I'm trying to use FreeRadius with OpenLDAP for authentication of some Nanostation M2 access points, but have had no luck getting it to work. When using rad_eap_test to experiment, I logged the following: Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group PAP {...} [pap] login attempt with password "-removed-" [pap] Using CRYPT password "*" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Can anyone suggest what I'm doing wrong? The output for this section is the same with rad_eap_test or the AP itself.
Steve Hopps wrote:
I'm trying to use FreeRadius with OpenLDAP for authentication of some Nanostation M2 access points, but have had no luck getting it to work. When using rad_eap_test to experiment, I logged the following: ... [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user.
Can anyone suggest what I'm doing wrong? The output for this section is the same with rad_eap_test or the AP itself.
The password don't match. Enter the correct password. You can do these tests *without* EAP. See raddb/sites-available/inner-tunnel in 2.1.12. Alan DeKok.
We are using the correct password. There must be something broken causing the passwords not to match. That is what I'm looking for help to determine. On Fri, May 11, 2012 at 3:02 PM, Alan DeKok <aland@deployingradius.com> wrote:
Steve Hopps wrote:
I'm trying to use FreeRadius with OpenLDAP for authentication of some Nanostation M2 access points, but have had no luck getting it to work. When using rad_eap_test to experiment, I logged the following: ... [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user.
Can anyone suggest what I'm doing wrong? The output for this section is the same with rad_eap_test or the AP itself.
The password don't match. Enter the correct password.
You can do these tests *without* EAP. See raddb/sites-available/inner-tunnel in 2.1.12.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 14/05/12 15:07, Steve Hopps wrote:
We are using the correct password. There must be something broken causing the passwords not to match. That is what I'm looking for help to determine.
Send a full debug "radiusd -X". The trimmed debug doesn't show enough info. However, at a guess, this line: [pap] Using CRYPT password "*" ...suggests you are pulling a password from somewhere, possibly the "/etc/passwd" file via the "unix" module. Disable that module in your FreeRADIUS config.
I'll post the full log. It should be pulling from OpenLDAP. I had to censor the log in a few places, including the IP of the system I'm using to test, which I changed to 6.6.6.6 Thanks for helping me with this. FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "-removed-" shortname = "localhost" client 6.6.6.6 { ipaddr = 6.6.6.6 require_message_authenticator = no secret = "testing123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/radiusd.conf exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/radiusd.conf expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/radiusd.conf logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/radiusd.conf pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/radiusd.conf mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/radiusd.conf unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/-company-.key" certificate_file = "/etc/freeradius/certs/-company-.crt" CA_file = "/etc/ssl/certs/-company-_ca.crt" private_key_password = "-removed-" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/radiusd.conf files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/radiusd.conf radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/radiusd.conf preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/radiusd.conf ldap { server = "localhost" port = 389 password = "jajol3" identity = "cn=mailnet,dc=-company-,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=People,dc=-company-,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=posixAccount)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x1d590f0 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/radiusd.conf detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=0, length=119 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x020000090174657374 Message-Authenticator = 0xcfdd7846ad5afe2989a9f95268623b3a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop [ldap] performing user authorization for test [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> test [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) [ldap] expand: ou=People,dc=-company-,dc=com -> ou=People,dc=-company-,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=mailnet,dc=-company-,dc=com/jajol3 to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=-company-,dc=com, with filter (uid=test) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 6.6.6.6 port 37880 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb8e744d2b8e6512586ca358443ebedd9 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=1, length=221 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0201005d150016030100520100004e03014fb11b438e0877f1e9c421589b99047fe00b8fc1d2d788894b86d392a0bd5b8500002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100 State = 0xb8e744d2b8e6512586ca358443ebedd9 Message-Authenticator = 0x6b1438d07991cdb0b85b80ab8a1a06f0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 93 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0052], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 04bc], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 6.6.6.6 port 37880 EAP-Message = 0x0102040015c00000070b160301002a0200002603014fb11b430b856912bddd3828f0fa48e7534ff3b94cbaca674eb93fb65d847f430000390116030104bc0b0004b80004b50004b2308204ae3082029602011a300d06092a864886f70d01010505003081a5310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f31193017060355040a13106f6e53686f7265204e6574776f726b73310c300a060355040b13034e4f43312830260603550403131f6f6e53686f726520436572746966696361746520417574686f726974792032311e301c06092a864886f70d010901160f6e6f EAP-Message = 0x63406f6e73686f72652e636f6d301e170d3130303531303136353130365a170d3132303530393136353130365a308193310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f31193017060355040a13106f6e53686f7265204e6574776f726b73310c300a060355040b13034e4f43311630140603550403140d2a2e6f6e73686f72652e636f6d311e301c06092a864886f70d010901160f6e6f63406f6e73686f72652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100bb0fbe4d48432f2a6c5755c5110fb093aed41cfe3addf51e77 EAP-Message = 0x59210a2595039824736d6964b4d927ca7deb7e3e2076143b6c1b0f599f6cc5d16c9bb2b6dab7e4b5b4566cea345d352739b0b40f41a82e17ab1438f996984d75baa4c812287eb171e9debbe5c996a325486ac26184b8b26e2e9930f6f8ecf691631eb1e3739bd95145846d8784b0131a78ab002509d47030da9359d99650613fa1e5d3f27511451b7e47c52e72a2d76d18f274f9c6f54531eb9d3bc34d73ed7daa178ba5e8460076b6e59ae33c32445d142930b5a97a6705ea95b5137e86c5a3f3f5420c527879963d9c2389ac3d4e28e6f1ec5e19b6e265d1142e495eca99fe8f1504fd76558b0203010001300d06092a864886f70d01010505000382 EAP-Message = 0x02010073d7768d817f3ea27e24f66ab7aa9d4432029343faddb79d4f7065e11b3f357f51398d4025cb897e771440b0296d7371f29157ccff12fa31a318e4804a128fd960867a0fde30e29eb679127a390625f8720243cf555128d58ff7790c510ad3a28322eb6940e73106b97553cb89efeaa0259892347bcddcaf3a679f1f29db9c861da5c0ca9080fd01f62a5198419fafa0c1f0cdb02348a06c00ae2f08d465a81f11824763806c2bb106e9b8ff5ffc9bee5da6d7b312c9d64845b24dc18546a5eae4aa7d32fdf0116aa4fea5bbbfdc61e30231867d85c5d93400f6d3d392cda0bdee6d496b6ad338f8d1df209344d96767015d1aeaf0f565d1fb31 EAP-Message = 0xd4aa0effb55cbe1d1d0855e5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb8e744d2b9e5512586ca358443ebedd9 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=2, length=134 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x020200061500 State = 0xb8e744d2b9e5512586ca358443ebedd9 Message-Authenticator = 0xa88dcf7659c37f16f4089bab0fe8c06f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 6.6.6.6 port 37880 EAP-Message = 0x0103031f15800000070b2217e0f200669ddc9ff4b9381a2b5f6f8e8d6d7c58da01b3e66eaae9ccafc14091bf368b555a6303480bd438d2ff9f134ca9e022694b8bb6af556f028cc2be02147af1cc1687503624fe5c3e387fb1f8486e5543cdd61408927ff51a8ec5ee7ad44f28d1e738daea7038e507885af3c1fb47c4d6ddbcf86a0e0d72d71f24084daf305d6b7f778882527d79956aef5d2543ddbf99c50983439fdca0c4fe19d6d30d6fbd6a96688937fafb76904f982929c65e90cb918cdaf032f90d4ec38e266af9528fb919c533c18c3a1a406a1e6b36f9329ea3cd5ab99a162f5a2d5b6a1837335673a9619212dd18518e64e7d6fed9c1a3ed EAP-Message = 0x7dbc9870af7595160301020d0c0002090080b52fb0019c41b4ded3d72c6a9619520bd617f8cd4ed4538f0042d9315427d64fb7eb73a2711a2bad495619fbeffe34a97115a8a879068961db66e311d54f7dcf99af511a270e842640696c0a81bb8dc30e820c65f56c405c5223e5fd3cde3fff6026a788d22069dd08990ddef39b51bf9ef7ca58b8a3e3177107fceeaaf61e0b000102008035296cef92e0d9986d2a65127d06352c7b7a61bc68dae0b08f1e8c81403c589f900f4710c758d5f58ca45687ed2061ea6a78c75a00ec66189138d7778bf51fea999a4bfed4abfa9e26f194060c159f1834c43dbe061411f7eec4f2ead875f38cc0e1b0ea7d83 EAP-Message = 0x7f3dfc4e70771465b62042270f9d122f06f0ece466605c6127f401008e365da2b289cd4068c45628af4f789a54ea06b3aef08164efa6e20de9414c64c1c64a139795d73394136c289769f822aebadc1e1cb637f33beaad99b48b74d69df8c1957bd2e2aeccfcf20b56bafda3df3f291968a95aa6fb86709e50ccd0ef7c29f4b0b10e8e57eecb68288cc5257922a619695cefd3f3efe44d30bf7ef1a11c756c8ae5cd4fd9eabf7d2876b4443cd8d2a90d12fe29fa35c53592d7dc52bd6219161fe2252aaec8942bf5cf1920b30421448439ee6b04bf5f821698e1d221f64cade692eeb539e59d3eb2b6a56186debb889ba8fc80afa60850d71b464fb7be EAP-Message = 0xac101dc4e4d22ea2374a85783b2881ba0982336eb488802f539f8b248b5c9916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb8e744d2bae4512586ca358443ebedd9 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=3, length=332 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x020300cc15001603010086100000820080333be0ce3b64552a01e630488fc361fbf000e2a5886bbb1affe090542631a93dd3ed36a9b5c12fca6068cd77501e5fd4572ad0df3639ede82640e00c93c2ffa835396339126239b134fc9efc1dd4a3cdf4bc2521f24c565ea87f2dcec3eb8323bbc6440c32fbd5cfa87c174e9e422980c4e01e7b331bd791d54d1b492fe59562140301000101160301003098739db445adb06b4f618257f4b93083abe461dfe8d7f074cf9c2674af87fcb6cff7b53d3a7856fce591e0d32ccd5cbb State = 0xb8e744d2bae4512586ca358443ebedd9 Message-Authenticator = 0xe9808c3761c45ed0a39aa2f5f43edfcf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 6.6.6.6 port 37880 EAP-Message = 0x0104004515800000003b1403010001011603010030e99df1915cf1d46a4e55e9794ceaf8d5ad367374f4ffcfb68fc932314653fe0aec21c6883437b8422ffd9b7fbfc848f4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb8e744d2bbe3512586ca358443ebedd9 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=4, length=240 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x02040070150017030100200efb8f893414c4d6a6ff5b39b378deb66bf4633f693d5dfd1d9b5a8efcd6c34d170301004043d02fac92995bbb9e8727814cf68bb0eccbddb77efd7b2f02fa1ed4d6ca547f88c1d927db79d0af791ac260cea141d1f0e30e9abce51cd4b260b2f74faa0c98 State = 0xb8e744d2bbe3512586ca358443ebedd9 Message-Authenticator = 0x4575c39e8df86de1d0777b9fac0ee347 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "test" User-Password = "test123" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "test" User-Password = "test123" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop ++[unix] returns updated [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group PAP {...} [pap] login attempt with password "test123" [pap] Using CRYPT password "*" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CRYPT password check failed): [test] (from client 6.6.6.6 port 0 via TLS tunnel) } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [test] (from client 6.6.6.6 port 0 cli 70-6F-6C-69-73-68) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 4 to 6.6.6.6 port 37880 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +4 Cleaning up request 1 ID 1 with timestamp +4 Cleaning up request 2 ID 2 with timestamp +4 Cleaning up request 3 ID 3 with timestamp +4 Waking up in 1.0 seconds. Cleaning up request 4 ID 4 with timestamp +4 Ready to process requests. On Mon, May 14, 2012 at 9:29 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 14/05/12 15:07, Steve Hopps wrote:
We are using the correct password. There must be something broken causing the passwords not to match. That is what I'm looking for help to determine.
Send a full debug "radiusd -X". The trimmed debug doesn't show enough info.
However, at a guess, this line:
[pap] Using CRYPT password "*"
...suggests you are pulling a password from somewhere, possibly the "/etc/passwd" file via the "unix" module. Disable that module in your FreeRADIUS config.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Steve Hopps wrote:
I'll post the full log. It should be pulling from OpenLDAP. I had to censor the log in a few places, including the IP of the system I'm using to test, which I changed to 6.6.6.6
And please check Phil's comment. It is *still* showing this: [pap] Using CRYPT password "*" THAT is the problem. "*" isn't a valid Crypt'd password. It's there because it's being read from /etc/passwd by the "unix" module. The "unix" module is doing that because your configuration is left over from an older version. This was changed in 2.1.10. From the ChangeLog: * No longer look users up in /etc/passwd in the default configuration. This can be reverted by enabling "unix" in the "authorize" section. In addition, the debug output *clearly* shows it's not getting anything from LDAP: [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access i.e. it found nothing. If you want it to read LDAP, then: a) delete the "unix" module from the "authorize" section b) don't test with a user who's in /etc/passwd c) ensure that the user exists in LDAP. Alan DeKok.
On 14/05/12 15:58, Steve Hopps wrote:
I'll post the full log. It should be pulling from OpenLDAP. I had to
It's not. You haven't configured it to do that.
Module: Instantiating module "ldap" from file /etc/freeradius/radiusd.conf ldap { server = "localhost" port = 389
Ok, you have LDAP configured
rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=0, length=119 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x020000090174657374 Message-Authenticator = 0xcfdd7846ad5afe2989a9f95268623b3a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop [ldap] performing user authorization for test
"ldap" is running in the "outer" tunnel; that's probably not where you want it. You need to put it in the "inner" tunnel. Compare and contrast sites-enabled/default and sites-enabled/inner-tunnel.
/etc/freeradius/sites-enabled/inner-tunnel
Note above, once the EAP outer tunnel has succeeded, further processing happens in the "sites-enabled/inner-tunnel" virtual server.
+- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop ++[unix] returns updated
^^^ this is the problem; the "unix" module is running inside the tunnel and extracting the password for the user "test" from the local /etc/passwd file Comment this line out. Then replace it with "ldap"
[suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group PAP {...} [pap] login attempt with password "test123" [pap] Using CRYPT password "*" [pap] Passwords don't match ++[pap] returns reject
...and it fails.
Well I've been trying to follow the advice here and also what I've found online and in the configs. I attempted to revert to the 'default' config files for sites-enabled, as this project was dropped in my lap after months of another guy working on it and being frustrated, and I wasn't sure what kinds of changes he made. So I restored the files, and attempted some authorizing via the AP we're trying to set up, and here is the log result: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "-removed-" shortname = "localhost" } client 6.6.6.6 { ipaddr = 6.6.6.6 require_message_authenticator = no secret = "testing123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/radiusd.conf exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/radiusd.conf expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/radiusd.conf logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/-company-.key" certificate_file = "/etc/freeradius/certs/-company-.crt" CA_file = "/etc/ssl/certs/-company-_ca.crt" private_key_password = "-removed-" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/radiusd.conf mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/radiusd.conf files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/radiusd.conf ldap { server = "localhost" port = 389 password = "-removed-" identity = "cn=mailnet,dc=-company-,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=People,dc=-company-,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=posixAccount)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x2433ad0 Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/radiusd.conf pap { encryption_scheme = "auto" auto_header = no } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/radiusd.conf radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/radiusd.conf unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/radiusd.conf preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/radiusd.conf detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 66.146.192.5 port 2048, id=162, length=153 User-Name = "test.account" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-22-FA-47-BF-FC" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x029400100173746576652e686f707073 Message-Authenticator = 0x81f873df341d9673d57990eec5fcc8ca # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test.account", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 148 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 162 to 66.146.192.5 port 2048 EAP-Message = 0x019500061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbaa14185ba34547fb710ae7f68f390ce Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 66.146.192.5 port 2048, id=163, length=369 User-Name = "test.account" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-22-FA-47-BF-FC" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x029500d6150016030100cb010000c703014fb158a423a9accba00b561fc886eb029ec41f0c00eede9e3e3c00470038275900005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 State = 0xbaa14185ba34547fb710ae7f68f390ce Message-Authenticator = 0xa19b4694e4af7c852f135c3ebbd8d8b5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test.account", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 149 length 214 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 00cb], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 04bc], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 163 to 66.146.192.5 port 2048 EAP-Message = 0x0196040015c00000071216030100310200002d03014fb158a58c3d363c28bf774f98fdc796ff1b432548e5d9d240c0428e55546afc000039000005ff0100010016030104bc0b0004b80004b50004b2308204ae3082029602011a300d06092a864886f70d01010505003081a5310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f31193017060355040a13106f6e53686f7265204e6574776f726b73310c300a060355040b13034e4f43312830260603550403131f6f6e53686f726520436572746966696361746520417574686f726974792032311e301c06092a864886f70d EAP-Message = 0x010901160f6e6f63406f6e73686f72652e636f6d301e170d3130303531303136353130365a170d3132303530393136353130365a308193310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f31193017060355040a13106f6e53686f7265204e6574776f726b73310c300a060355040b13034e4f43311630140603550403140d2a2e6f6e73686f72652e636f6d311e301c06092a864886f70d010901160f6e6f63406f6e73686f72652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100bb0fbe4d48432f2a6c5755c5110fb093aed4 EAP-Message = 0x1cfe3addf51e7759210a2595039824736d6964b4d927ca7deb7e3e2076143b6c1b0f599f6cc5d16c9bb2b6dab7e4b5b4566cea345d352739b0b40f41a82e17ab1438f996984d75baa4c812287eb171e9debbe5c996a325486ac26184b8b26e2e9930f6f8ecf691631eb1e3739bd95145846d8784b0131a78ab002509d47030da9359d99650613fa1e5d3f27511451b7e47c52e72a2d76d18f274f9c6f54531eb9d3bc34d73ed7daa178ba5e8460076b6e59ae33c32445d142930b5a97a6705ea95b5137e86c5a3f3f5420c527879963d9c2389ac3d4e28e6f1ec5e19b6e265d1142e495eca99fe8f1504fd76558b0203010001300d06092a864886f70d EAP-Message = 0x0101050500038202010073d7768d817f3ea27e24f66ab7aa9d4432029343faddb79d4f7065e11b3f357f51398d4025cb897e771440b0296d7371f29157ccff12fa31a318e4804a128fd960867a0fde30e29eb679127a390625f8720243cf555128d58ff7790c510ad3a28322eb6940e73106b97553cb89efeaa0259892347bcddcaf3a679f1f29db9c861da5c0ca9080fd01f62a5198419fafa0c1f0cdb02348a06c00ae2f08d465a81f11824763806c2bb106e9b8ff5ffc9bee5da6d7b312c9d64845b24dc18546a5eae4aa7d32fdf0116aa4fea5bbbfdc61e30231867d85c5d93400f6d3d392cda0bdee6d496b6ad338f8d1df209344d96767015d1a EAP-Message = 0xeaf0f565d1fb31d4aa0effb5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbaa14185bb37547fb710ae7f68f390ce Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 66.146.192.5 port 2048, id=164, length=161 User-Name = "test.account" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-22-FA-47-BF-FC" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x029600061500 State = 0xbaa14185bb37547fb710ae7f68f390ce Message-Authenticator = 0x46e54dc8b4f72ceff6ac06465a4cd207 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test.account", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 150 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 164 to 66.146.192.5 port 2048 EAP-Message = 0x019703261580000007125cbe1d1d0855e52217e0f200669ddc9ff4b9381a2b5f6f8e8d6d7c58da01b3e66eaae9ccafc14091bf368b555a6303480bd438d2ff9f134ca9e022694b8bb6af556f028cc2be02147af1cc1687503624fe5c3e387fb1f8486e5543cdd61408927ff51a8ec5ee7ad44f28d1e738daea7038e507885af3c1fb47c4d6ddbcf86a0e0d72d71f24084daf305d6b7f778882527d79956aef5d2543ddbf99c50983439fdca0c4fe19d6d30d6fbd6a96688937fafb76904f982929c65e90cb918cdaf032f90d4ec38e266af9528fb919c533c18c3a1a406a1e6b36f9329ea3cd5ab99a162f5a2d5b6a1837335673a9619212dd18518e64 EAP-Message = 0xe7d6fed9c1a3ed7dbc9870af7595160301020d0c0002090080b52fb0019c41b4ded3d72c6a9619520bd617f8cd4ed4538f0042d9315427d64fb7eb73a2711a2bad495619fbeffe34a97115a8a879068961db66e311d54f7dcf99af511a270e842640696c0a81bb8dc30e820c65f56c405c5223e5fd3cde3fff6026a788d22069dd08990ddef39b51bf9ef7ca58b8a3e3177107fceeaaf61e0b00010200808b95619654cc7cad72e6d860b563488e93e799b169851dff161f99ffada74c0b5caa01fe654231dd9b806af7b5ce03a2d5a86d42eb0ab131bf2dec93af82d875f4912b2db6709a82950278a349b78f1347ea79e3d389e99b31db5a0209d765 EAP-Message = 0x3c8a10ba52ed1fb2c8df0772de0b0a78ebf0c060ad6817dda1ed879f70377bdbe40100479f0778c90f0c80e039bf4304abcf1f563e073fd83adb0ec48e51ed81a52792c8af1192eb5177a88848171122653c8bed30c34001184551b029a908d141433afe00d4d68700393aab57d4f7a189218cda4cf40820bbe5b4ec107d960861a1cf26d4f24e8eec93e907d1db1fe951e3d213caa777402a4e138ef57ba31c60b0964b319c67a63717bbd18e1d4ffabe1f5169b15b89b55ff8cca70e9706f1b5435ad7fea8b3440c9a7d5e2b22cb6ba9d14ebf0a5db35f769329f7d0cb6d46b8631a004da9347b3ad34ce189b1c22761bfbb601f02228aa8e5887db7 EAP-Message = 0x8504ce4234a11267748e3dbc3e9c6975998c90dc1bcbb795c92196e0350a1fbde5630162b26316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbaa14185b836547fb710ae7f68f390ce Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 66.146.192.5 port 2048, id=165, length=359 User-Name = "test.account" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-22-FA-47-BF-FC" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x029700cc150016030100861000008200807ff5c09b6278ba0b8eac6c30dd440a8beb12921c8b11a0f2caefe3f9d170cd2368207701e8e93f15bf7a56d8e0581203395eca3943a7468eb01d09a40264eb81b3b07496bdf6c7acccd3ffab4896dfee1eac7e0124f1aa1f3edd3a514a730e15d1a242e27f9441fff25d1a551de4ff9113d5213cfca5b5fd5baedf09f412291b140301000101160301003000b2be90745e592a791f83f06315ba2ad530e33d9847a7dc21c14b267990d2d91a03f5520194c34ab6a2e31b668105b7 State = 0xbaa14185b836547fb710ae7f68f390ce Message-Authenticator = 0x25485d5a38c48bc1ab386904cfd96c88 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test.account", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 151 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 165 to 66.146.192.5 port 2048 EAP-Message = 0x0198004515800000003b1403010001011603010030617c9c272d9b82e4fa9285e960b2d9f725fb060f58a9a81474c4319da7a81fd37979f8660a5766e28ecb247ec66fc470 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbaa14185b939547fb710ae7f68f390ce Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 66.146.192.5 port 2048, id=166, length=299 User-Name = "test.account" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-22-FA-47-BF-FC" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0298009015001703010020bf7b81f2d9d284fb074760c712c39dc39c23a6895dea13ec8b17c0c988ac61381703010060151d4e77c4a8ac62fcae21cc233bacc6f60d2f27be9f44cf7016ac9fbaf267f9079eaa3709ffc7772445abb958c426c391fd29239bda404025a697793c803305b7246dd2c00cd97334416440be22057e1e8b8eb782dfce6603f09f943ff98a94 State = 0xbaa14185b939547fb710ae7f68f390ce Message-Authenticator = 0xee653bae0651c140d860abd2356b8f25 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test.account", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 152 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "test.account" User-Password = "-removed-" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "test.account" User-Password = "-removed-" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test.account", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for test.account [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> test.account [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test.account) [ldap] expand: ou=People,dc=-company-,dc=com -> ou=People,dc=-company-,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=mailnet,dc=-company-,dc=com/-removed- to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=-company-,dc=com, with filter (uid=test.account) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user test.account authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [test.account] (from client 66.146.192.5 port 0 via TLS tunnel) } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [test.account] (from client 66.146.192.5 port 0 cli 00-22-FA-47-BF-FC) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test.account attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 166 to 66.146.192.5 port 2048 EAP-Message = 0x04980004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 162 with timestamp +12 Cleaning up request 1 ID 163 with timestamp +12 Cleaning up request 2 ID 164 with timestamp +12 Cleaning up request 3 ID 165 with timestamp +12 Waking up in 1.0 seconds. Cleaning up request 4 ID 166 with timestamp +12 Ready to process requests. ---------------------- It seems to me it is working all the way up until "ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user" but perhaps I'm overlooking something. I appreciate any further assistance anyone can offer. On Mon, May 14, 2012 at 10:22 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 14/05/12 15:58, Steve Hopps wrote:
I'll post the full log. It should be pulling from OpenLDAP. I had to
It's not. You haven't configured it to do that.
Module: Instantiating module "ldap" from file /etc/freeradius/radiusd.conf ldap { server = "localhost" port = 389
Ok, you have LDAP configured
rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=0, length=119 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x020000090174657374 Message-Authenticator = 0xcfdd7846ad5afe2989a9f95268623b3a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop [ldap] performing user authorization for test
"ldap" is running in the "outer" tunnel; that's probably not where you want it. You need to put it in the "inner" tunnel.
Compare and contrast sites-enabled/default and sites-enabled/inner-tunnel.
/etc/freeradius/sites-enabled/inner-tunnel
Note above, once the EAP outer tunnel has succeeded, further processing happens in the "sites-enabled/inner-tunnel" virtual server.
+- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop ++[unix] returns updated
^^^ this is the problem; the "unix" module is running inside the tunnel and extracting the password for the user "test" from the local /etc/passwd file
Comment this line out. Then replace it with "ldap"
[suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group PAP {...} [pap] login attempt with password "test123" [pap] Using CRYPT password "*" [pap] Passwords don't match ++[pap] returns reject
...and it fails.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Well I've been trying to follow the advice here and also what I've found online and in the configs. I attempted to revert to the 'default' config files for sites-enabled, as this project was dropped in my lap after months of another guy working on it and being frustrated, and I wasn't sure what kinds of changes he made.
bad luck. ..and even badder that one of the more exotic implementations EAP with LDAP) is being looked at. if the system has NEVER got to a working state then I'd advise to start from scratch (and ideally with the latest release version 2.1.12 - rather than 2.1.10 which has lots of interesting bugs... you wouldnt start a new project with Windows ME would you? :-) so.....you are trying to use LDAP..and from the logs, it looks like LDAP was queried in the inner-tunnel (ie after EAP session has been started)...but no user password was found.....which then makes me wonder if the userPassword attribute you want to use is storing the password in a suitable form? is it stored as plain text or NT-Hash? If not, this wont work. alan
I was able to get this working, thanks for all your help everyone On Mon, May 14, 2012 at 4:51 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Well I've been trying to follow the advice here and also what I've found online and in the configs. I attempted to revert to the 'default' config files for sites-enabled, as this project was dropped in my lap after months of another guy working on it and being frustrated, and I wasn't sure what kinds of changes he made.
bad luck. ..and even badder that one of the more exotic implementations EAP with LDAP) is being looked at.
if the system has NEVER got to a working state then I'd advise to start from scratch (and ideally with the latest release version 2.1.12 - rather than 2.1.10 which has lots of interesting bugs... you wouldnt start a new project with Windows ME would you? :-)
so.....you are trying to use LDAP..and from the logs, it looks like LDAP was queried in the inner-tunnel (ie after EAP session has been started)...but no user password was found.....which then makes me wonder if the userPassword attribute you want to use is storing the password in a suitable form? is it stored as plain text or NT-Hash? If not, this wont work.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Steve Hopps wrote:
We are using the correct password.
You can believe what the server sees. Or you can believe a fantasy. It's that simple.
There must be something broken causing the passwords not to match. That is what I'm looking for help to determine.
As Phil said, post the FULL debug log. Posting snippets is useless. Alan DeKok.
Hi,
We are using the correct password. There must be something broken causing the passwords not to match. That is what I'm looking for help to determine.
WHERE are you using the correct password? if the client is being given the correct password, then where are the usernames and paswords being stored, LDAP, SQL, users file, /etc/password? if you have multiple sources, one of them is wrong. alan
participants (4)
-
alan buxey -
Alan DeKok -
Phil Mayers -
Steve Hopps