We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID. We've had a number of hiccoughs along the way, and solved most of them - mainly thanks to the archives of this list. We are now getting the following error: "rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication." We are running : radiusd: FreeRADIUS Version 1.1.3, for host i386-redhat-linux-gnu, built on Dec 4 2009 at 13:48:28 Which we are kind of stuck on if we want to maintain consistency with RHN. The full conversation log is long (882 lines), and with the config files this is getting long enough, but I'll post it if it will help (and apologise to the digest readers). Some pertinent bits from it, though (these all refer to a conversation that starts with request 0): Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/gtc rlm_eap: processing type gtc rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication. rlm_eap: Handler failed in EAP/gtc rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: leaving group authenticate (returns invalid) for request 8 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x977b0b0 3 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 Here is our radiusd.conf: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = clear } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { } ldap { server = "stingaree.bbs.bunnings.com.au" port = 3061 identity = "cn=bglpdtven,cn=users,dc=bbs,dc=bunnings,dc=com,dc=au" password = XXXXXXXXXXX basedn = "dc=bbs,dc=bunnings,dc=com,dc=au" filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = "OrclPassword" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUn iqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess suffix eap files ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { } And our eap.conf: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = Local } tls { private_key_password = XXXXXXXXXXXXXX private_key_file = /etc/raddb/certs/bunnings-key.pem certificate_file = /etc/raddb/certs/bunnings-cert.pem CA_path = /etc/raddb/certs/CA CA_file = /etc/raddb/certs/CA/bunnings-ca.crt dh_file = /etc/raddb/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes cipher_list = "DEFAULT" } peap { default_eap_type = mschapv2 } mschapv2 { } } And our users file: DEFAULT Auth-Type = LDAP Fall-Through = Yes DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP Unix Systems Administrator Bunnings Group Limited 126 Pilbara Street, Welshpool WA 6106 Locked Bag 20, Welshpool WA 6986 Phone : (08) 9365-1507 Fax : (08) 9358-6054 E-mail : rmasters@bunnings.com.au Website : www.bunnings.com.au ************************************************************************ Bunnings Legal Disclaimer: 1) This email is confidential and may contain legally privileged information. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this email in error, please notify us immediately by return email and delete the document. 2) All emails sent to and sent from Bunnings Group Limited. are scanned for content. Any material deemed to contain inappropriate subject matter will be reported to the email administrator of all parties concerned. ************************************************************************
Hi, Robert Masters <RMasters@bunnings.com.au> wrote:
We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID.
We've had a number of hiccoughs along the way, and solved most of them - mainly thanks to the archives of this list.
We are now getting the following error: "rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication."
"Bad UNIX sysadmin *BAD*" My git log tells me you are running a version of FreeRADIUS from *before* Aug 15 2006. Maybe I am the first to tell you, but it is 2010, and nearly 2011 :) That error message was fixed (as was the codebase) so that Cleartext-Password is used instead (as User-Password comes from the RADIUS packet).
instantiate { exec expr } authorize { preprocess
suffix eap files <---- comment out ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap }
[snipped]
The problem is that you need to populate Cleartext-Password with whatever is expected from the user *before* you end up calling the GTC module. This is true if you want the gtc module to do the checking for you (as you have set the auth_type to 'Local'). This results in the gtc module doing the "Cleartext-Password == User-Password" check for you. What I use, other than just a version of FreeRADIUS from this decade, is something like the following: ---- eap { ... # do *not* pass to a inner virtual server for GTC (unless you # want to do secondary authentications, two-factor?) ttls { #virtual_server = "inner-tunnel" } peap { #virtual_server = "inner-tunnel" } gtc { challenge = "%{reply:Reply-Message}" # as User-Password != Cleartext-Password for rfc2289 auth_type = rfc2289 } ... } authorize { ... # gets some useful information from LDAP that lets the rfc2289 # perl module do it's thing ldap # generates Reply-Message depending on what LDAP found gtc-trial.perl gtc-trial.eap } authenticate { Auth-Type gtc-trial.eap { gtc-trial.eap } Auth-Type rfc2289 { # does the User-Password check as rfc2289 can have # several formats, and is not case sensitive, etc gtc-trial.perl } } ----
And our users file: DEFAULT Auth-Type = LDAP Fall-Through = Yes DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
This is wrong and unnecessary, you should never sent the Auth-Type (except to Reject or Accept); especially to 'LDAP'. Comment out 'files' in authorize, when 'ldap' is called it will go hunting for accounts, and if it sees it can get enough information to authenticate the user, then it will; although this is not actually what you want here. Cheers -- Alexander Clouter .sigmonster says: I am a deeply superficial person. -Andy Warhol
On 11/24/2010 03:51 AM, Alexander Clouter wrote:
Hi,
Robert Masters<RMasters@bunnings.com.au> wrote:
We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID.
We've had a number of hiccoughs along the way, and solved most of them - mainly thanks to the archives of this list.
We are now getting the following error: "rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication."
"Bad UNIX sysadmin *BAD*"
My git log tells me you are running a version of FreeRADIUS from *before* Aug 15 2006. Maybe I am the first to tell you, but it is 2010, and nearly 2011 :)
The 2.x version of FreeRADIUS on RHEL 5 is available under the package name freeradius2. This is documented in the RHEL release notes and the Red Hat FreeRADIUS FAQ http://wiki.freeradius.org/Red_Hat_FAQ -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
I would just like to take this opportunity to thank RedHat for their wonderfully consistent naming of packages. I just did not *think*, being so used to RedHat version numbers being way out of sync with reality, thanks to their backport policy. (Departs to *fix* things - with prejudice.) Thanks for pointing out my stupidity to me. -----Original Message----- From: freeradius-users-bounces+rmasters=bunnings.com.au@lists.freeradius.org [mailto:freeradius-users-bounces+rmasters=bunnings.com.au@lists.freeradi us.org] On Behalf Of John Dennis Sent: Wednesday, 24 November 2010 8:38 PM To: FreeRadius users mailing list Cc: Alexander Clouter Subject: Re: eap-gtc error in authentication On 11/24/2010 03:51 AM, Alexander Clouter wrote:
Hi,
Robert Masters<RMasters@bunnings.com.au> wrote:
We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID.
We've had a number of hiccoughs along the way, and solved most of
them -
mainly thanks to the archives of this list.
We are now getting the following error: "rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication."
"Bad UNIX sysadmin *BAD*"
My git log tells me you are running a version of FreeRADIUS from *before* Aug 15 2006. Maybe I am the first to tell you, but it is 2010, and nearly 2011 :)
The 2.x version of FreeRADIUS on RHEL 5 is available under the package name freeradius2. This is documented in the RHEL release notes and the Red Hat FreeRADIUS FAQ http://wiki.freeradius.org/Red_Hat_FAQ -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ************************************************************************ Bunnings Legal Disclaimer: 1) This email is confidential and may contain legally privileged information. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this email in error, please notify us immediately by return email and delete the document. 2) All emails sent to and sent from Bunnings Group Limited. are scanned for content. Any material deemed to contain inappropriate subject matter will be reported to the email administrator of all parties concerned. ************************************************************************
On Wed, Nov 24, 2010 at 3:51 PM, Alexander Clouter <alex@digriz.org.uk> wrote:
Robert Masters <RMasters@bunnings.com.au> wrote:
We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID.
What I use, other than just a version of FreeRADIUS from this decade, is something like the following: ---- eap { ...
# do *not* pass to a inner virtual server for GTC (unless you # want to do secondary authentications, two-factor?)
If Robert is using Oracle OID like we've been using Lotus Domino's LDAP, then you'd want to pass it to inner tunnel.
This is wrong and unnecessary, you should never sent the Auth-Type (except to Reject or Accept); especially to 'LDAP'.
You need to, on some special cases (at least on the freeradius version I'm using, 2.1.6). The "special case" here is when you're authenticating against LDAP database, but the schema doesn't store cleartext-password or some form of password crypt compatible with freeradius, leaving you only with LDAP bind for authentication. See http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65103.h... for relevant part in my config. -- Fajar
participants (4)
-
Alexander Clouter -
Fajar A. Nugraha -
John Dennis -
Robert Masters