Freeradius + OpenLDAP - user password problem
Hello, as you can see, i must be pretty desperate to register somewhere so i can ask for help. Anyway, the situation is: i recently set up a freeradius server with openldap for auth., everything seemed to work great (radtest returns access-accept ), until i tried to login via notebook and Linksys router (with dd-wrt firmware). Linksys is properly configured, i believe. On laptop i have chosen WPA 2 security using ms-chap, and when i try to connect, access-request packet doesn't contain attribute user-password! I am really stuck here, have no idea what to do so any help would be really apprechiated. If you need additional info i will be glad to asisst (e.g. post debug output or something). -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
OK, i guess, i should paste that anyway, so here it is, hope it helps: rad_recv: Access-Request packet from host 192.168.1.1:2051, id=0, length=121 User-Name = "root" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6016815" Calling-Station-Id = "00130237d9db" NAS-Identifier = "0016b6016815" NAS-Port = 53 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000901726f6f74 Message-Authenticator = 0x4ec4b4b08fe410e47f6c233f47b4dbb0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "root", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 users: Matched entry DEFAULT at line 1 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 3 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 3 modcall: group Auth-Type returns invalid for request 3 auth: Failed to validate the user. Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.1.1:2051 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 0 with timestamp 44c9f898 Nothing to do. Sleeping until we see a request. ############################################### -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
And here is the example of sucessful logon with radtest: radtest bbb badblueboy 192.168.1.129 1 testing123 rad_recv: Access-Request packet from host 192.168.1.129:35640, id=191, length=55 User-Name = "bbb" User-Password = "badblueboy" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "bbb", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 users: Matched entry DEFAULT at line 1 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns ok for request 5 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 5 rlm_ldap: - authenticate rlm_ldap: login attempt by "bbb" with password "badblueboy" radius_xlat: '(uid=bbb)' radius_xlat: 'ou=People,dc=BLah,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=BLah,dc=si, with filter (uid=bbb) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: user DN: uid=bbb,ou=People,dc=BLah,dc=si rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=bbb,ou=People,dc=kapion,dc=si/badblueboy to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user bbb authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 5 modcall: group Auth-Type returns ok for request 5 Sending Access-Accept of id 191 to 192.168.1.129:35640 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 191 with timestamp 44c9f995 Nothing to do. Sleeping until we see a request. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
freeradius-users-bounces+christian=poessinger.com@lists.freeradius.org wrote:
And here is the example of sucessful logon with radtest:
radtest bbb badblueboy 192.168.1.129 1 testing123
rad_recv: Access-Request packet from host 192.168.1.129:35640, id=191, length=55 User-Name = "bbb" User-Password = "badblueboy" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "bbb", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 users: Matched entry DEFAULT at line 1 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns ok for request 5 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 5 rlm_ldap: - authenticate rlm_ldap: login attempt by "bbb" with password "badblueboy" radius_xlat: '(uid=bbb)' radius_xlat: 'ou=People,dc=BLah,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=BLah,dc=si, with filter (uid=bbb) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: user DN: uid=bbb,ou=People,dc=BLah,dc=si rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=bbb,ou=People,dc=kapion,dc=si/badblueboy to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user bbb authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 5 modcall: group Auth-Type returns ok for request 5 Sending Access-Accept of id 191 to 192.168.1.129:35640 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 191 with timestamp 44c9f995 Nothing to do. Sleeping until we see a request.
You took a look at the ldap.attrmap file? Add those two lines: checkItem User-Password userPassword checkItem userPassword lmPassword -CP
Stuckzor <lutemberg@gmail.com> wrote:
Hello, as you can see, i must be pretty desperate to register somewhere so i can ask for help. Anyway, the situation is: i recently set up a freeradius server with openldap for auth., everything seemed to work great (radtest returns access-accept ), until i tried to login via notebook and Linksys router (with dd-wrt firmware).
The debug log you posted hows that you set "Auth-Type := LDAP". Don't do that. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
2006/7/28, Alan DeKok <aland@deployingradius.com>:
Stuckzor <lutemberg@gmail.com> wrote:
Hello, as you can see, i must be pretty desperate to register somewhere so i can ask for help. Anyway, the situation is: i recently set up a freeradius server with openldap for auth., everything seemed to work great (radtest returns access-accept ), until i tried to login via notebook and Linksys router (with dd-wrt firmware).
The debug log you posted hows that you set "Auth-Type := LDAP".
Don't do that.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Oh, thank you, and yes, i have set "Auth-Type := LDAP" in users.conf file. Will try to change it to something that works on Monday.
Ok, i'm back on this case. I didn't have time to work on it past few days.
The debug log you posted hows that you set "Auth-Type := LDAP".
Don't do that.
Alan DeKok.
I have that set in users file: ------------------------------------------------------ DEFAULT Auth-Type := LDAP Fall-Through = 1 ----------------------------------------------------- And i'm pretty sure, that is okay, if i comment it out i don't get access-accept even with radtest if i use ldap password, which makes sense. So, why do you think this is the cause of my problem and how could i fix it?
I said:
The debug log you posted hows that you set "Auth-Type := LDAP".
Don't do that.
To which you responded:
I have that set in users file: ------------------------------------------------------ DEFAULT Auth-Type := LDAP Fall-Through = 1 -----------------------------------------------------
And i'm pretty sure, that is okay
To which I respond again: No, it's not. Honestly, if you know better than the people here about what's OK and what's not, why are you asking questions on this list?
if i comment it out i don't get access-accept even with radtest if i use ldap password, which makes sense. So, why do you think this is the cause of my problem and how could i fix it?
You're not following instructions. Please search the list archives for the answer to your question. It's there. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Tillen, Although I'm no expert, I do have a working FreeRadius+LDAP set-up, so I can tell you what works for me. Tilen wrote:
I have that set in users file: ------------------------------------------------------ DEFAULT Auth-Type := LDAP Fall-Through = 1 -----------------------------------------------------
My users file says: DEFAULT Auth-Type := LDAP Fall-Through = Yes However, in my LDAP directory, it looks a little different: dn: uid=user1,ou=Users,ou=radius,dc=example,dc=com objectClass: top objectClass: inetOrgPerson objectClass: radiusprofile radiusAuthType: Local radiusServiceType: Framed-User uid: user1 cn: user1 sn: user1 radiusFramedIPAddress: y.y.y.y radiusAcctInterimInterval: 60 radiusTunnelServerEndpoint: x.x.x.x dialupAccess: true As you can see, AuthType is set to Local in LDAP. I don't know if this is the recommended way to do this, but it work for me :-) Regards, John
John McEleney <john+freeradius@netservers.co.uk> wrote:
As you can see, AuthType is set to Local in LDAP. I don't know if this is the recommended way to do this, but it work for me :-)
If all you do is PAP authentication. And if you have "ldap" listed in the "authorise" section, the module takes care of setting "Auth-Type = LDAP". i.e. you could delete that entry from the "users" file and nothing would change. Try it. The original post that started this was using EAP. LDAP doesn't do EAP, hence the problem. PLEASE don't tell people to set Auth-Type. It's not needed for your deployment, and it breaks most other peoples deployments. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Ok, let me try to get that straight - i can't use ldap in authorization section of radiusd.conf (or in users file) and connect to radius with WinXP client. But i can use something else instead and still connect to radius with ldap accounts, right? John wrote:
However, in my LDAP directory, it looks a little different: dn: uid=user1,ou=Users,ou=radius>>dc=example,dc=com objectClass: top objectClass: inetOrgPerson objectClass: radiusprofile radiusAuthType: Local radiusServiceType: Framed-User uid: user1 cn: user1 sn: user1 radiusFramedIPAddress: y.y.y.y radiusAcctInterimInterval: 60 radiusTunnelServerEndpoint: x.x.x.x dialupAccess: true
As you can see, AuthType is set to Local in LDAP. I don't know if this is the recommended way to do this, but it work for me :-)
Is that .ldif file for your ldap users? If it is, it has way more lines than mine and doesn't have password.
Tilen wrote:
Ok, let me try to get that straight - i can't use ldap in authorization section of radiusd.conf (or in users file) and connect to radius with WinXP client. But i can use something else instead and still connect to radius with ldap accounts, right?
Wrong. You're very confused about how this work. Your original mail states you want to do EAP-PEAP+MS-CHAP for wireless auth. Unless your LDAP directory contains the plaintext password or the NT hash, what you want to do is impossible. If it does contain the plaintext or NT hashes, correct configuration will make it work. Does it? Also, you've failed to register this several times, but I'll repeat it. DO NOT SET Auth-Type. At all. To anything. In common use, there's no need to set it, and in fact it can actively break things.
Phil Mayers wrote:
Wrong. You're very confused about how this work.
Your original mail states you want to do EAP-PEAP+MS-CHAP for wireless auth.
Unless your LDAP directory contains the plaintext password or the NT hash, what you want to do is impossible. If it does contain the plaintext or NT hashes, correct configuration will make it work. Does it?
Also, you've failed to register this several times, but I'll repeat it. DO NOT SET Auth-Type. At all. To anything. In common use, there's no need to set it, and in fact it can actively break things.
Thank you, your reply was very usefull, and yes, i am confused about how this things work and i am not ashamed to admit it, but it's getting clearer pretty rapidly :) Now i have one last question (or at least i hope so) - which choice is more viable, using EAP-PEAP+MS-CHAP for wireless auth. (but with clear text passwords this time), like i originaly planned to, or can you recommend using something else? I really don't care, as long as it works with most wireless hardware :) -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
Stuckzor wrote:
Thank you, your reply was very usefull, and yes, i am confused about how this things work and i am not ashamed to admit it, but it's getting clearer pretty rapidly :) Now i have one last question (or at least i hope so) - which choice is more viable, using EAP-PEAP+MS-CHAP for wireless auth. (but with clear text passwords this time), like i originaly planned to, or can you recommend using something else? I really don't care, as long as it works with most wireless hardware :)
Unless the wireless hardware is very broken (assuming you mean APs and so forth) it won't care. The main issue is software support. EAP-PEAP+MS-CHAP is generally considered to be the most widely supported. It works on WinXP, MacOS X and with Linux wpa_supplicant/NetworkManager, most PDAs and so forth. EAP-TLS is about as well supported, but has much higher administrative overhead since you have to generate and distribute certificates. All the other EAP mechanisms require special software on windows, which is obviously effort to distribute, install and configure. If you are willing to go to that effort, Secure_W2 offers EAP-TTLS+PAP which will work with any auth database. If you have the choice, I would recommend going with plaintext or NT-hashed passwords and EAP-PEAP+MS-CHAP
Okey i tried some things out and noticed, that what John pasted definitly isn't .ldif file. And if i set Auth-Type to LDAP in users file or if i uncomment it in authorize section of radiusd.conf --> isn't the same! If i set ldap in radiusd.conf i get "rlm_ldap: no dialupAccess attribute - access denied by default" with radtest. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
Hi Can someone help me to get the erx vsa attributtes into the mysql. As I can see they are processed correctly, but the sql statement is empty for this part. Regards Martin Ovenstone relevant VSAs ERX-Input-Gigapkts = 2 ERX-Output-Gigapkts = 1 ERX-Pppoe-Description = "pppoe 00:12:59:12:90:4e" ERX-Ingress-Policy-Name = "L2TP50" == conf.sql .... accounting_stop_query = "INSERT into ${acct_table2} (AcctStatusType, UserName, EventTimestamp, AcctDelayTime, NASIdentifier, AcctSessionId, NASIPAddress, Class, ServiceType, FramedProtocol, FramedCompression, CallingStationId, AcctTunnelConnection, AcctInputGigawords, AcctInputOctets, AcctOutputGigawords, AcctOutputOctets, AcctInputPackets, AcctOutputPackets, ConnectInfo, NASPortType, NASPort, NASPortId, AcctSessionTime, AcctTerminateCause, AcctAuthentic, TunnelType, TunnelPreference, TunnelMediumType, TunnelClientEndpoint, TunnelClientAuthId, TunnelServerEndpoint, TunnelServerAuthId, TunnelAssignmentId, AcctInputGigapackets, AcctOutputGigapackets, PppoeDescription, IngressPolicyName ) values( '%{Acct-Status-Type}', '%{User-Name}', '%{Event-Timestamp}', '%{Acct-Delay-Time}', '%{NAS-Identifier}', '%{Acct-Session-Id}', '%{NAS-IP-Address}', '%{Class}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-Compression}', '%{Calling-Station-Id}', '%{Acct-Tunnel-Connection}', '%{Acct-Input-Gigawords}', '%{Acct-Input-Octets}', '%{Acct-Output-Gigawords}', '%{Acct-Output-Octets}', '%{Acct-Input-Packets}', '%{Acct-Output-Packets}', '%{Connect-Info}', '%{NAS-Port-Type}', '%{NAS-Port}', '%{NAS-Port-Id}', '%{Acct-Session-Time}', '%{Acct-Terminate-Cause}', '%{Acct-Authentic}', '%{Tunnel-Type}', '%{Tunnel-Preference}', '%{Tunnel-Medium-Type}', '%{Tunnel-Client-Endpoint}', '%{Tunnel-Client-Auth-Id}', '%{Tunnel-Server-Endpoint}', '%{Tunnel-Server-Auth-Id}', '%{Tunnel-Assignment-Id}', '%{request:Acct-Input-Gigapackets}', '%{request:Acct-Output-Gigapackets}', '%{request:Pppoe-Description}', '%{request:Ingress-Policy-Name}')" ... === Output of radiusd -X ...... rad_recv: Accounting-Request packet from host 192.168.1.35:49273, id=141, length=453 Acct-Status-Type = Stop User-Name = "testuser@mydomain.net" Event-Timestamp = "Jun 28 2006 00:00:00 CEST" Acct-Delay-Time = 0 NAS-Identifier = "nasxyz" Acct-Session-Id = "erx atm 13/0.1123433234:11.3602:0030292668" NAS-IP-Address = 192.168.21.33 Class = 0x746573745f636c6173735f303031 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = None Calling-Station-Id = "#nasxyz#A130#11#3602" Acct-Tunnel-Connection = "0005681578" Acct-Input-Gigawords = 2 Acct-Input-Octets = 703351 Acct-Output-Gigawords = 1 Acct-Output-Octets = 7489000 Acct-Input-Packets = 177814 Acct-Output-Packets = 178321 Connect-Info = "speed:UBR:1536" NAS-Port-Type = xDSL NAS-Port = 3490385426 NAS-Port-Id = "atm 13/0.1123433234:11.3602" Acct-Session-Time = 72024 Acct-Terminate-Cause = NAS-Request Acct-Authentic = RADIUS Tunnel-Type:0 = L2TP Tunnel-Preference:0 = 1 Tunnel-Medium-Type:0 = IP Tunnel-Client-Endpoint:0 = "192.168.25.33" Tunnel-Client-Auth-Id:0 = "nasxyz" Tunnel-Server-Endpoint:0 = "192.168.254.106" Tunnel-Server-Auth-Id:0 = "lau01a03" Tunnel-Assignment-Id:0 = "mydomain.net_106" ERX-Input-Gigapkts = 2 ERX-Output-Gigapkts = 1 ERX-Pppoe-Description = "pppoe 00:13:49:42:90:4e" ERX-Ingress-Policy-Name = "L2TP50" Processing the preacct section of radiusd.conf modcall: entering group preacct for request 0 modcall[preacct]: module "preprocess" returns noop for request 0 rlm_acct_unique: Hashing 'NAS-Port = 3490385426,Client-IP-Address = 192.168.1.35,NAS-IP-Address = 192.168.21.33,Acct-Session-Id = "erx atm 13/0.1123433234:11.3602:0030292668",User-Name = "testuser@mydomain.net"' rlm_acct_unique: Acct-Unique-Session-ID = "8c41e765ee42c86a". modcall[preacct]: module "acct_unique" returns ok for request 0 rlm_realm: Looking up realm "mydomain.net" for User-Name = "testuser@mydomain.net" rlm_realm: No such realm "mydomain.net" modcall[preacct]: module "suffix" returns noop for request 0 modcall[preacct]: module "files" returns noop for request 0 modcall: leaving group preacct (returns ok) for request 0 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 0 radius_xlat: '/var/log/radius/radacct/192.168.1.35/detail-20060803' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.35/detail-20060803 modcall[accounting]: module "detail" returns ok for request 0 modcall[accounting]: module "unix" returns ok for request 0 radius_xlat: '/var/log/radius/radutmp' radius_xlat: 'testuser@mydomain.net' rlm_radutmp: Logout for NAS 192.168.21.33 port 3490385426, but no Login record modcall[accounting]: module "radutmp" returns ok for request 0 radius_xlat: 'testuser@mydomain.net' rlm_sql (sql): sql_set_user escaped user --> 'testuser@mydomain.net' radius_xlat: 'INSERT into radacct_2 (AcctStatusType, UserName, EventTimestamp, AcctDelayTime, NASIdentifier, AcctSessionId, NASIPAddress, Class, ServiceType, FramedProtocol, FramedCompression, CallingStationId, AcctTunnelConnection, AcctInputGigawords, AcctInputOctets, AcctOutputGigawords, AcctOutputOctets, AcctInputPackets, AcctOutputPackets, ConnectInfo, NASPortType, NASPort, NASPortId, AcctSessionTime, AcctTerminateCause, AcctAuthentic, TunnelType, TunnelPreference, TunnelMediumType, TunnelClientEndpoint, TunnelClientAuthId, TunnelServerEndpoint, TunnelServerAuthId, TunnelAssignmentId, AcctInputGigapackets, AcctOutputGigapackets, PppoeDescription, IngressPolicyName ) values( 'Stop', 'testuser@mydomain.net', 'Jun 28 2006 00:00:00 CEST', '0', 'nasxyz', 'erx atm 13/0.1123433234:11.3602:0030292668', '192.168.21.33', '0x746573745f636c6173735f303031', 'Framed-User', 'PPP', 'None', '=23nasxyz=23A130=2311=233602', '0005681578', '2', '703351', '1', '7489000', '177814', '178321', 'speed:UBR:1536', 'xDSL', '3490385426', 'atm 13/0.1123433234:11.3602', '72024', 'NAS-Request', 'RADIUS', 'L2TP', '1', 'IP', '192.168.25.33', 'nasxyz', '192.168.254.106', 'lau01a03', 'mydomain.net_106', '', '', '', '')' radius_xlat: '/var/log/radius/sqltrace.sql' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: INSERT into radacct_2 (AcctStatusType, UserName, EventTimestamp, AcctDelayTime, NASIdentifier, AcctSessionId, NASIPAddress, Class, ServiceType, FramedProtocol, FramedCompression, CallingStationId, AcctTunnelConnection, AcctInputGigawords, AcctInputOctets, AcctOutputGigawords, AcctOutputOctets, AcctInputPackets, AcctOutputPackets, ConnectInfo, NASPortType, NASPort, NASPortId, AcctSessionTime, AcctTerminateCause, AcctAuthentic, TunnelType, TunnelPreference, TunnelMediumType, TunnelClientEndpoint, TunnelClientAuthId, TunnelServerEndpoint, TunnelServerAuthId, TunnelAssignmentId, AcctInputGigapackets, AcctOutputGigapackets, PppoeDescription, IngressPolicyName ) values( 'Stop', 'testuser@mydomain.net', 'Jun 28 2006 00:00:00 CEST', '0', 'nasxyz', 'erx atm 13/0.1123433234:11.3602:0030292668', '192.168.21.33', '0x746573745f636c6173735f303031', 'Framed-User', 'PPP', 'None', '=23nasxyz=23A130=2311=233602', '0005681578', '2', '703351', '1', '7489000', '177814', '178321', 'speed:UBR:1536', 'xDSL', '3490385426', 'atm 13/0.1123433234:11.3602', '72024', 'NAS-Request', 'RADIUS', 'L2TP', '1', 'IP', '192.168.25.33', 'nasxyz', '192.168.254.106', 'lau01a03', 'mydomain.net_106', '', '', '', '') rlm_sql (sql): Released sql socket id: 0 modcall[accounting]: module "sql" returns ok for request 0 modcall: leaving group accounting (returns ok) for request 0 Sending Accounting-Response of id 141 to 192.168.1.35 port 49273
Martin Ovenstone <ovenstone@bluewin.ch> wrote:
Can someone help me to get the erx vsa attributtes into the mysql. As I can see they are processed correctly, but the sql statement is empty for this part.
The SQL statement you posted doesn't reference ERX anywhere in it. Therefore, they won't go into the DB.
ERX-Pppoe-Description = "pppoe 00:12:59:12:90:4e" ERX-Ingress-Policy-Name = "L2TP50"
...
'%{request:Acct-Output-Gigapackets}', '%{request:Pppoe-Description}', '%{request:Ingress-Policy-Name}')"
You don't need the "request:" there. And you *do* want to use the same names here as shown in debug mode, for the packet contents. i.e. There is no "Ingress-Policy-Name" in the request. There IS "ERX-Ingress-Policy-Name", but you're not referring to it. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Alan Thanks very much, it is working fine now. Martin
Martin Ovenstone <ovenstone@bluewin.ch> wrote:
Can someone help me to get the erx vsa attributtes into the mysql. As I can see they are processed correctly, but the sql statement is empty for this part.
The SQL statement you posted doesn't reference ERX anywhere in it. Therefore, they won't go into the DB.
ERX-Pppoe-Description = "pppoe 00:12:59:12:90:4e" ERX-Ingress-Policy-Name = "L2TP50"
...
'%{request:Acct-Output-Gigapackets}', '%{request:Pppoe-Description}', '%{request:Ingress-Policy-Name}')"
You don't need the "request:" there. And you *do* want to use the same names here as shown in debug mode, for the packet contents.
i.e. There is no "Ingress-Policy-Name" in the request. There IS "ERX-Ingress-Policy-Name", but you're not referring to it.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you again, you were very helpful, but still i have issues. That's bugging me: Only under these circumstances: 1.)I have ldap in authenticate section 2.)AUTH-TYPE set ot LDAP in users fileand 3.)MUST NOT have ldap under authorize section of radiusd.conf. Only with this config i get access-accept with radtest (i tried all possible combinations of those 3). I get this message otherwise: "rlm_ldap: no dialupAccess attribute - access denied by default" And with my "working" config i get already mentioned userPassword attribute error. So, i'm afraid i don't even get so far, to have problems with password encription. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
On 8/3/06, Stuckzor <lutemberg@gmail.com> wrote:
1.)I have ldap in authenticate section 2.)AUTH-TYPE set ot LDAP in users fileand 3.)MUST NOT have ldap under authorize section of radiusd.conf.
Only with this config i get access-accept with radtest (i tried all possible combinations of those 3). I get this message otherwise:
"rlm_ldap: no dialupAccess attribute - access denied by default"
And with my "working" config i get already mentioned userPassword attribute error. So, i'm afraid i don't even get so far, to have problems with password encription.
Hi, OK, I'll give it a try. 1. Going far back in this thread, you said something about using EAP-PEAP/MSCHAP. Therefore you are _required_ to have the cleartext password in LDAP or in the alternative an equivalent hash (nt/lm) if you want to use that. If so, configure your ldap instance in radius.conf accordingly AND include it in authorize{}. This was pointed out often enough one might think (and from people who really know, because they wrote the software you are trying to use). Then there will be no need for explicit setting of Auth-Type. It has been said. 2. Even if you tried something else (EAP-TTLS for example) you were already told how to proceed and how that relates to the need for cleartext passwords. Even then there is no need for setting Auth-Type manually. 3. If you insist on setting Auth-Type nevertheless, you will break other things you obviously don't know about. There is plenty of (perhaps even a bit too overwhelming) documentation on freeradius.org, in the tarball, in the example configuration, this very list, etctetc. Believe its contents. If you think their is a fault and you are wiser show that precisely (NOT by reasoning in generalities stemming from false assumptions on your side). 4. Whatever you test with radtest does not relate to EAP-PEAP/MSCHAP. Please restart your efforts with unchanged default configuration files. Alter them step-by-step according to the information you were already given. And, sorry, don't whip a dead horse, again, by setting Auth-Type. regards K. Hoercher
Thanks to you too. I noticed some people feel offended by my attitude, so let me apologize - i don't mean to be a smartass, and i definetly don't have any doubts in your knowledge, but i'm a young computer engineer (first months of work) and when things get hard for me i can get a little pushy while trying to solve them. Now i configured radius to use EAP-PEAP and i tought i have only 1 step left to take - make OpenLDAP use NT hash passwords (already know how to do that), but damn, that "no dialup access attribute" error strikes again with radtest:( If even radtest doesn't get through (though it doesn't use eap) there is no chance a real client would, eh? And i ask again - is it normal, that i don't get access-accept with radtest without setting auth-type to ldap and can i simply ignore that(i get that dialup access attribute error), or should i get access-accept with radtest without setting auth-type to ldap? That's what i wanted to know in one of my previous posts. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
Stuckzor <lutemberg@gmail.com> wrote:
Now i configured radius to use EAP-PEAP and i tought i have only 1 step left to take - make OpenLDAP use NT hash passwords (already know how to do that), but damn, that "no dialup access attribute" error strikes again with radtest:(
From the "ldap" section of radiusd.conf: access_attr = "dialupAccess" Comment that out, and it won't check for dial-up access permissions. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Still doesn't work. I tried yesterday on new machine, i set up everything and configure eap.conf to use peap. I set up server certificates and CA. When i try to login from XP client via Linksys wireless router i get "error reading client certificate" messege from freeRadius. Since i don't need client certificate for peap, i'm pretty confused (again :D). -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014... Sent from the FreeRadius - User forum at Nabble.com.
On 8/22/06, Stuckzor <lutemberg@gmail.com> wrote:
try to login from XP client via Linksys wireless router i get "error reading client certificate" messege from freeRadius. Since i don't need client
Hi, thats probably the linked in openssl complaining about not being able to read the client certificate (which is unneeded as you already noted). If so, it' s not an "error" with respect to freeradius eap etc. As you didn't provide meaningful output one cannot be sure of course... regards K. Hoercher
On 8/22/06, Stuckzor <lutemberg@gmail.com> wrote:
try to login from XP client via Linksys wireless router i get "error reading client certificate" messege from freeRadius. Since i don't need client
Hi, thats probably the linked in openssl complaining about not being able to read the client certificate (which is possible but unneeded as you already noted). If so, it' s not an "error" with respect to freeradius eap etc. As you didn't provide meaningful output one cannot be sure of course... regards K. Hoercher
Stuckzor <lutemberg@gmail.com> wrote:
Still doesn't work. I tried yesterday on new machine, i set up everything and configure eap.conf to use peap. I set up server certificates and CA. When i try to login from XP client via Linksys wireless router i get "error reading client certificate" messege from freeRadius. Since i don't need client certificate for peap, i'm pretty confused (again :D).
While that message is annoying, it's not important. What response did the server send? Access-Accept? Access-Reject? Read the WHOLE debug log to see what's going on. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I get Access-Reject, whole debug log is here: rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=236 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 State = 0xfbfc085c4b8a5b1973ea7d92703b0061 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201006a198000000060160301005b01000057030144ec0618e33d04cad22340edcd83b5b8a5aa6be4a035146cfe433178e4e054a100003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 Message-Authenticator = 0x11f7f2a8e75c95f1e0e284a7dfd86163 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 1 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 031d], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 0 to 192.168.1.1:3072 EAP-Message = 0x010203801900160301004a02000046030144ec0617ad338f7b43db504027f5cb34fe48656cf6713337665d0e235bc61dde201783bdc208cdc4349989ca629b9d754dd1a4f17e1855d2fba8c00b4b7dbe5537003500160301031d0b0003190003160003133082030f30820278a003020102020102300d06092a864886f70d01010405003056310b30090603550406130253493110300e06035504081307506f6d75726a65310f300d060355040713064d7572736b6131163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a060355040313036b6579301e170d3036303832313134303731395a170d3037303832313134303731395a305e EAP-Message = 0x310b30090603550406130253493110300e06035504081307506f6d75726a653117301506035504070c0e4d757264736b7f7f1b5b441b5b4431163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a06035504031303626c6130819f300d06092a864886f70d010101050003818d0030818902818100b2f4bc83918aa62084cd46a33410a0d63ee1f94f9a58f365bd098cb5dc2241cc453055c26284969ea573f5a43aaaec74da7c00d56651fc15cdcddd68d208a01396d98cd70a81b57ec0814e8089045187c625b2a78a7e9c70c77e4968935a1aa733933959fc003b02738dbcca20ef62d0899c42fba7ba5b2988efca5bb7f989030203 EAP-Message = 0x010001a381e43081e130090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414b527b4b72fb126f870699a8fa890b0fc3240f1d53081860603551d23047f307d8014e77015f7708c5f78601009f9db74ff8001a0515aa15aa4583056310b30090603550406130253493110300e06035504081307506f6d75726a65310f300d060355040713064d7572736b6131163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a060355040313036b6579820900d29d80bb0e169c12300d06092a864886f70d010104050003818100 EAP-Message = 0x3a6b3a362928faf1324f11e2202b1b32cb9d12d8e91726c8124c4e9e1a2c43ad421889195c0259f4bdb0aa05f07eb4ac1c1ac549a72d3a80a4939e9f2dcc9c7f0952da152dea01582401cab1daa39ab88f8a7d798a00342d11d73e6ec25852c6f95ef91244f31e385ad9806f6de6eae7577a9da564622aaa69bb75c1ff941e3316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78d2170e45bcb6eac38f66525f681d9e Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 State = 0x78d2170e45bcb6eac38f66525f681d9e Message-Authenticator = 0x90ba3baf012b7509c5c4c985a5452b26 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 2 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A 3239:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 3239:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: group authenticate returns reject for request 5 auth: Failed to validate the user.
<sigh> On 8/23/06, Tilen <lutemberg@gmail.com> wrote:
I get Access-Reject, whole debug log is here:
That is obviously a false statement. While eventually not decisive, the output from startup is missing. Some Requests prior to #4 are missing, which might already be more interesting. Finally you seem to have edited the output in an ill-advised manner here: [...]
rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147 User-Name = "test"
NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 State = 0x78d2170e45bcb6eac38f66525f681d9e Message-Authenticator = 0x90ba3baf012b7509c5c4c985a5452b26
Message-Authenticator is misaligned and EAP-Message is missing, which is definetly prohibiting the checking against the behaviour further down (which does indeed look peculiar, and is not the standard openssl error one would have guest from your previous truncations).
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A 3239:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 3239:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13
_Again_ please see to provide details as has been requested numerous times. Some sniffing on the radius server might be helpful here too. I'll refrain from looking into that as long as I have to play some sort of detective to even get to know what is going on on your installation. regards K. Hoercher
Requests prior to #4 are missing becouse i tried to connect multiple times, and i didn't want to paste same thing twice. Then everything got corrupted, becouse i had to paste it by pieces in the gmail and it really got messed up. So here is the example of full (pasted with care :p) radius log: [root@localhost ~]# radiusd -X
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/CERTS/newreq.pem" tls: certificate_file = "/etc/raddb/CERTS/newcert.pem" tls: CA_file = "/etc/raddb/CERTS/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "ou=People,dc=kapion,dc=si" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x93aaa60 Module: Instantiated ldap (ldap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000090174657374 Message-Authenticator = 0x7bd298f2cd1e4f1a515edb3e4bf2d170 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 192.168.1.1:3072 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdeb1fb6f76fc0f4dcbfaeb651058ed50 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=236 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 State = 0xdeb1fb6f76fc0f4dcbfaeb651058ed50 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201006a198000000060160301005b01000057030144f428898159c87ecfda11e74e4d12a0a37049a2cb602d3567de15b871df27b100003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 Message-Authenticator = 0x218d574c42fcb788728fb04361b25353 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 031d], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 0 to 192.168.1.1:3072 EAP-Message = 0x010203801900160301004a02000046030144f42886c94dbaa3c4852b1cfbacebe6d7c777c2a3cbebbad245e1e9e73859c2203966eeff74f4a191e3147316d5a03a7e20d688979457c02dc2fd8adac12a659f003500160301031d0b0003190003160003133082030f30820278a003020102020102300d06092a864886f70d01010405003056310b30090603550406130253493110300e06035504081307506f6d75726a65310f300d060355040713064d7572736b6131163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a060355040313036b6579301e170d3036303832313134303731395a170d3037303832313134303731395a305e EAP-Message = 0x310b30090603550406130253493110300e06035504081307506f6d75726a653117301506035504070c0e4d757264736b7f7f1b5b441b5b4431163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a06035504031303626c6130819f300d06092a864886f70d010101050003818d0030818902818100b2f4bc83918aa62084cd46a33410a0d63ee1f94f9a58f365bd098cb5dc2241cc453055c26284969ea573f5a43aaaec74da7c00d56651fc15cdcddd68d208a01396d98cd70a81b57ec0814e8089045187c625b2a78a7e9c70c77e4968935a1aa733933959fc003b02738dbcca20ef62d0899c42fba7ba5b2988efca5bb7f989030203 EAP-Message = 0x010001a381e43081e130090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414b527b4b72fb126f870699a8fa890b0fc3240f1d53081860603551d23047f307d8014e77015f7708c5f78601009f9db74ff8001a0515aa15aa4583056310b30090603550406130253493110300e06035504081307506f6d75726a65310f300d060355040713064d7572736b6131163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a060355040313036b6579820900d29d80bb0e169c12300d06092a864886f70d010104050003818100 EAP-Message = 0x3a6b3a362928faf1324f11e2202b1b32cb9d12d8e91726c8124c4e9e1a2c43ad421889195c0259f4bdb0aa05f07eb4ac1c1ac549a72d3a80a4939e9f2dcc9c7f0952da152dea01582401cab1daa39ab88f8a7d798a00342d11d73e6ec25852c6f95ef91244f31e385ad9806f6de6eae7577a9da564622aaa69bb75c1ff941e3316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123b5c7e213692f7121dbe4052274024 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 State = 0x123b5c7e213692f7121dbe4052274024 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202001119800000000715030100020230 Message-Authenticator = 0xd65ea4a0e55f28c1e76a6b51f9ec9467 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A 3447:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 3447:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 2 modcall: group authenticate returns reject for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.1.1:3072 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 2 ID 0 with timestamp 44f42886 Nothing to do. Sleeping until we see a request.
On 8/29/06, Tilen <lutemberg@gmail.com> wrote: So here comes something really weird:
Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 State = 0x123b5c7e213692f7121dbe4052274024
NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202001119800000000715030100020230 Message-Authenticator = 0xd65ea4a0e55f28c1e76a6b51f9ec9467
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2
That's a tls1.0 Alert message the part "....1503...". Therefore the openssl lib bails out of further processing as specified in RFC2246. Thats (arguably somewhat hard to understand) also mentioned int the output: 3447:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 3447:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: So your client wasn't able to fiind a correct CA certificate for the cert freeradius had sent before. Please see to provide those. If in doubt, check with dummy ones to be created by CA.all script. regards K. Hoercher
Ok i really don't get it. I made all certificates myself using only openssl (no scripts) and entered path to them in TLS part of the eap.conf file. CA, server cert.., everything is there in the same directory (in my case - CERTS, with big letters) (how would i sign certificate if i wouldn't create CA first?). And i don't have CA.all file at all :\ Files i'm using: cacert.pem <-- this is my CA cakey.pem newcert.pem <-- and this is my server cert newcert.req
On 8/30/06, Tilen <lutemberg@gmail.com> wrote:
Ok i really don't get it. I made all certificates myself using only openssl (no scripts) and entered path to them in TLS part of the eap.conf file. CA, server cert.., everything is there in the same directory (in my case - CERTS, with big letters) (how would i sign certificate if i wouldn't create CA first?). And i don't have CA.all file at all :\ Files i'm using:
cacert.pem <-- this is my CA cakey.pem newcert.pem <-- and this is my server cert newcert.req
Your supplicant is sending an TLS Alert Message, because _it_ cannot find a CA certificate. What you are talking about is the freeradius side of things which looks alright at first glance. And if you don't get it to work, please first check with demo certficates to be generated by the CA.all script. hth K. Hoercher
Yes yes, i understand, this works now :) I copied CA public key to wireless client and now it works. Now i only get this error: rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: group Auth-Type returns reject for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: group authenticate returns reject for request 5 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE
Hm, now i have to make LDAP passwords in NT hash and it will work (still gotta figure out how)? Or should i make changes in ldap.attrmap file too?
Ok sorry for spamming :) But here is update (again): I noticed i had " password_attribute = userPassword" commented out in ldap module configuration. After i uncommented that, i get new output: ... modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 5 rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: group Auth-Type returns reject for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: group authenticate returns reject for request 5 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 ...
So, what i want to achieve is, to authorize against OpenLDAP the easiest way. I don't care if i use cleartext passwords or NT hashes. What would be the fastest way to make things work? I'm running out of time for this >.<
Set up the ldap module right for your server and map your NAS attributes to the LDAP attributes ! Shouldn't be hard to set up ! Regards, Edvin Seferovic _____ From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.or g] On Behalf Of Tilen Sent: Mittwoch, 30. August 2006 16:58 To: FreeRadius users mailing list Subject: Re: Freeradius + OpenLDAP - user password problem So, what i want to achieve is, to authorize against OpenLDAP the easiest way. I don't care if i use cleartext passwords or NT hashes. What would be the fastest way to make things work? I'm running out of time for this >.<
Tilen <lutemberg@gmail.com> wrote:
rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check items ... rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
http://deployingradius.com/documents/protocols/compatibility.html It is impossible to do MS-CHAP if the passwords are stored in crypt'd format. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
It is impossible to do MS-CHAP if the passwords are stored in crypt'd format.
Yes i know that, i heard it 100 times already... that's why i'm asking how to store them in cleartext/NT hash (i still posted radius output though, just in case). I think i tried once by simply typing PW in cleartext in ldap users file before importing user to database but it didn't work. Will try again tommorow.
Edvin Seferovic wrote:
Set up the ldap module right for your server and map your NAS attributes
to the LDAP attributes ! Shouldn't be hard to set up !
Yes, module is already set up correctly for my server, will try to set up attributes now. Hope it really isn't too hard :) Thanks for help.
Tilen <lutemberg@gmail.com> wrote:
Yes i know that, i heard it 100 times already... that's why i'm asking how to store them in cleartext/NT hash
You update the LDAP database to contain the clear-text password. How that's done is up to the LDAP server. See it's documentation. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Wohoo it works now :D Clear text password in LDAP worked like a charm now (dunno why i had problems with it in the past) :P Thank you all guys 10x!!!
Hello, it's me again, did you miss me? :) Thing is, i tried to make 2nd freeradius server (eap-peap,mschapv2,openldap), with same setup and i configured it exact same way, but i get this when i try to connect: rad_recv: Access-Request packet from host 192.168.1.1:3079, id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000090174657374 Message-Authenticator = 0x39a9a7986f599b0dc47291d0bbcce631 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: Added password tset1 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 192.168.1.1:3079 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ef689c7fbaeabf2695de1a430324a73 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3079, id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000090174657374 Message-Authenticator = 0x2ec95d116f20e8634b835c646acc514c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: Added password tset1 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 0 to 192.168.1.1:3079 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7272c2a0a6297ac9ea330896b6ff418f Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3079, id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100090174657374 Message-Authenticator = 0xfa9d4d904e4f8b7c563584026add7ad6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: Added password tset1 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 0 to 192.168.1.1:3079 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x40e3042c6743b4d8e9fa35eac7cee031 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3079, id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "004010100003" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "004010100003" NAS-Port = 30 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000090174657374 Message-Authenticator = 0x38cc006f8656690e7883ebcf7ccf2898 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: Added password tset1 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 0 to 192.168.1.1:3079 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x911b01ec3a06bad2ce7802185fb893c8 Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 0 with timestamp 4513dd96 Nothing to do. Sleeping until we see a request. And i really can't find, what seems to be the problem :(
Hi, On 9/22/06, Tilen <lutemberg@gmail.com> wrote:
Hello, it's me again, did you miss me? :) Thing is, i tried to make 2nd freeradius server (eap-peap,mschapv2,openldap), with same setup and i configured it exact same way, but i get this when i try to connect:
Welcome back to our regular program *g*, Well, while your supplicant keeps sending EAP Type Identity requests, radius keeps answering them with EAP (Type PEAP) START messages. Why they don't get answered properly (TLS Client Helo inside EAP) by your supplicant is not really a freeradius problem. You might check (again) the usual suspects: oid's in certs on supplicant, reception of Access-Request there, time, MS foo (they sound familiar somehow *g*) regards K. Hoercher
Yeah, i think radius doesn't even boot if there is something wrong with certs. I checked firewalls, routing tables, etc. and no problem there.
Oh my god, now i opened up brand new Linksys router, installed dd-wrt on it and plugged it into my first freeradius server, that worked already. And now it doesn't get past the Access-Challenge! Please help me, what could be wrong? I used tcpdump to make sure, AP is sending nothing but access-request and radius sends back only access-challenge packets! It all worked before on the SAME setup! Nothing changed. :S If anyone has ANY idea please don't hasitate to post it.
Tilen <lutemberg@gmail.com> wrote:
rlm_mschap: No User-Password configured. Cannot create LM-Password. ... Hm, now i have to make LDAP passwords in NT hash and it will work (still gotta figure out how)? Or should i make changes in ldap.attrmap file too?
No. If you have the clear-text password in the ldap "userPassword" attribute, it should just work. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Ok, nevermind, i get it now. Client needs CA public key to verify the certificate authority, becouse i created it and is not in public registry. So, if i copy cacert.pem to client machine i should get rid of this error, right? WIll try i tnow, really hope it works :D
participants (9)
-
Alan DeKok -
Christian Poessinger -
John McEleney -
K. Hoercher -
Martin Ovenstone -
Phil Mayers -
Seferovic Edvin -
Stuckzor -
Tilen