freeradius-proxy + PAP works, PEAP and the rest doesn´t
Hi, I´m really going crazy with freeradius. I want to setup a working freeradius proxy. Well, everything should have been configured correctly. I have my certificates, I have installed everything, so freeradius tells me no more errors when starting. Well, what do I want? - External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP. When using local radtest to verify the user, everything looks okay. But as soon I take a windows client, properly configured, or the radeapclient, it doesn´t work. Here is the output from radius -X. It is 1.1.7, but the same errors occur on version 2.0.5: There are two different requests. On (working) with local radtest, the other one with radeapclient. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/src/freeradius/key-bamberg.pem" tls: certificate_file = "/usr/src/freeradius/freeradius-cert.pem" tls: CA_file = "/usr/src/freeradius/chain.txt" tls: private_key_password = "oft36fW!" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "mschapv2" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = yes peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:48444, id=88, length=82 User-Name = "user@domain.org" User-Password = "USERPASS" NAS-IP-Address = 255.255.255.255 NAS-Port = 1100 Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "domain.org" for User-Name = "user@domain.org" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user bamtest to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 172 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 Sending Access-Request of id 0 to 139.212.22.110 port 1812 User-Name = "user@domain.org" User-Password = "USERPASS" NAS-IP-Address = 255.255.255.255 NAS-Port = 1100 Framed-Protocol = PPP Service-Type = Framed-User Proxy-State = 0x3838 --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Accept packet from host 139.212.22.110:1812, id=0, length=24 Proxy-State = 0x3838 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 0 modcall[post-proxy]: module "eap" returns noop for request 0 modcall: leaving group post-proxy (returns noop) for request 0 authorize: Skipping authorize in post-proxy stage rad_check_password: Found Auth-Type System rad_check_password: Found Auth-Type Warning: Found 2 auth-types on request for user 'user@domain.org' rad_check_password: Auth-Type = Accept, accepting the user Sending Access-Accept of id 88 to 127.0.0.1 port 48444 Finished request 0 Going to the next request Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 88 with timestamp 486b8e97 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 127.0.0.1:50250, id=91, length=95 User-Name = "user@domain.org" Message-Authenticator = 0xbaff8358add39a88b6154d7d4d0fa754 EAP-Message = 0x02d2001d0162616d7465737440756e692e777565727a627572672e6465 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "domain.org" for User-Name = "user@domain.org" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user bamtest to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 1 rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 1 modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 Sending Access-Request of id 1 to 139.212.22.110 port 1812 User-Name = "user@domain.org" Message-Authenticator = 0x00000000000000000000000000000000 EAP-Message = 0x02d2001d0162616d7465737440756e692e777565727a627572672e6465 NAS-IP-Address = 127.0.0.1 Proxy-State = 0x3931 #This message appears about 2000+ times: --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 0 seconds... . . . Waking up in 0 seconds... --- Walking the entire request list --- Waking up in 0 seconds... #/This message appears about 2000+ times rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1, length=40 Reply-Message = "Request Denied" Proxy-State = 0x3931 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 1 modcall[post-proxy]: module "eap" returns noop for request 1 modcall: leaving group post-proxy (returns noop) for request 1 Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 127.0.0.1:50250, id=91, length=95 Sending Access-Reject of id 91 to 127.0.0.1 port 50250 Reply-Message = "Request Denied" --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 91 with timestamp 486b8ea2 Nothing to do. Sleeping until we see a request. The question is: What did I do wrong?
uni@christiankraus.de wrote:
Well, what do I want?
- External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.
That's relatively easy. In 2.0, just install it, configure a user/password (see the FAQ), start it in debug mode as root, and un-check "validate server certificate" on the Windows box.
When using local radtest to verify the user, everything looks okay. But as soon I take a windows client, properly configured, or the radeapclient, it doesn´t work.
Here is the output from radius -X. It is 1.1.7, but the same errors occur on version 2.0.5:
Don't run 1.1.7. Honest.
#/This message appears about 2000+ times
<shrug> It's 1.1.7.
rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1, length=40 Reply-Message = "Request Denied" Proxy-State = 0x3931
So... the home server is rejecting the user. Have you run the home server in debug mode to see what it's doing, and why it's rejecting the request? If not, why not? Is it even FreeRADIUS? My guess is that the home server cannot do EAP. If so, why are you "going crazy with freeradius"? You're blaming the proxy for the actions of the home server. Go fix the home server to do EAP. If you can't make it do EAP, throw it away, and replace it with FreeRADIUS. Alan DeKok.
hi, if you really are using freeradius as a proxy, as you stated, then you dont need certificates...as the system will JUST proxy. if you mean you want to terminate EAP on your freeradius, then please dont call it a proxy. get the terminology correct. what did you do wrong? well, since 1.1.7 and 2.0.5 need completely different configs, i doubt you could make the same mistake twice...you CANT use a 1.1.7 config on a 2.0.5 box. from what i can see, the daemon is clearly telling you something is wrong with your DH stuff. read eap.conf properly. get rid of that error. thats your primary task. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
uni@christiankraus.de