EAP-TLS User-Name not matching
First off, forgive me if this has been asked before on this list (I did do a search first, yet no results proved useful). I am on a fact finding mission to see whether freeradius is going to be feasible to deploy in my environment (~50 users over ~40 windows and linux desktops). On a test network I have configured an Ubuntu 9.10 Server with a patched freeradius that has openssl (oh what fun that was to build). I have so far altered the original configuration by only a few lines, as everywhere I go I see Alan screaming "Don't change the config!". I changed eap.conf by the following default_eap_type = tls ... fragment_size = 1024 include_length = yes I also changed users to include a few lines, most of which are incorrect, one of which may be correct (but I'm not sure). I added them one at a time in case one did the trick, but no such luck. example.com/user user@example.com host/user winlaptop/user WinLaptop/user I also edited client.conf to include my NAS (pretty standard change so I'm not going to detail it) The issue is when a windows client (A user by the name of user on a laptop named WinLaptop) attempts to connect, it cannot Authenticate. The error seems to be that the user name doesn't match between something and the TLS attrtibute. I would love more info on what this implies and how TLS and Radius work with each other. I get the following radiusd -X output: (sorry for the length) FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 15 2010 at 23:02:23 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 192.168.1.1 { ipaddr = 192.168.1.1 require_message_authenticator = no secret = "secret123" shortname = "AP" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 3079, id=0, length=145 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x6e28f191648ccbe2be4c4354a7975433 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 139 to 127.0.0.1 port 1812 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 139 to 127.0.0.1 port 1812 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=139, length=136 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xa892984cce17699fd5732b0db2faf7a8 Proxy-State = 0x30 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 139 to 127.0.0.1 port 1814 Proxy-State = 0x30 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=139, length=23 Proxy-State = 0x30 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 0 to 192.168.1.1 port 3079 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 139 with timestamp +8 Cleaning up request 0 ID 0 with timestamp +8 Ready to process requests. Thanks in advance for any help! ~Huckle Berry
Huckle Berry wrote:
First off, forgive me if this has been asked before on this list (I did do a search first, yet no results proved useful).
I am on a fact finding mission to see whether freeradius is going to be feasible to deploy in my environment (~50 users over ~40 windows and linux desktops). On a test network I have configured an Ubuntu 9.10 Server with a patched freeradius that has openssl (oh what fun that was to build).
? Building 2.1.7 with OpenSSL should be little more than editing a debian config file. 2.1.8 should be available in the Debian / Ubuntu repositories *with* OpenSSL support.
I have so far altered the original configuration by only a few lines, as everywhere I go I see Alan screaming "Don't change the config!".
Because people keep changing massive amounts of things they don't understand, and asking "why is it broken?"
I changed eap.conf by the following
default_eap_type = tls ... fragment_size = 1024 include_length = yes
Why?
[eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler
Hmm... it *should* print out reasons why it failed. There must be a code path (i.e. one that happens rarely) where this doesn't happen. Alan DeKok.
At this point, I'm wondering if I should put eap.conf back to it's original conf. Every tutorial I've seen has recommended those changes, but none of them were really for the 2.x.x version of freeradius. It's either that or the users file as those are the only two I've touched. Certainly most of the entries in users are incorrect... Is there another switch for for radiusd that would output a more verbose debug, such as what the User-Name is in and out of the eap? ~Huckle Berry On Sun, Jan 17, 2010 at 9:33 AM, Alan DeKok <aland@deployingradius.com>wrote:
HuckleBerry wrote:
default_eap_type = tls fragment_size = 1024 include_length = yes
Why?
[eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler
Hmm... it *should* print out reasons why it failed. There must be a code path (i.e. one that happens rarely) where this doesn't happen.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huckle Berry wrote:
At this point, I'm wondering if I should put eap.conf back to it's original conf. Every tutorial I've seen has recommended those changes, but none of them were really for the 2.x.x version of freeradius.
The documentation for FreeRADIUS says explicitly: nearly every third party "howto" is wrong.
Is there another switch for for radiusd that would output a more verbose debug, such as what the User-Name is in and out of the eap?
No. Alan DeKok.
Hi,
First off, forgive me if this has been asked before on this list (I did do a search first, yet no results proved useful).
I am on a fact finding mission to see whether freeradius is going to be feasible to deploy in my environment (~50 users over ~40 windows and linux desktops). On a test network I have configured an Ubuntu 9.10 Server with a patched freeradius that has openssl (oh what fun that was to build).
err, well, in that case the answer is yes. hundreds of Universities across Europe have installed FreeRADIUS to handle 802.1X authentication wired/wireless of their clients. at our site alone we have over 3000 clients per day authenticating against FR with concurrant usage being around 1200 wireless and 500 wired....with the remaining systems that arent yet configured STILL using FreeRADIUS for captive portal authentication and VMPS (and MAC auth bypass now). heck...for around 50 machines you even have the ability to just configure the clients by hand - even us EAP-TLS whereas for bigger numbers..the issue isnt FR - its the rollout or deployment of the required configuration
rad_recv: Access-Request packet from host 192.168.1.1 port 3079, id=0, length=145 User-Name = "user@example.com<mailto:user@example.com>" NAS-IP-Address = 192.168.1.1
cool. incoming request from NAS
[suffix] Looking up realm "example.com<http://example.com>" for User-Name = "user@example.com<mailto:user@example.com>" [suffix] Found realm "example.com<http://example.com>" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com<http://example.com>" [suffix] Proxying request from user user to realm example.com<http://example.com> [suffix] Preparing to proxy authentication request to realm "example.com<http://example.com>" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com<http://example.com>. Not doing EAP.
hmm. okay
[eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...}
okay. EAP user-name doesnt match the original identity...and no user found either. 2 things you need to ensure 1) in proxy.conf you have 'nostrip' defined for example.com 2) in users file you include the details for the user 'user' eg user Cleartext-Password := "password" alan
On Sun, Jan 17, 2010 at 3:33 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
okay. EAP user-name doesnt match the original identity...and no user found either.
2 things you need to ensure
1) in proxy.conf you have 'nostrip' defined for example.com
This was beginning to occur to me. Initially I ignored proxy.conf because i figured I would never need to proxy anything, but I now see FR proxies to itself... OK, I just tested this and it resulted in me DoS myself as the request bounced back and forth between 127.0.0.1 and 192.168.1.3. This happened both with my eap.conf and the default eap.conf. Something about there being 200+ Proxy-State attributes.
2) in users file you include the details for the user 'user' eg
user Cleartext-Password := "password"
I'm using Certificate based authentication, with myself as the CA, so no password should be needed correct? Or is the Password used to sign the cert needed here?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huckle Berry wrote:
This was beginning to occur to me. Initially I ignored proxy.conf because i figured I would never need to proxy anything, but I now see FR proxies to itself...
It treats the inner tunnel session as a (largely) independent RADIUS request. This makes server design && configuration easier. It also means that FreeRADIUS has capabilities that other RADIUS servers don't have.
OK, I just tested this and it resulted in me DoS myself as the request bounced back and forth between 127.0.0.1 and 192.168.1.3. This happened both with my eap.conf and the default eap.conf. Something about there being 200+ Proxy-State attributes.
So... don't do that. That proxy loop is *not* in the default configuration. It only happens when you try to force proxying for a realm to loop back to the server. Why would this *ever* be a good idea?
2) in users file you include the details for the user 'user' eg
user Cleartext-Password := "password"
I'm using Certificate based authentication, with myself as the CA, so no password should be needed correct? Or is the Password used to sign the cert needed here?
No. You don't need a password. Alan DeKok.
So I reverted to the default conf by copying the confs from the source package. I was forced to alter two lines. $diff eap.conf /etc/freeradius/eap.conf 155c155 < private_key_file = ${certdir}/server.pem ---
private_key_file = ${certdir}/server.key
$diff users /etc/freeradius/users 49a50,53
#################################### user ####################################
Other then those changes all confs are at their 'factory defaults'. Yet still I receive the access-reject packets that started this thread. radiusd -X output is below. (note: still using default certs) freeradius -X FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 15 2010 at 23:02:23 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 192.168.1.1 { ipaddr = 192.168.1.1 require_message_authenticator = no secret = "secret123" shortname = "AP" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 3078, id=0, length=145 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x8daf2ca02316bba446bc8cdbb431725b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry user at line 51 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 73 to 127.0.0.1 port 1812 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 73 to 127.0.0.1 port 1812 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=73, length=136 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x3819431fccc1316733e3aa053276a579 Proxy-State = 0x30 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry user at line 51 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 73 to 127.0.0.1 port 1814 Proxy-State = 0x30 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=73, length=23 Proxy-State = 0x30 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 0 to 192.168.1.1 port 3078 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 73 with timestamp +4 Cleaning up request 0 ID 0 with timestamp +4 Ready to process requests. So much for working 'out-of-the-box'. Certainly this is one of the primary things that freeradius was built to do and I'm sure there are plenty of people who have gotten this to work before. I'm sure the answer is some simple thing I'm overlooking. ~Huckle Berry On Mon, Jan 18, 2010 at 1:53 AM, Alan DeKok <aland@deployingradius.com>wrote:
Huckle Berry wrote:
This was beginning to occur to me. Initially I ignored proxy.conf because i figured I would never need to proxy anything, but I now see FR proxies to itself...
It treats the inner tunnel session as a (largely) independent RADIUS request. This makes server design && configuration easier. It also means that FreeRADIUS has capabilities that other RADIUS servers don't have.
OK, I just tested this and it resulted in me DoS myself as the request bounced back and forth between 127.0.0.1 and 192.168.1.3. This happened both with my eap.conf and the default eap.conf. Something about there being 200+ Proxy-State attributes.
So... don't do that. That proxy loop is *not* in the default configuration. It only happens when you try to force proxying for a realm to loop back to the server.
Why would this *ever* be a good idea?
2) in users file you include the details for the user 'user' eg
user Cleartext-Password := "password"
I'm using Certificate based authentication, with myself as the CA, so no password should be needed correct? Or is the Password used to sign the cert needed here?
No. You don't need a password.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So I reverted to the default conf by copying the confs from the source package. I was forced to alter two lines. $diff eap.conf /etc/freeradius/eap.conf 155c155 < private_key_file = ${certdir}/server.pem ---
private_key_file = ${certdir}/server.key
$diff users /etc/freeradius/users 49a50,53
#################################### user ####################################
Other then those changes all confs are at their 'factory defaults'. Yet still I receive the access-reject packets that started this thread. radiusd -X output is below. (note: still using default certs) freeradius -X FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 15 2010 at 23:02:23 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 192.168.1.1 { ipaddr = 192.168.1.1 require_message_authenticator = no secret = "secret123" shortname = "AP" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 3078, id=0, length=145 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x8daf2ca02316bba446bc8cdbb431725b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry user at line 51 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 73 to 127.0.0.1 port 1812 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 73 to 127.0.0.1 port 1812 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=73, length=136 User-Name = "user" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x3819431fccc1316733e3aa053276a579 Proxy-State = 0x30 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry user at line 51 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 73 to 127.0.0.1 port 1814 Proxy-State = 0x30 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=73, length=23 Proxy-State = 0x30 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 0 to 192.168.1.1 port 3078 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 73 with timestamp +4 Cleaning up request 0 ID 0 with timestamp +4 Ready to process requests. So much for working 'out-of-the-box'. Certianly this is one of the primary things that freeradius was built to do and I'm sure there are plenty of people who have gotten this to work before. I'm sure the an ~Huckle Berry On Mon, Jan 18, 2010 at 1:53 AM, Alan DeKok <aland@deployingradius.com>wrote:
Huckle Berry wrote:
This was beginning to occur to me. Initially I ignored proxy.conf because i figured I would never need to proxy anything, but I now see FR proxies to itself...
It treats the inner tunnel session as a (largely) independent RADIUS request. This makes server design && configuration easier. It also means that FreeRADIUS has capabilities that other RADIUS servers don't have.
OK, I just tested this and it resulted in me DoS myself as the request bounced back and forth between 127.0.0.1 and 192.168.1.3. This happened both with my eap.conf and the default eap.conf. Something about there being 200+ Proxy-State attributes.
So... don't do that. That proxy loop is *not* in the default configuration. It only happens when you try to force proxying for a realm to loop back to the server.
Why would this *ever* be a good idea?
2) in users file you include the details for the user 'user' eg
user Cleartext-Password := "password"
I'm using Certificate based authentication, with myself as the CA, so no password should be needed correct? Or is the Password used to sign the cert needed here?
No. You don't need a password.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, nostrip in the example.com in proxy.conf set the auth to LOCAL this will then get handled locally and the inner-tunnel will deal with the EAP properly. alan
I edited proxy.conf to include: realm example.com { nostrip } and I edited users to read: user Auth-Type := Local but no beans, back to the 200+ Proxy-State attributes and a DoS. I also tried a few capitalizations of the word 'local' just in case it was sensitive to that, still no luck. I'd include the radiusd -X so you could see it yourself, but it is longer than I'm willing to set my scrollback (2000+ lines). ~Huckle Berry On Mon, Jan 18, 2010 at 5:55 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
nostrip in the example.com in proxy.conf
set the auth to LOCAL
this will then get handled locally and the inner-tunnel will deal with the EAP properly.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huckle Berry wrote:
I edited proxy.conf to include: realm example.com <http://example.com> { nostrip } and I edited users to read: user Auth-Type := Local
Delete that. You don't need it.
but no beans, back to the 200+ Proxy-State attributes and a DoS.
Sorry but NOTHING in the default configuration causes the server to proxy packets to itself. If it is proxying packets to itself, the READ THE DEBUG OUTPUT. It will say WHY it is proxying packets to itself. Fix that configuration so it doesn't proxy packets to itself. Or, post that debug output here. It will be pretty obvious what's going wrong, and why. Alan DeKok.
On Mon, Jan 18, 2010 at 7:38 PM, Alan DeKok <aland@deployingradius.com>wrote:
Delete that. You don't need it.
Tossed the "Auth-Type := Local" -- I figured that was not needed
Sorry but NOTHING in the default configuration causes the server to proxy packets to itself.
Maybe proxy to itself was a bad way to describe it, you can interpret the
output yourself if you'd like. I took the last 4096 lines of output and cut out 198 of the Proxy-State attributes from each request, which brought it down to around 400 lines. Enjoy. This output is all from one request to authenticate from a WinXP client and only occurs when "nostrip" is present in proxy.conf under realm example.com. Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radiusd -X output begins below (last 4096 lines, shortened for brevity) Proxy-State = 0x313234 ... Proxy-State = 0x313937 Proxying request 184 to home server 127.0.0.1 port 1812 Sending Access-Request of id 138 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x313937 Going to the next request rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=138, length=980 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xe7395d8a2b4734f027531b160ce32c31 Proxy-State = 0x30 ... Proxy-State = 0x313937 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 243 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x313338 Proxying request 185 to home server 127.0.0.1 port 1812 Sending Access-Request of id 243 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x313338 Going to the next request rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=243, length=985 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x70e7c8fb3c9aeecfa1420e1d8684e7de Proxy-State = 0x30 ... Proxy-State = 0x313338 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 33 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x323433 Proxying request 186 to home server 127.0.0.1 port 1812 Sending Access-Request of id 33 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x313338 Proxy-State = 0x323433 Going to the next request rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=33, length=990 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x61f5446e99b9dda2c4002ec4f82d0774 Proxy-State = 0x30 ... Proxy-State = 0x323433 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 34 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x3333 Proxying request 187 to home server 127.0.0.1 port 1812 Sending Access-Request of id 34 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x3333 Going to the next request rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=34, length=994 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x03998bfa676bbe0703e5d46be2ac2c59 Proxy-State = 0x30 ... Proxy-State = 0x3333 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 147 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x3333 Proxy-State = 0x3334 Proxying request 188 to home server 127.0.0.1 port 1812 Sending Access-Request of id 147 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 ... Proxy-State = 0x3333 Proxy-State = 0x3334 Going to the next request rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=147, length=998 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xeba6020979709e88ea30973cdcf74295 Proxy-State = 0x30 ... Proxy-State = 0x3333 Proxy-State = 0x3334 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 241 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x3133 ... Proxy-State = 0x313437 Proxying request 189 to home server 127.0.0.1 port 1812 Sending Access-Request of id 241 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x323437 ... Proxy-State = 0x3334 Proxy-State = 0x313437 Going to the next request rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=241, length=1003 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x6821c9ece7894c509901e6be862a5159 Proxy-State = 0x30 ... Proxy-State = 0x3334 Proxy-State = 0x313437 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 163 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x3339 ... Proxy-State = 0x3334 Proxy-State = 0x313437 Proxy-State = 0x323431 Proxying request 190 to home server 127.0.0.1 port 1812 Sending Access-Request of id 163 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x3133 ... Proxy-State = 0x313437 Proxy-State = 0x323431 Going to the next request WARNING: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 201, max 200 are allowed). Waking up in 0.7 seconds. Waking up in 16.2 seconds.
Huckle Berry wrote:
Maybe proxy to itself was a bad way to describe it, you can interpret the output yourself if you'd like. I took the last 4096 lines of output
... from an endless loop which repeats the same thing. Why not send the *top* of the output, before it starts to loop back to itself? The debug output you posted does NOT match the other configs you sent. It clearly shows that the server is proxying to "example.com". This happens ONLY if you add "authhost" to the realm configuration for example.com. The config you posted for example.com did *not* have an "authhost" entry. And if you had posted the *top* of the debug output, it would have included the configuration for the "example.com" realm. Which would have showed *why* it was proxying Alan DeKok.
For all I know, the top of the output could be 10,000 (or more) lines up. Funny thing about endless loops, they tend to go on for quite a while. If you want, I'll post my conf files, which should be the same as the top of the output, no? The example.com realm should be in proxy.conf if you want any other confs just ask and I will post. $ grep -v -e \# proxy.conf proxy server { default_fallback = no } home_server localhost { type = auth ipaddr = 127.0.0.1 port = 1812 secret = testing123 require_message_authenticator = no response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server virtual.example.com { virtual_server = virtual.example.com } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover nostrip } realm LOCAL { } Like I said before though, I am running the default config (except for the nostrip line) so if authhost isn't set by default, I didn't add it. ~Huckle Berry On Tue, Jan 19, 2010 at 1:40 AM, Alan DeKok <aland@deployingradius.com>wrote:
Huckle Berry wrote:
Maybe proxy to itself was a bad way to describe it, you can interpret the output yourself if you'd like. I took the last 4096 lines of output
... from an endless loop which repeats the same thing.
Why not send the *top* of the output, before it starts to loop back to itself?
The debug output you posted does NOT match the other configs you sent. It clearly shows that the server is proxying to "example.com". This happens ONLY if you add "authhost" to the realm configuration for example.com.
The config you posted for example.com did *not* have an "authhost" entry.
And if you had posted the *top* of the debug output, it would have included the configuration for the "example.com" realm. Which would have showed *why* it was proxying
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huckle Berry wrote:
For all I know, the top of the output could be 10,000 (or more) lines up. Funny thing about endless loops, they tend to go on for quite a while.
Would re-directing the output to a file work?
Like I said before though, I am running the default config (except for the nostrip line) so if authhost isn't set by default, I didn't add it.
Try using a user from a realm *other* than example.com. Alan DeKok.
I sent out a message this morning w/ the log file output. But even that was 700+ lines and it needed approval before it was forwarded. Haven't heard anything back from the mod about it yet so I'm assuming it went through. If it didn't, let me know and I'll try to trim some of the output that isn't related to the error. ~Huckle Berry On Tue, Jan 19, 2010 at 9:20 AM, Alan DeKok <aland@deployingradius.com>wrote:
Huckle Berry wrote:
For all I know, the top of the output could be 10,000 (or more) lines up. Funny thing about endless loops, they tend to go on for quite a while.
Would re-directing the output to a file work?
Like I said before though, I am running the default config (except for the nostrip line) so if authhost isn't set by default, I didn't add it.
Try using a user from a realm *other* than example.com.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK so the message was blocked for length, here is ~ 450 lines, after this it basically repeats with new ID's several (hundred) times. FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Jan 19 2010 at 01:20:58 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.1 { require_message_authenticator = no secret = "secret123" shortname = "AP" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover nostrip } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 3084, id=0, length=145 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x4596866c49ddc4b0e336c18ead553616 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "example.com" for User-Name = " user@example.com" rlm_realm: Found realm "example.com" rlm_realm: Adding Realm = "example.com" rlm_realm: Proxying request from user user to realm example.com rlm_realm: Preparing to proxy authentication request to realm " example.com" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 212 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 212 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=212, length=148 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x4791db4e63523707dc30aa86b4eb5d10 Proxy-State = 0x30 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "example.com" for User-Name = " user@example.com" rlm_realm: Found realm "example.com" rlm_realm: Adding Realm = "example.com" rlm_realm: Proxying request from user user to realm example.com rlm_realm: Preparing to proxy authentication request to realm " example.com" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 180 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x323132 Proxying request 1 to home server 127.0.0.1 port 1812 Sending Access-Request of id 180 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x323132 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=180, length=153 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xd1cc78e5572f18ab760558efbf7db805 Proxy-State = 0x30 Proxy-State = 0x323132 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "example.com" for User-Name = " user@example.com" rlm_realm: Found realm "example.com" rlm_realm: Adding Realm = "example.com" rlm_realm: Proxying request from user user to realm example.com rlm_realm: Preparing to proxy authentication request to realm " example.com" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 25 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x323132 Proxy-State = 0x313830 Proxying request 2 to home server 127.0.0.1 port 1812 Sending Access-Request of id 25 to 127.0.0.1 port 1812 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "00904b1f9671" NAS-Identifier = "0016b6e2cc20" NAS-Port = 56 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxy-State = 0x323132 Proxy-State = 0x313830 Going to the next request Waking up in 0.9 seconds. On Tue, Jan 19, 2010 at 9:20 AM, Alan DeKok <aland@deployingradius.com>wrote:
Huckle Berry wrote:
For all I know, the top of the output could be 10,000 (or more) lines up. Funny thing about endless loops, they tend to go on for quite a while.
Would re-directing the output to a file work?
Like I said before though, I am running the default config (except for the nostrip line) so if authhost isn't set by default, I didn't add it.
Try using a user from a realm *other* than example.com.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huckle Berry wrote:
OK so the message was blocked for length, here is ~ 450 lines, after this it basically repeats with new ID's several (hundred) times.
If you're not going to bother reading the messages here, I don't see why you're asking questions. I said:
Try using a user from a realm *other* than example.com
Alan DeKok.
There was also a suggestion to make example.com a LOCAL realm. Read proxy.conf for instructions on how to make LOCAL realms. Alan DeKok.
On Thu, Jan 21, 2010 at 1:48 AM, Alan DeKok <aland@deployingradius.com>wrote:
If you're not going to bother reading the messages here, I don't see why you're asking questions.
I thought the golden rule around here was Don't Touch the Conf's, it should just work. Using that information, I wanted to get everything working under the default conf before I went making changes. The other is issue is that this is a production environment I'm working in, so I can only fiddle with it at night when no one's around and put it back before morning, and even then it's only once or twice a week I can do this. This is why I don't get to test every single suggestion the day it is suggested. I will get to it eventually, but I have to guarantee no one is on the network first. There is no funding for a test lab yet. So it may take a few days for me to get output's for these. So here is my current experiment, change "user" from the users file to read "user@example.com Proxy-To-Realm := LOCAL, Auth-Type: EAP". What this has done for me. Now after [pap] has finished I see this output, which looks promising: Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 3085 EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c8c8a805d8f877c3b23b024f6c52334 OR I see this after [pap] finishes: Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 01cf], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0088], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 3085 EAP-Message = 0x0104029a0d8000000290160301002a0200002603014b58d66df2beab... EAP-Message = 0x654e66d7258c14a9f79bcf1c8ee70bd2b801f39057a0bcaa434ba517... EAP-Message = 0x391081d76569059c3613f16442bc0edad9d95016030100880d000080... Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5c8c8a805e88877c3b23b024f6c52334 Finished request 42. The Windows host now states "Attempting to authenticate" as opposed to "Vailidating Identity"/"Failed to vaildate identity" as it did before. And the [tls] module is running now so this is obviously a step in the right direction. Adding or removing a Cleartext-Password or Reply-Message didn't affect the output greatly. ~Huckle Berry
Ok so I sent that last email off a little too prematurely, Some how in my various remakings of my certs, I ended up with no xpextensions.... Don't have time to test it now as I have to give the network back soon. Will report later. ~Huckle Berry
On Fri, Jan 22, 2010 at 12:13 AM, Huckle Berry <huck.berry@gmail.com> wrote:
Will report later.
I installed the new certs (I checked in the details tab on windows that both the server and client have the correct xpextentions) however the client still fails to respond. Just to be sure, I hopped over to my desktop, which runs linux, and set up Wicd for EAP-TLS and same results... Seems like it isn't a Windoze issue (as much as I'd liek it to be) Here's the relevant part of the log: rad_recv: Access-Request packet from host 192.168.1.1 port 3090, id=0, length=148 Cleaning up request 58 ID 0 with timestamp +233 User-Name = "user@example.com" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6e2cc20" Calling-Station-Id = "0016b659f0d7" NAS-Identifier = "0016b6e2cc20" NAS-Port = 62 Framed-MTU = 1400 State = 0x2c846de62e8760f57fd0c142afa7b978 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300060d00 Message-Authenticator = 0x86dfb6f2b9a4a4a219ea59887d5563cc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry user@example.com at line 51 [files] expand: Hello, %{User-Name} -> Hello, user@example.com ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 3090 Reply-Message = "Hello, user@example.com" EAP-Message = 0x010404000dc000000b5703020102020900b66e36fdf4f33312300d06092... EAP-Message = 0x75733112301006035504071309536f6d657768657265311530130603550... EAP-Message = 0xeda0d0b5fe688a3f31d0d2569b4cf4d7f61a2196822bb2acee9a3ad4149... EAP-Message = 0x4652310f300d06035504081306526164697573311230100603550407130... EAP-Message = 0xd3c56640e3b3ce4de1c63af3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c846de62f8060f57fd0c142afa7b978 Finished request 59. Going to the next request Waking up in 4.9 seconds.
~Huckle Berry
Hi, The RADIUS packet has a 8 bit ID field. This ID field is used to track the requests both in the NAS and the RADIUS server. The question is, does the ID need to be unique between the NAS and RADIUS Server for all packet types? So it is OK to have an ID of 102 in an accounting packet and an ID of 102 for an authentication packet at the same time? Thanks, Padam
Padam J Singh wrote:
Hi,
The RADIUS packet has a 8 bit ID field.
This ID field is used to track the requests both in the NAS and the RADIUS server.
The question is, does the ID need to be unique between the NAS and RADIUS Server for all packet types? So it is OK to have an ID of 102 in an accounting packet and an ID of 102 for an authentication packet at the same time?
Yes. Alan DeKok.
On 1/23/2010 2:07 AM, Alan DeKok wrote:
Padam J Singh wrote:
Hi,
The RADIUS packet has a 8 bit ID field.
This ID field is used to track the requests both in the NAS and the RADIUS server.
The question is, does the ID need to be unique between the NAS and RADIUS Server for all packet types? So it is OK to have an ID of 102 in an accounting packet and an ID of 102 for an authentication packet at the same time?
Yes.
Really? But they're going to different destination ports, and therefore different interfaces? -Arran
Arran Cudbard-Bell wrote:
Really? But they're going to different destination ports, and therefore different interfaces?
The "unique" key is: (src ip/port, dst ip/port, RADIUS code / id) If there's no existing match, it's a new packet, and it can be processed. If there is an existing match, then: if (old vector == new vector) packet is DUP if cached reply send it again else if proxied re-transmit proxied packet else ignore dup else packet is new if old packet is done process new else WTF? Nothing could be simpler. :) Alan DeKok.
hi, I'm not sure what you've done to the default config...I've just untarred, ./configure, make, make install a fresh copy of 2.1.8 on a virtual server . then i edited the users files to make a test account and, straight away, did an EAP request to user@example.com and it just worked. alan
participants (5)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Huckle Berry -
Padam J Singh