EAP-session did no finish! (Linux)
Hi. I'm having a hard time migrating FR from one server to another. It worked perfectly on the former and I was able to make an EAP-PEAP-MSCHAPV2 auth from both Linux and Windows. Now I'm stuck with this known error: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xcb306879cb32715a did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! while trying to authenticate from Windows *and Linux*. I can't find the problem, since the configuration is almost identical to the working one. I would appreciate any indication about the issue. Thank you in advance. freeradius -XC > http://pastebin.com/p6FKumjm -- Alberto Martínez Setién Servicio Informático Universidad de Deusto Avda. de las Universidades, 24 48007 - Bilbao (SPAIN) Phone: +34 - 94 413 90 00 Ext 2684 Fax: +34 - 94 413 91 01
Alberto Martínez wrote:
Now I'm stuck with this known error: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xcb306879cb32715a did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Well... that message is pretty clear.
while trying to authenticate from Windows *and Linux*. I can't find the problem, since the configuration is almost identical to the working one.
*ALMOST* ??? Perhaps that difference is causing the problem. It would seem to be a reasonable (and rational) assumption. Alan DeKok.
Hello Alan. "Almost" means the difference between passwords, directories and such. I suspected of the certificate and worked on it, but the error is still there. .... [eap] EAP packet type response id 1 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation << It should be a start, since it's the first message to arrive ++[eap] returns updated . . . Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 80 to 192.168.250.250 port 38895 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6f3ad5846f38cc2e96bfe99ed117c159 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=80, length=264 Sending duplicate reply to client eduroam port 38895 - ID: 80 Sending Access-Challenge of id 80 to 192.168.250.250 port 38895 Waking up in 1.0 seconds. Cleaning up request 0 ID 80 with timestamp +11 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x6f3ad5846f38cc2e did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. So it never establishes an EAP-TLS to begin with. CA & certificates script: http://pastebin.com/tP1cH2Zx 2012/1/17 Alan DeKok <aland@deployingradius.com>
Alberto Martínez wrote:
Now I'm stuck with this known error: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xcb306879cb32715a did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Well... that message is pretty clear.
while trying to authenticate from Windows *and Linux*. I can't find the problem, since the configuration is almost identical to the working one.
*ALMOST* ???
Perhaps that difference is causing the problem.
It would seem to be a reasonable (and rational) assumption.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alberto Martínez Setién Servicio Informático Universidad de Deusto Avda. de las Universidades, 24 48007 - Bilbao (SPAIN) Phone: +34 - 94 413 90 00 Ext 2684 Fax: +34 - 94 413 91 01
Alberto Martínez wrote:
"Almost" means the difference between passwords, directories and such. I suspected of the certificate and worked on it, but the error is still there.
The problem is ALWAYS the same. The Wiki page describes the problems, and the solutions. Try setting up the second server as a brand new server with brand new certificates. Follow the *documented* process of setting up a new server with EAP-TLS / PEAP. It *will* work. Alan DeKok.
On 17/01/12 11:11, Alberto Martínez wrote:
Hello Alan.
"Almost" means the difference between passwords, directories and such. I suspected of the certificate and worked on it, but the error is still there.
It's probably the cert. If it's NOT the cert, then you need to investigate the AP/switch or the client; FreeRADIUS is not receiving the next packet, so either the client or the AP/switch has dropped / ignored it. One thing to check is MTU; you've trimmed the debug so it's hard to know, but usually the next EAP packet would be large(-ish). Also check the client - look in the logs, or use tcpdump to check the client actually receives the EAP packet, and sends a reply. Likewise the AP/switch. Also check any firewalls inbetween.
.... [eap] EAP packet type response id 1 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation << It should be a start, since it's the first message to arrive
No. That's not really true. Ignore that debug message.
The problem is ALWAYS the same. The Wiki page describes the problems, and the solutions.
That particular error is known to pop out when a Windows client uses a misconfigured certificate, or the MTU is too high. This case is neither one nor the other.
Try setting up the second server as a brand new server with brand new certificates. Follow the *documented* process of setting up a new server with EAP-TLS / PEAP. It *will* work.
I have no heavy modifications of the original configuration, just the minimum required for eap-peap-mschapv2 to work. Which has been copied from a working server. It's probably the cert.
I suspected that, but I'm making no progress with it, and I've ended with the process pretty much automated. I will continue doing tests, but i felt i was missing something else. If it's NOT the cert, then you need to investigate the AP/switch or the
client; FreeRADIUS is not receiving the next packet, so either the client or the AP/switch has dropped / ignored it.
Maybe, but the only change made was the address where to point at. However, i should check that too.
One thing to check is MTU; you've trimmed the debug so it's hard to know, but usually the next EAP packet would be large(-ish).
Framed-MTU = 1100 << from debug fragment_size = 1024 << eap.conf (default setting) Also check the client - look in the logs, or use tcpdump to check the
client actually receives the EAP packet, and sends a reply. Likewise the AP/switch.
Also check any firewalls inbetween.
Yes, it shows a conversation, so no dropped packets inbetween. -- Alberto Martínez Setién Servicio Informático Universidad de Deusto Avda. de las Universidades, 24 48007 - Bilbao (SPAIN) Phone: +34 - 94 413 90 00 Ext 2684 Fax: +34 - 94 413 91 01
Are we still having problems with this 'never ending' issue? Sending you Alberto another email .... Date: Tue, 17 Jan 2012 13:18:57 +0100 Subject: Re: EAP-session did no finish! (Linux) From: alberto_martinez@deusto.es To: freeradius-users@lists.freeradius.org The problem is ALWAYS the same. The Wiki page describes the problems, and the solutions. That particular error is known to pop out when a Windows client uses a misconfigured certificate, or the MTU is too high. This case is neither one nor the other. Try setting up the second server as a brand new server with brand new certificates. Follow the *documented* process of setting up a new server with EAP-TLS / PEAP. It *will* work. I have no heavy modifications of the original configuration, just the minimum required for eap-peap-mschapv2 to work. Which has been copied from a working server. It's probably the cert. I suspected that, but I'm making no progress with it, and I've ended with the process pretty much automated. I will continue doing tests, but i felt i was missing something else. If it's NOT the cert, then you need to investigate the AP/switch or the client; FreeRADIUS is not receiving the next packet, so either the client or the AP/switch has dropped / ignored it. Maybe, but the only change made was the address where to point at. However, i should check that too. One thing to check is MTU; you've trimmed the debug so it's hard to know, but usually the next EAP packet would be large(-ish). Framed-MTU = 1100 << from debug fragment_size = 1024 << eap.conf (default setting) Also check the client - look in the logs, or use tcpdump to check the client actually receives the EAP packet, and sends a reply. Likewise the AP/switch. Also check any firewalls inbetween. Yes, it shows a conversation, so no dropped packets inbetween. -- Alberto Martínez Setién Servicio InformáticoUniversidad de DeustoAvda. de las Universidades, 24 48007 - Bilbao (SPAIN)Phone: +34 - 94 413 90 00 Ext 2684Fax: +34 - 94 413 91 01 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Jan 17, 2012 at 7:18 PM, Alberto Martínez <alberto_martinez@deusto.es> wrote:
The problem is ALWAYS the same. The Wiki page describes the problems, and the solutions.
That particular error is known to pop out when a Windows client uses a misconfigured certificate, or the MTU is too high. This case is neither one nor the other.
So just to confirm, you're using the SAME server certificate on BOTH server, which you generate manually, and NOT using the one automatically-created when you install the package (e.g. rpm, deb), right? -- Fajar
Of course not. Give me some credit. BUT, in case I did, the debug would show an ugly TLS error instead of an error referencing a whole other issue. Thanks for your replies anyway. 2012/1/17 Fajar A. Nugraha <list@fajar.net>
On Tue, Jan 17, 2012 at 7:18 PM, Alberto Martínez <alberto_martinez@deusto.es> wrote:
The problem is ALWAYS the same. The Wiki page describes the problems, and the solutions.
That particular error is known to pop out when a Windows client uses a misconfigured certificate, or the MTU is too high. This case is neither one nor the other.
So just to confirm, you're using the SAME server certificate on BOTH server, which you generate manually, and NOT using the one automatically-created when you install the package (e.g. rpm, deb), right?
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alberto Martínez Setién Servicio Informático Universidad de Deusto Avda. de las Universidades, 24 48007 - Bilbao (SPAIN) Phone: +34 - 94 413 90 00 Ext 2684 Fax: +34 - 94 413 91 01
Well, I don't know, since the cert issued for the troubled server is correct. I've just purged FR, reinstalled, issued new certs, and I'm getting the same error while trying to authenticate from Linux. Now I'll post the whole debug: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on May 19 2011 at 15:42:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm deusto.es { authhost = LOCAL accthost = LOCAL } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.250.250 { require_message_authenticator = no secret = "testing123" shortname = "eduroam-test" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name}} --domain DEUSTO --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "altair.deusto.es" port = 389 password = "***edited***" identity = "***edited***" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=deusto,dc=es" filter = "(UserPrincipalName=%{User-Name})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x91f4a30 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/eduroam-certs" pem_file_type = yes private_key_file = "/etc/freeradius/eduroam-certs/server.key" certificate_file = "/etc/freeradius/eduroam-certs/server.pem" CA_file = "/etc/freeradius/eduroam-certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/eduroam-certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/eduroam-certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=105, length=264 User-Name = "almartin@deusto.es" NAS-IP-Address = 192.168.250.250 NAS-Port = 1 NAS-Identifier = "OAW-6000-DEUSTO-MASTER" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0025565C35CF" Called-Station-Id = "000B860AB180" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201001701616c6d617274696e4064657573746f2e6573 Aruba-Essid-Name = "EDUROAM-TEST" Aruba-Location-Id = "CENTRAL.1.SERVICIO.INFORMATICO.SALAREUNIONES.ENFRENTE" Aruba-Attr-10 = 0x63656e7472616c5f7031 Message-Authenticator = 0x1c946e55c146881a2e6f2c5a17df8cd0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] Looking up realm "deusto.es" for User-Name = "almartin@deusto.es" [suffix] Found realm "deusto.es" [suffix] Adding Stripped-User-Name = "almartin" [suffix] Adding Realm = "deusto.es" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for almartin [ldap] expand: (UserPrincipalName=%{User-Name}) -> (UserPrincipalName= almartin@deusto.es) [ldap] expand: dc=deusto,dc=es -> dc=deusto,dc=es [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to altair.deusto.es:389, authentication 0 [ldap] bind as ***edited***/***edited*** to altair.deusto.es:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=deusto,dc=es, with filter (UserPrincipalName=almartin@deusto.es) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user almartin authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 105 to 192.168.250.250 port 38895 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x057cea91057ef3f9789cd4f7935cd400 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=105, length=264 Sending duplicate reply to client eduroam-test port 38895 - ID: 105 Sending Access-Challenge of id 105 to 192.168.250.250 port 38895 Waking up in 0.9 seconds. Cleaning up request 0 ID 105 with timestamp +11 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x057cea91057ef3f9 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=105, length=264 User-Name = "almartin@deusto.es" NAS-IP-Address = 192.168.250.250 NAS-Port = 1 NAS-Identifier = "OAW-6000-DEUSTO-MASTER" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0025565C35CF" Called-Station-Id = "000B860AB180" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201001701616c6d617274696e4064657573746f2e6573 Aruba-Essid-Name = "EDUROAM-TEST" Aruba-Location-Id = "CENTRAL.1.SERVICIO.INFORMATICO.SALAREUNIONES.ENFRENTE" Aruba-Attr-10 = 0x63656e7472616c5f7031 Message-Authenticator = 0x1c946e55c146881a2e6f2c5a17df8cd0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] Looking up realm "deusto.es" for User-Name = "almartin@deusto.es" [suffix] Found realm "deusto.es" [suffix] Adding Stripped-User-Name = "almartin" [suffix] Adding Realm = "deusto.es" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for almartin [ldap] expand: (UserPrincipalName=%{User-Name}) -> (UserPrincipalName= almartin@deusto.es) [ldap] expand: dc=deusto,dc=es -> dc=deusto,dc=es [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=deusto,dc=es, with filter (UserPrincipalName=almartin@deusto.es) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user almartin authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 105 to 192.168.250.250 port 38895 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x59095fb0590b46eff97e2d6b327d0687 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.250.250 port 38895, id=105, length=264 Sending duplicate reply to client eduroam-test port 38895 - ID: 105 Sending Access-Challenge of id 105 to 192.168.250.250 port 38895 Waking up in 0.9 seconds. Cleaning up request 1 ID 105 with timestamp +21 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x59095fb0590b46ef did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. 2012/1/17 Alan DeKok <aland@deployingradius.com>
Alberto Martínez wrote:
Of course not. Give me some credit. BUT, in case I did, the debug would show an ugly TLS error instead of an error referencing a whole other issue.
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alberto Martínez Setién Servicio Informático Universidad de Deusto Avda. de las Universidades, 24 48007 - Bilbao (SPAIN) Phone: +34 - 94 413 90 00 Ext 2684 Fax: +34 - 94 413 91 01
Alberto Martínez wrote:
I've just purged FR, reinstalled, issued new certs, and I'm getting the same error while trying to authenticate from Linux.
Now I'll post the whole debug:
Follow the EAP howto on my web page: http://deployingradius.com I don't know what's wrong with your setup. There are a lot of moving parts in EAP authentication, and it's easy for something to go wrong. Following my Howto will either (a) work, or (b) tell you exactly what is going wrong. Posting the debug output with the *same* message is not helping. Also, the fact that the NAS retransmits the Access-Request is a problem. No, it's not a RADIUS problem. It's likely a problem with the NAS. Go look at *it's* logs to see what's going on. Alan DeKok.
On Tue, Jan 17, 2012 at 9:07 PM, Alberto Martínez <alberto_martinez@deusto.es> wrote:
Of course not.
So you're NOT using the same certificate?
Give me some credit. BUT, in case I did, the debug would show an ugly TLS error instead of an error referencing a whole other issue.
Actually, it'd be much easier to use the same certificates. The non-working one might be missing xpextension. Just something else to check. If you've used the same certificate, identical (or similar-enough) FR configs, one success and the other doesn't, then it's 100% not certificate issue. -- Fajar
My LDAP server uses SASL mechanism for authenticating uid/username against userPassword. How can I integrate this LDAp server with FreeRadius server and what all configuration need to be changed ???. On debug, my radius server shows following error. Kindly suggest Traffic flow as follows: Radius client--> Radius server--> Ldap server --> SASL Authentication---> Backend server rad_recv: Access-Request packet from host 10.168.109.120 port 42911, id=96, length=58 User-Name = "google" User-Password = "google@1234" NAS-IP-Address = 10.1.109.120 NAS-Port = 0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "google", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[smbpasswd] returns notfound [ldap] performing user authorization for google [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> google [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google) [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google) request done: ld 0x748c7d0 msgid 9 [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> google attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 13 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 13 Sending Access-Reject of id 96 to 10.168.109.120 port 42911 Waking up in 4.9 seconds. Regards Vijay -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
vijay t wrote:
My LDAP server uses SASL mechanism for authenticating uid/username against userPassword. How can I integrate this LDAp server with FreeRadius server and what all configuration need to be changed ???. On debug, my radius server shows following error. Kindly suggest
READ the debug output. FreeRADIUS is querying LDAP, and the LDAP server is returning "seach failed". Fix it so that (a) you're using the correct search parameters, or (b) there's a user in LDAP. Alan DeKok.
On 17/01/12 11:55, vijay t wrote:
My LDAP server uses SASL mechanism for authenticating uid/username against userPassword. How can I integrate this LDAp server with FreeRadius server and what all configuration need to be changed ???. On debug, my radius server shows following error. Kindly suggest
Read this: http://deployingradius.com/documents/protocols/compatibility.html And this: http://deployingradius.com/documents/protocols/oracles.html Short version: if you need to use "LDAP BIND", you can only support PAP authentication.
[ldap] expand: %{User-Name} -> google [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google) [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google) request done: ld 0x748c7d0 msgid 9 [ldap] object not found [ldap] search failed
Your first problem is that the LDAP Search has failed. Fix your LDAP search filter, or ensure the user exists.
Hello, Thanks for the quick response.... Please note am "using SASL on my LDAP"... If i create a user in ldap (eg 101821 ) server itself i am able to authenticate the user( Please see the debug output "1") . Am facing problem only for those users whom am using SASL mechanism for userPassword (Please see the debug output "2" ) Debug output "1" rad_recv: Access-Request packet from host 10.168.109.120 port 57709, id=24, length=58 User-Name = "101821" User-Password = "q" NAS-IP-Address = 10.1.109.120 NAS-Port = 0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "101821", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[smbpasswd] returns notfound [ldap] performing user authorization for 101821 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> 101821 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=101821) [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=101821) request done: ld 0x126be520 msgid 4 [ldap] Added User-Password = q in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user 101821 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "q" [pap] Using clear text password "q" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 24 to 10.168.109.120 port 57709 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 24 with timestamp +854 Ready to process requests. Debug output "2" rad_recv: Access-Request packet from host 10.168.109.120 port 54218, id=100, length=58 User-Name = "105900" User-Password = "sbt" NAS-IP-Address = 10.1.109.120 NAS-Port = 0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "105900", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[smbpasswd] returns notfound [ldap] performing user authorization for 105900 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> 105900 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=105900) [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=105900) request done: ld 0x126be520 msgid 3 [ldap] Added User-Password = {SASL}suresht in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user 105900 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "sbt" [pap] Using clear text password "{SASL}suresht" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 105900 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 100 to 10.168.109.120 port 54218 Waking up in 4.9 seconds. Cleaning up request 1 ID 100 with timestamp +106 Ready to process requests. Regards Vijay On January 17, 2012 at 5:35 PM Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 17/01/12 11:55, vijay t wrote:
My LDAP server uses SASL mechanism for authenticating uid/username against userPassword. How can I integrate this LDAp server with FreeRadius server and what all configuration need to be changed ???. On debug, my radius server shows following error. Kindly suggest
Read this:
http://deployingradius.com/documents/protocols/compatibility.html
And this:
http://deployingradius.com/documents/protocols/oracles.html
Short version: if you need to use "LDAP BIND", you can only support PAP authentication.
[ldap] expand: %{User-Name} -> google [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google) [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google) request done: ld 0x748c7d0 msgid 9 [ldap] object not found [ldap] search failed
Your first problem is that the LDAP Search has failed. Fix your LDAP search filter, or ensure the user exists. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
vijay t wrote:
Please note am "using SASL on my LDAP"... If i create a user in ldap (eg 101821 ) server itself i am able to authenticate the user( Please see the debug output "1") . Am facing problem only for those users whom am using SASL mechanism for userPassword (Please see the debug output "2" )
And again, the debug output tells you what is going wrong. Read it. {SASL}... is NOT the users clear-text password. Why is that in the LDAP database? What led you to believe that FreeRADIUS understands it? You *do* understand how databases work, right? Alan DeKok.
On 17/01/12 14:04, Alan DeKok wrote:
vijay t wrote:
Please note am "using SASL on my LDAP"... If i create a user in ldap (eg 101821 ) server itself i am able to authenticate the user( Please see the debug output "1") . Am facing problem only for those users whom am using SASL mechanism for userPassword (Please see the debug output "2" )
And again, the debug output tells you what is going wrong. Read it.
{SASL}... is NOT the users clear-text password.
IIRC that's a special value that OpenLDAP uses; "{SASL}username" tells OpenLDAP to use the SASL library, with the username after the } and the password given in the bind request. So, he's using LDAP as an oracle to talk to an oracle. Maybe there's another oracle in there somewhere... I guess he needs to set "Auth-Type"... I don't know why people construct these Heath Robinson systems that make their lives difficult!
Phil Mayers wrote:
On 17/01/12 14:04, Alan DeKok wrote: IIRC that's a special value that OpenLDAP uses; "{SASL}username" tells OpenLDAP to use the SASL library, with the username after the } and the password given in the bind request.
Sure. But then LDAP should go do that lookup!
So, he's using LDAP as an oracle to talk to an oracle. Maybe there's another oracle in there somewhere...
Probably. As he said, it's FreeRADIUS -> LDAP -> SASL But... the debug log shows FreeRADIUS -> LDAP. So the LDAP-SASL link is broken. Is that a RADIUS problem? Nope.
I guess he needs to set "Auth-Type"... I don't know why people construct these Heath Robinson systems that make their lives difficult!
Because they believe complicated systems are better. Because they can't follow instructions. Because they think they know better than people who've been doing it for 10+ years. Maybe all/some of the above. Alan DeKok.
Quoting Alan DeKok <aland@deployingradius.com>:
Phil Mayers wrote:
On 17/01/12 14:04, Alan DeKok wrote: .... I guess he needs to set "Auth-Type"... I don't know why people construct these Heath Robinson systems that make their lives difficult!
Because they believe complicated systems are better. Because they can't follow instructions. Because they think they know better than people who've been doing it for 10+ years. Maybe all/some of the above.
Alan DeKok.
Aww, come on guys. Are such abusive speculations necessary? Never ascribe to malice that which is adequately explained by incompetence see http://en.wikipedia.org/wiki/Hanlon's_razor Though I'm more of a Heinlein fan myself. Dave.
David Mitton wrote:
Aww, come on guys. Are such abusive speculations necessary?
I've formed my opinions after reading the posts on this list. They generally fall into two categories. The first gives useful information, follows instructions, and gets the problem solved. The second doesn't do any of that. It's really that simple. I've been saying it for ~8 years, and haven't seen any reason to change. Look at the posts from the OP. The debug log shows what the errors are. The "help" on this list is largely just pointing out the messages from the debug log. The real abuse is from people who engage in name-calling, insults, curses, etc. Those people now get unsubscribed. Being factual? That may be hard to take for sensitive people. It's not abusive. Alan DeKok.
I guess he needs to set "Auth-Type"... I don't know why people construct these Heath Robinson systems that make their lives difficult!
Because they believe complicated systems are better. Because they can't follow instructions. Because they think they know better than people who've been doing it for 10+ years. Maybe all/some of the above.
Never ascribe to malice what can be attributed to ignorance. I have an alternate explanation. People construct convoluted systems because they lack a clear mental model of what is going on. Without an overarching understanding they either flail about or they take what they presume is the shortest path to a solution (e.g. LDAP can authenticate, I'll just use that). What is really missing is a simple document which ties all the pieces together so a newbie can form a mental model and design a uncomplicated efficient system. (Yes, I know, an old topic) I'm willing to bet most of the old hands on this list were also befuddled early on and the clarity was only arrived at by diligently peeling back the layers and learning each piece of the puzzle. That's not something a sys admin can do when he/she is given a week to deploy a RADIUS solution especially if they haven't had extensive formal training with networking, system services and authentication. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
John Dennis wrote:
I have an alternate explanation. People construct convoluted systems because they lack a clear mental model of what is going on. Without an overarching understanding they either flail about or they take what they presume is the shortest path to a solution (e.g. LDAP can authenticate, I'll just use that).
They lack a clear process. The *correct* process is documented in the radiusd "man" page, the wiki, and elsewhere. The EAP "howto" on my web page walks through this process in excruciating detail. Ignorance is understandable. You have *never* seen be get annoyed at someone for being ignorant. You *have* seen me get annoyed at people who refuse to learn.
What is really missing is a simple document which ties all the pieces together so a newbie can form a mental model and design a uncomplicated efficient system. (Yes, I know, an old topic)
Yup.
I'm willing to bet most of the old hands on this list were also befuddled early on and the clarity was only arrived at by diligently peeling back the layers and learning each piece of the puzzle.
For me, "diligent" == "having a good method". Method is *more* important than memorizing information. Why would you do that? You can get information about anything via "google".
That's not something a sys admin can do when he/she is given a week to deploy a RADIUS solution especially if they haven't had extensive formal training with networking, system services and authentication.
Yup. If I know nothing about car maintenance, I expect my mechanic to get annoyed when I try to do it myself, ask him questions, *and* make it clear I haven't read the manual. Alan DeKok.
Alan DeKok wrote:
Ignorance is understandable. You have *never* seen be get annoyed at
<sigh> It's getting late here. I need to go home and rest. What I meant to say was you've never seen me get annoyed at people for being ignorant. There are tons of things I don't know. Alan DeKok.
On 17/01/12 13:39, vijay t wrote:
[ldap] Added User-Password = {SASL}suresht in check items
This is all wrong. {SASL}user is only meaningful to the LDAP server. You'll just confuse FreeRADIUS with this; it won't work. You need to understand what you're trying to accomplish: 1. PAP request comes into FreeRADIUS 2. FreeRADIUS performs LDAP search to find LDAP user DN 3. FreeRADIUS makes LDAP BIND with LDAP user DN & PAP password Instead, you have FreeRADIUS doing this: 1. PAP request comes into FreeRADIUS 2. FreeRADIUS performs LDAP search to find LDAP user DN and "plaintext password" 3. FreeRADIUS tries to perform authentication locally using the "plaintext" password (actually {SASL}username) I'm not sure how you can accomplish what you want. You probably need to "hide" userPassword from FreeRADIUS, so that it can't see it. Basically, you're doing something weird. You're going to have to try and figure this out yourself, to a large extent.
participants (8)
-
Alan DeKok -
Alberto Martínez -
David Mitton -
Fajar A. Nugraha -
John Dennis -
Phil Mayers -
Sergio NNX -
vijay t