cannot determine the user or computer name. (). Group Policy processing aborted. Or error: "The specified user does not exist."
Event ID 5719 - The system cannot log you on now because the domain "name" is not available."
This would be expected because port security is preventing traffic. Since DOT1X is enabled on the Cisco switch port for the server, I need to authenticate against the RADIUS server which is sending credentials to my AD domain controller. Both the server and the radius server are on the same switch, so there are no firewall issues. The switch is an access switch uplinked to the core switch where the DC is located. All servers are in the same VLAN.
I cannot decipher the meaning of the debug negotiations that are happening, but it looks like to me that there is some kind of default in the users file for 255.255.255.254 that is not the IP address of the server in question. Again, my question is if I need a USERS files, because I was reading that this file is not required for AD.
Here is my USERS file.
http://www.nabble.com/file/p11222403/users users
Thanks, Bryant.
tnt wrote:
OK. What does the Event Viewer on Win2K3 client say about failed login attempts. Has it recieved Access-Challenge packet? There might be a firewall problem.
Ivan Kalik Kalik Informatika ISP
Dana 20/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piĹĄe:
Hi Ivan,
Sorry I forgot to mention that I did import the cert-clt.p12 and
cacert.pem
to the local machine certificate store.
I was reading a document that was saying that the USERS file is not necessary for authenticating to Active Directory. Is that really true?
Here are my config files. http://www.nabble.com/file/p11217074/clients.conf clients.conf http://www.nabble.com/file/p11217074/smb.conf smb.conf http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf http://www.nabble.com/file/p11217074/eap.conf eap.conf http://www.nabble.com/file/p11217074/hosts hosts
Thanks, Bryant.
Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import CA certificate to the trusted certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
Ivan Kalik Kalik Informatika ISP
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes, the cert-clt.p12 is imported to the personal and the cacert.pem is in the trusted root certificates. I was looking at another document that was putting chmod 0444 on the cert-clt.p12 and chmod 0400 on the cacert.pem. Then, chown to radius:users on both. Is that necessary? Thanks, Bryant. You don't need users file if all user/pass information is stored in AD. Can you check if imported certificate is in "Trusted Root" and not some other certificate folder. I can't think of any other reason why the conversation wouldn't start with your network configuration. Ivan Kalik Kalik Informatika ISP -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I can't see the fault with the server or the client (certificates are there, wired 802.1x supplicant is enabled by default and set to do EAP-TLS with certificate from local store by default). Only place left to look is NAS. Can you enable debug radius and see what does the log show? Ivan Kalik Kalik Informatika ISP Dana 20/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Yes, the cert-clt.p12 is imported to the personal and the cacert.pem is in the trusted root certificates.
I was looking at another document that was putting chmod 0444 on the cert-clt.p12 and chmod 0400 on the cacert.pem. Then, chown to radius:users on both. Is that necessary?
Thanks, Bryant.
You don't need users file if all user/pass information is stored in AD. Can you check if imported certificate is in "Trusted Root" and not some other certificate folder. I can't think of any other reason why the conversation wouldn't start with your network configuration.
Ivan Kalik Kalik Informatika ISP
-- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message. Bryant -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Uploaded it where? Debug output in your first message is just server startup. It hasn't recieved any packets. Check where is your NAS sending those requests. Ivan Kalik Kalik Informatika ISP Dana 15/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Hi Alan,
My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working.
I uploaded a doc with the output of the debug on the first message.
Bryant -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the doc with the debug output at bottom. Bryant. tnt wrote:
Uploaded it where? Debug output in your first message is just server startup. It hasn't recieved any packets. Check where is your NAS sending those requests.
Ivan Kalik Kalik Informatika ISP
Dana 15/6/2007, "Bryant Marsh" <bryantmarsh@cookielee.com> piše:
Hi Alan,
My initial config on Centos was to turn firewall off. I do have authentication going on, but it looks like the certificates are not working.
I uploaded a doc with the output of the debug on the first message.
Bryant -- View this message in context:
http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo...
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://www.nabble.com/file/p11144421/radius-auth.doc radius-auth.doc -- View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directo... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
I am using CENTOS 5 as the host system actiing as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates.
The Radius server starts correctly but I cannot get my supplicant to authenticate. Any Ideas?
if you have copied the certs to the windows system as per the instructions and available help guides etc and you see the authentication attempts made (sorry, you only posted the main start of radiusd -X and a small snip of the debug output - we need to see it all - yes, ALL 550 odd lines of 'garbage') and you are not seeing ANY attempt being made to hit the ntlm_auth line, then the certs have not been correctly generated. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Bryant Marsh -
Jay Banks -
tnt@kalik.co.yu