Freeradius doesn't detect EAP when authenticating against MySQL
Hi, I'm trying to use my existing freeradius server and mysql database to add 802.1X PEAP functionality to my wireless network. Currently, it works great authenticating my cisco device logins. However, after setting the peap stuff up, when I try to log in with a user on the wireless, it -seems to get the wrong auth-type, and fails. Here's what happens:
rad_recv: Access-Request packet from host 192.168.1.10:2050, id=0, length=125 User-Name = "growse" NAS-IP-Address = 192.168.1.10 Called-Station-Id = "0016b6edfe1b" Calling-Station-Id = "000e35bd8c13" NAS-Identifier = "0016b6edfe1b" NAS-Port = 34 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = <some stuff> Message-Authenticator = <more stuff> Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "growse", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 radius_xlat: 'growse' rlm_sql (sql): sql_set_user escaped user --> 'growse' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'growse' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'growse' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'growse' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'growse' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [growse] (from client wlan port 34 cli 000e35bd8c13)
However, if I put something like: "testuser" Auth-Type = EAP, User-Password := "test" in the users file and use the test credentials on the wireless client, it works fine. I've read a bunch of things saying that the Auth-Type aatribute shouldn't need to be set and that it should figure out that it's EAP by itself. However when using the sql db as a credentials store it can't seem to figure out that it's an EAP request. Any ideas how to fix this? Thanks, Andrew
users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local
What is that DEFAULT entry? Is Auth-Type Local coming from there? Or do you have in the database? It had to come from somewhere. And what Freeradius version are you using? User-Password should not be used in recent server versions. Ivan Kalik Kalik Informatika ISP
tnt@kalik.co.yu wrote:
users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local
What is that DEFAULT entry? Is Auth-Type Local coming from there? Or do you have in the database? It had to come from somewhere.
The DEFAULT entry in the users is for an auth-type of System. There's nothing in the DB that specifies an auth-type.
And what Freeradius version are you using? User-Password should not be used in recent server versions.
Freeradius version is 1.1.6. What do you mean about User-Password shouldn't be used? Thanks, Andrew
Read the documentation (wiki, users file). For 1.1.6. you should be using Cleartext-Password attribute. Ivan Kalik Kalik Informatika ISP Dana 8/9/2007, "Andrew Rowson" <freeradius@growse.com> piše:
tnt@kalik.co.yu wrote:
users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local
What is that DEFAULT entry? Is Auth-Type Local coming from there? Or do you have in the database? It had to come from somewhere.
The DEFAULT entry in the users is for an auth-type of System. There's nothing in the DB that specifies an auth-type.
And what Freeradius version are you using? User-Password should not be used in recent server versions.
Freeradius version is 1.1.6. What do you mean about User-Password shouldn't be used?
Thanks,
Andrew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.co.yu wrote:
Read the documentation (wiki, users file). For 1.1.6. you should be using Cleartext-Password attribute.
Ok, I updated the radcheck table in mysql so that the atttibute read "Cleartext-Password". I now get a different result when trying to log in from the wlan: rlm_sql (sql): No matching entry in the database for request from user [growse] modcall[authorize]: module "sql" returns notfound for request 7 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Login incorrect: [growse] (from client wlan port 34 cli 000e35bd8c13) For some reason, sql is now returning "not found", presumably because it's looking for the "Password" attribute and doesn't understand "Cleartext-Password" (just guessing here). However, the correct auth-type is now set, although it rejects the user. Is it rejecting because the sql module returned notfound? Also, my cisco device logins have now broken since updating this attribute, I'm guessing because the sql module can't authenticate the user against the db? Thanks, Andrew
Dana 8/9/2007, "Andrew Rowson" <freeradius@growse.com> piše:
tnt@kalik.co.yu wrote:
users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local
What is that DEFAULT entry? Is Auth-Type Local coming from there? Or do you have in the database? It had to come from somewhere. The DEFAULT entry in the users is for an auth-type of System. There's nothing in the DB that specifies an auth-type.
And what Freeradius version are you using? User-Password should not be used in recent server versions. Freeradius version is 1.1.6. What do you mean about User-Password shouldn't be used?
Thanks,
Andrew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Andrew Rowson wrote:
Ok, I updated the radcheck table in mysql so that the atttibute read "Cleartext-Password". I now get a different result when trying to log in from the wlan: ... rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
Please post the *previous* debug messages, which indicate *why* the user was rejected.
Also, my cisco device logins have now broken since updating this attribute, I'm guessing because the sql module can't authenticate the user against the db?
No. The SQL module doesn't authenticate users. Again, read the *entire* debug log to see what's going on. Alan DeKok.
Alan DeKok wrote:
Andrew Rowson wrote:
Ok, I updated the radcheck table in mysql so that the atttibute read "Cleartext-Password". I now get a different result when trying to log in from the wlan: ... rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
Please post the *previous* debug messages, which indicate *why* the user was rejected.
A complete output dump from freeradius is quite long, so I've hosted it at http://public.growse.com/radiusd.log Looking over it, it seems that a problem comes up with the MSCHAP bit: rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 14 This appears to imply that there's no User-Password entry found anywhere for the user in the database. This would be correct, as the attribute in the radcheck table is set to Cleartext-Password. Anything other than Cleartext-Password and freeradius doesn't attempt an auth-type of EAP, but Local instead, going back to my original problem. Andrew
Also, my cisco device logins have now broken since updating this attribute, I'm guessing because the sql module can't authenticate the user against the db?
No. The SQL module doesn't authenticate users.
Again, read the *entire* debug log to see what's going on.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Andrew Rowson wrote:
Looking over it, it seems that a problem comes up with the MSCHAP bit:
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 14
This appears to imply that there's no User-Password entry found anywhere for the user in the database. This would be correct, as the attribute in the radcheck table is set to Cleartext-Password. Anything other than Cleartext-Password and freeradius doesn't attempt an auth-type of EAP, but Local instead, going back to my original problem.
What does the database contain? Cleartext-Password == password, or Cleartext-Password := password ? Alan DeKok.
On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <aland@deployingradius.com> wrote:
Andrew Rowson wrote:
Looking over it, it seems that a problem comes up with the MSCHAP bit:
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 14
This appears to imply that there's no User-Password entry found anywhere for the user in the database. This would be correct, as the attribute in the radcheck table is set to Cleartext-Password. Anything other than Cleartext-Password and freeradius doesn't attempt an auth-type of EAP, but Local instead, going back to my original problem.
What does the database contain? Cleartext-Password == password, or Cleartext-Password := password ?
The database contains Cleartext-Password == password. I've tried it with :=, but if I remember correctly that fails as well, with the Auth-type being set to local again. I'll see if I can get a log of that failure as well, if it'd be helpful? Andrew
Andrew Rowson wrote:
The database contains Cleartext-Password == password. I've tried it with :=, but if I remember correctly that fails as well,
Use := for Cleartext-Password.
with the Auth-type being set to local again. I'll see if I can get a log of that failure as well, if it'd be helpful?
No. Upgrade to 1.1.7, I think it solves this problem. Alan DeKok.
Alan DeKok wrote:
Andrew Rowson wrote:
The database contains Cleartext-Password == password. I've tried it with :=, but if I remember correctly that fails as well,
Use := for Cleartext-Password.
My radcheck table is now looking like this: +----+------------+--------------------+----+-----------+ | id | UserName | Attribute | op | Value | +----+------------+--------------------+----+-----------+ | 1 | growse | Cleartext-Password | := | password1 |
with the Auth-type being set to local again. I'll see if I can get a log of that failure as well, if it'd be helpful?
No.
Upgrade to 1.1.7, I think it solves this problem.
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db? Thanks, Andrew
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
modcall[authorize]: module "sql" returns ok for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request] Remove whatever is on line 155 of the "users" file; it is setting Auth-Type (almost always a bad idea) to "Local" so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
modcall[authorize]: module "sql" returns ok for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request]
Remove whatever is on line 155 of the "users" file; it is setting Auth-Type (almost always a bad idea) to "Local" so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.
I had the following on line 155, which when commented out, seems to make no difference. DEFAULT Auth-Type = System Fall-Through = 1 Andrew
Andrew Rowson wrote:
I had the following on line 155, which when commented out, seems to make no difference.
DEFAULT Auth-Type = System Fall-Through = 1
(1) Start off with the default radiusd.conf in 1.1.7. (2) Change just enough to enable tls and peap (3) run the tests There is NOTHING in the default config that forces "Auth-Type := Local". If you see it happening, it's because of some configuration on your system that is NOT normal. Alan DeKok.
Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck. Ivan Kalik Kalik Informatika ISP Dana 16/9/2007, "Andrew Rowson" <freeradius@growse.com> piše:
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
modcall[authorize]: module "sql" returns ok for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request]
Remove whatever is on line 155 of the "users" file; it is setting Auth-Type (almost always a bad idea) to "Local" so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.
I had the following on line 155, which when commented out, seems to make no difference.
DEFAULT Auth-Type = System Fall-Through = 1
Andrew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.co.yu wrote:
Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck.
Ivan Kalik Kalik Informatika ISP
I feel really stupid now. It was sitting there in radgroupcheck setting the auth-type to local. ARGH. Ok, regroup. The new output is in the same place as before (http://public.growse.com/radiusd.log) - it sets the auth-type to EAP and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP. Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue? Thanks for everyone's help so far. Andrew
Dana 16/9/2007, "Andrew Rowson" <freeradius@growse.com> piše:
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
modcall[authorize]: module "sql" returns ok for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request]
Remove whatever is on line 155 of the "users" file; it is setting Auth-Type (almost always a bad idea) to "Local" so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation. I had the following on line 155, which when commented out, seems to make no difference.
DEFAULT Auth-Type = System Fall-Through = 1
Andrew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well, AP is not responding. Request is for wireless access and attributes in the reply are for shell access. It might not like that. Ivan Kalik Kalik Informatika ISP Dana 16/9/2007, "Andrew Rowson" <freeradius@growse.com> piše:
tnt@kalik.co.yu wrote:
Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck.
Ivan Kalik Kalik Informatika ISP
I feel really stupid now. It was sitting there in radgroupcheck setting the auth-type to local.
ARGH.
Ok, regroup. The new output is in the same place as before (http://public.growse.com/radiusd.log) - it sets the auth-type to EAP and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP.
Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue?
Thanks for everyone's help so far.
Andrew
Dana 16/9/2007, "Andrew Rowson" <freeradius@growse.com> piše:
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
modcall[authorize]: module "sql" returns ok for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request]
Remove whatever is on line 155 of the "users" file; it is setting Auth-Type (almost always a bad idea) to "Local" so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation. I had the following on line 155, which when commented out, seems to make no difference.
DEFAULT Auth-Type = System Fall-Through = 1
Andrew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sun, 2007-09-16 at 22:08 +0100, Andrew Rowson wrote:
tnt@kalik.co.yu wrote:
Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck.
Ivan Kalik Kalik Informatika ISP
I feel really stupid now. It was sitting there in radgroupcheck setting the auth-type to local.
ARGH.
Ok, regroup. The new output is in the same place as before (http://public.growse.com/radiusd.log) - it sets the auth-type to EAP
Sigh. Don't set the Auth-Type AT ALL. The only legitimate uses are: * setting it to Accept for PAP requests * setting it to Reject * setting it to the name of a specific instance where there are >1 of the same type of auth module with different configs (e.g. 2 different LDAPs or 2 different mschap) The "eap" module will itself detect the request is eap and (assuming the server is configured correctly, as it is by default) set the Auth-Type. By forcing it manually, you are guaranteeing that certain authentication configurations will fail.
and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP.
Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue?
I don't know why you're returning: Cisco-AVPair = "shell:priv-lvl=15" Service-Type = Administrative-User ...to an access point EAP session; neither make any sense, and I suppose could be mucking things up, but most likely the problem lies with the supplicant rather than the AP. It may not like the SSL server certificate, though from what I can see it's not getting that far. Is the supplicant configured to do EAP-TLS? It's apparent you've done a serious amount of fiddling with the default configs. I suggest doing a default/clean install, and starting from the most basic - a user in the "users" file: username Cleartext-Password := "foobar" Check if they can authenticate. Then setup the sql module, put the above AND ONLY THE ABOVE entries in the database, and test again. Making once change at a time will allow you to pin down the problem; at the moment, there are lots of things it *could* be.
Phil Mayers wrote:
Sigh.
Don't set the Auth-Type AT ALL. The only legitimate uses are:
* setting it to Accept for PAP requests * setting it to Reject * setting it to the name of a specific instance where there are >1 of the same type of auth module with different configs (e.g. 2 different LDAPs or 2 different mschap)
The "eap" module will itself detect the request is eap and (assuming the server is configured correctly, as it is by default) set the Auth-Type. By forcing it manually, you are guaranteeing that certain authentication configurations will fail.
I know all this now, I didn't before. I set this server up a while back to handle my cisco device logins, I can't remember why I'd put that in radgroupcheck. It's not removed.
and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP.
Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue?
I don't know why you're returning:
Cisco-AVPair = "shell:priv-lvl=15" Service-Type = Administrative-User
...to an access point EAP session; neither make any sense, and I suppose could be mucking things up, but most likely the problem lies with the supplicant rather than the AP. It may not like the SSL server certificate, though from what I can see it's not getting that far. Is the supplicant configured to do EAP-TLS?
I'm returning these because, as above, I want to use the same credentials as those that I use for logging into my cisco routers, and I want to pass those attributes when I log into a router. It's true they could be confusing things for the AP, but is there a way to not return them when the auth type is detected as EAP? Or do I have to use a completely different set of credentials?
It's apparent you've done a serious amount of fiddling with the default configs. I suggest doing a default/clean install, and starting from the most basic - a user in the "users" file:
username Cleartext-Password := "foobar"
Check if they can authenticate. Then setup the sql module, put the above AND ONLY THE ABOVE entries in the database, and test again. Making once change at a time will allow you to pin down the problem; at the moment, there are lots of things it *could* be.
I will do this.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry if this has been posted more than once, mailing list rejected message
twice.
Hello,
I have a simillar problem with EAP-MD5 authenticating against MySQL
DataBase.
Whatever i do, it won't accept password, which is stored in the MySQL db
using MD5('') function. However, if i send a password's hash as password it
accepts it, which indicates something is not hashing password before
comparing to the hash in the db.
I have done pretty much all mentioned in this mailing conversation, even
upgraded to Ubuntu Gutsy, which has 1.1.6 version on FreeRadius. I had
Feisty before, which has 1.1.3, haven't tried compiling though, to latest
1.1.7.
I do not understand, should the Windows XP's supplicant encrypt password
prior to sending, or does it send it in cleartext and the radius encrypts
before comparing? Windows doesn't have any extra option about this, so I'm
thinking should i change the supplicant software, perhaps w2secure, although
I'm setting up a LAN authentication for 250 users, and pretty much all use
windows and would like to avoid installing extra supplicant?
Any thoughts are appreciated.
Greetz,
primski
Andrew Rowson wrote:
>
>
>
> Phil Mayers wrote:
>> Sigh.
>>
>> Don't set the Auth-Type AT ALL. The only legitimate uses are:
>>
>> * setting it to Accept for PAP requests
>> * setting it to Reject
>> * setting it to the name of a specific instance where there are >1 of
>> the same type of auth module with different configs (e.g. 2 different
>> LDAPs or 2 different mschap)
>>
>> The "eap" module will itself detect the request is eap and (assuming the
>> server is configured correctly, as it is by default) set the Auth-Type.
>> By forcing it manually, you are guaranteeing that certain authentication
>> configurations will fail.
>
> I know all this now, I didn't before. I set this server up a while back
> to handle my cisco device logins, I can't remember why I'd put that in
> radgroupcheck. It's not removed.
>
>>> and seems to issue the attributes (my cisco priv ones are there) ok. My
>>> laptop still doesn't get an IP address, but this may now be an issue
>>> with the AP.
>>>
>>> Can I safely now say that freeradius is behaving correctly and the issue
>>> is now with the AP, or does the above output still point to a freeradius
>>> issue?
>>
>> I don't know why you're returning:
>>
>> Cisco-AVPair = "shell:priv-lvl=15"
>> Service-Type = Administrative-User
>>
>> ...to an access point EAP session; neither make any sense, and I
>> suppose could be mucking things up, but most likely the problem lies
>> with the supplicant rather than the AP. It may not like the SSL server
>> certificate, though from what I can see it's not getting that far. Is
>> the supplicant configured to do EAP-TLS?
>
> I'm returning these because, as above, I want to use the same
> credentials as those that I use for logging into my cisco routers, and I
> want to pass those attributes when I log into a router. It's true they
> could be confusing things for the AP, but is there a way to not return
> them when the auth type is detected as EAP? Or do I have to use a
> completely different set of credentials?
>
>> It's apparent you've done a serious amount of fiddling with the default
>> configs. I suggest doing a default/clean install, and starting from the
>> most basic - a user in the "users" file:
>>
>> username Cleartext-Password := "foobar"
>>
>> Check if they can authenticate. Then setup the sql module, put the above
>> AND ONLY THE ABOVE entries in the database, and test again. Making once
>> change at a time will allow you to pin down the problem; at the moment,
>> there are lots of things it *could* be.
>
> I will do this.
>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
--
View this message in context: http://www.nabble.com/Freeradius-doesn%27t-detect-EAP-when-authenticating-against-MySQL-tf4404187.html#a13350099
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
I do not understand, should the Windows XP's supplicant encrypt password prior to sending, or does it send it in cleartext and the radius encrypts
the windows supplicant? err, it doesnt send the password in any sane way. you need to either set up an MSCHAPv2 challenge response system or put a copy of the NT hash into the check item. alan
preem wrote:
I have a simillar problem with EAP-MD5 authenticating against MySQL DataBase.
Whatever i do, it won't accept password, which is stored in the MySQL db using MD5('') function. However, if i send a password's hash as password it accepts it, which indicates something is not hashing password before comparing to the hash in the db.
EAP-MD5 requires access to the clear-text password. MD5 hashed passwords are not appropriate. http://deployingradius.com/documents/protocols/compatibility.html
I do not understand, should the Windows XP's supplicant encrypt password prior to sending, or does it send it in cleartext and the radius encrypts before comparing?
There is no encryption of the password. It is hashed. The details aren't important. Read the above web page for compatibility issues. Alan DeKok.
Ah yes, that explains it, thanks Alan. So, what is a common practice to do this then? I understand its not very safe nor sane to store passwords in clear text, thats why I wanted to avoid that, however it seems inevitable. Let me explain a little better what I'm trying to do: I am managing a wired network for some 300 users, its a student dorm and the university owns the network and they require authentication for the ease of management and control. 802.1x felt like the right way to go, because we are planning some wireless access points as well. There are HP's Procurve 2650 switches in use. I choose mysql db backend, because I also created set of PHP scripts, where users can change their passwords and admin can add/del/modify user info. So what can one do to avoid storing passes in clear text or is it sane enough? The server also serves some web pages and dhcp requests. Thanks for information. Alan DeKok-4 wrote:
preem wrote:
I have a simillar problem with EAP-MD5 authenticating against MySQL DataBase.
Whatever i do, it won't accept password, which is stored in the MySQL db using MD5('') function. However, if i send a password's hash as password it accepts it, which indicates something is not hashing password before comparing to the hash in the db.
EAP-MD5 requires access to the clear-text password. MD5 hashed passwords are not appropriate.
http://deployingradius.com/documents/protocols/compatibility.html
I do not understand, should the Windows XP's supplicant encrypt password prior to sending, or does it send it in cleartext and the radius encrypts before comparing?
There is no encryption of the password. It is hashed. The details aren't important. Read the above web page for compatibility issues.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Freeradius-doesn%27t-detect-EAP-when-authenticating-ag... Sent from the FreeRadius - User mailing list archive at Nabble.com.
preem wrote:
So, what is a common practice to do this then?
It's not. People store MD5 or crypt'd passwords when the ONLY authentication they're doing is PAP. i.e. Unix logins, where the user supplies a clear-text password to the authentication system. For many EAP types, people do NOT store MD5 or crypt'd passwords, because they're useless.
I understand its not very safe nor sane to store passwords in clear text, thats why I wanted to avoid that, however it seems inevitable.
It is safe, sane, and common practice to store passwords in clear text.
I am managing a wired network for some 300 users, its a student dorm and the university owns the network and they require authentication for the ease of management and control. 802.1x felt like the right way to go, because we are planning some wireless access points as well. There are HP's Procurve 2650 switches in use. I choose mysql db backend, because I also created set of PHP scripts, where users can change their passwords and admin can add/del/modify user info. So what can one do to avoid storing passes in clear text or is it sane enough? The server also serves some web pages and dhcp requests.
Ensure that no one has physical access to the system storing the passwords. Ensure that no one has network access to the system storing the passwords. I would also suggest running the RADIUS server and/or the MySQL server with passwords on a separate machine from the web/dhcp server. That way, if someone breaks into the web server, they won't have access to the passwords. Alan DeKok.
On 10/23/07, Alan DeKok <aland@deployingradius.com> wrote:
preem wrote:
So, what is a common practice to do this then?
It's not.
People store MD5 or crypt'd passwords when the ONLY authentication they're doing is PAP. i.e. Unix logins, where the user supplies a clear-text password to the authentication system.
And PAP is not very safe and smart way to go as i read it. For many EAP types, people do NOT store MD5 or crypt'd passwords,
because they're useless.
So, crypted passwords are usefull only in web applications? I read a lot lately about, how one should never store passwords in clear text, i guess that applies only to web apps.
I understand its not very
safe nor sane to store passwords in clear text, thats why I wanted to avoid that, however it seems inevitable.
It is safe, sane, and common practice to store passwords in clear text.
I do not have many experience with this, in fact its my first project on the matter.
I am managing a wired network for some 300 users, its a student dorm and the
university owns the network and they require authentication for the ease of management and control. 802.1x felt like the right way to go, because we are planning some wireless access points as well. There are HP's Procurve 2650 switches in use. I choose mysql db backend, because I also created set of PHP scripts, where users can change their passwords and admin can add/del/modify user info. So what can one do to avoid storing passes in clear text or is it sane enough? The server also serves some web pages and dhcp requests.
Ensure that no one has physical access to the system storing the passwords. Ensure that no one has network access to the system storing the passwords.
That will be no problem, since I'm the only one with physical access. I would also suggest running the RADIUS server and/or the MySQL server
with passwords on a separate machine from the web/dhcp server. That way, if someone breaks into the web server, they won't have access to the passwords.
I am using VMWare server, so that won't require much work. Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks again, for clearing this up. primski
primoz wrote:
And PAP is not very safe and smart way to go as i read it.
PAP is fine for RADIUS.
So, crypted passwords are usefull only in web applications?
That's not at all what I said. I specifically mentioned Unix logins. Crypt'd passwords are useful only for PAP. There are many, many, kinds of systems using clear-text passwords (i.e. PAP) for authentication.
I read a lot lately about, how one should never store passwords in clear text, i guess that applies only to web apps.
No. It's written by people who either don't understand security, OR aren't using EAP methods. Again, if all you're doing is PAP, then crypt'd passwords are OK. If you need EAP, you also need clear-text passwords. Stop trying to apply comments from web application "how-to's" to RADIUS. They're not the same, and the security analysis is not the same.
It is safe, sane, and common practice to store passwords in clear text.
I do not have many experience with this, in fact its my first project on the matter.
Then why are you questioning the answers you get here? Alan DeKok.
Aah, i like the reverse psyhology approach here, but I'm just trying to gather information and knowledge from different sources. Sorry for my newbiness, will dive into the documentation and decide whether to use PAP or store passwords in clear text. EAP_TTLS would work, but windows XP client doesn't support it, and i would like to avoid installing extra supplicant. thanks for everybody's time... greetz, primski On 10/23/07, Alan DeKok <aland@deployingradius.com> wrote:
primoz wrote:
And PAP is not very safe and smart way to go as i read it.
PAP is fine for RADIUS.
So, crypted passwords are usefull only in web applications?
That's not at all what I said. I specifically mentioned Unix logins. Crypt'd passwords are useful only for PAP. There are many, many, kinds of systems using clear-text passwords (i.e. PAP) for authentication.
I read a lot lately about, how one should never store passwords in clear text, i guess that applies only to web apps.
No. It's written by people who either don't understand security, OR aren't using EAP methods. Again, if all you're doing is PAP, then crypt'd passwords are OK. If you need EAP, you also need clear-text passwords.
Stop trying to apply comments from web application "how-to's" to RADIUS. They're not the same, and the security analysis is not the same.
It is safe, sane, and common practice to store passwords in clear text.
I do not have many experience with this, in fact its my first project on the matter.
Then why are you questioning the answers you get here?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
primoz wrote:
Aah, i like the reverse psyhology approach here, but I'm just trying to gather information and knowledge from different sources.
Q: Hi, how does RADIUS work? A: here's how... Q: But web works differently... A: So? Q: Why are you so mean? A: <sigh>
Sorry for my newbiness, will dive into the documentation and decide whether to use PAP or store passwords in clear text.
Once you decide which authentication mechanism to use, the choice of storing passwords MUST be taken from the web page I showed you. i.e. you DO NOT have a choice as to how to store passwords. You MUST pick one of the available options. Picking any other option means that your selected authentication method WILL NOT WORK.
EAP_TTLS would work, but windows XP client doesn't support it, and i would like to avoid installing extra supplicant.
So... read the web page. Decide if it's OK for you to store passwords in one of the approved formats. If not, decide that it's OK for you to NOT use that authentication mechanism. It's not hard. It doesn't require reading massive documentation or how-to's. It involves reading what's possible, believing it, and making a choice from the possible alternatives. You can then move on, and devote time and effort to understanding complicated problems. Don't waste time trying to figure out EAP/password compatibility when there's a web page giving you ALL the answers. Alan DeKok.
Andrew Rowson wrote:
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log
The output is a LOT shorter than your tests with the previous version.
I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?
No, but something is forcing Auth-Type := Local. It's either in the SQL DB, or line 155 of the "users" file. Fix that. Alan DeKok.
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Andrew Rowson -
Phil Mayers -
preem -
primoz -
tnt@kalik.co.yu