FreeRADIUS - Google LDAP - Error in debug mode - Regarding
Hi all, The FreeRADIUS server is working fine with eduroam. But showing the following error message for our local users while connecting with google ldap in debug mode *(108) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA(108) eap_ttls: ERROR: TLS_accept: Failed in error(108) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read)(108) eap_ttls: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca(108) eap_ttls: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure(108) eap_ttls: ERROR: System call (I/O) error (-1)(108) eap_ttls: ERROR: TLS receive handshake failed during operation(108) eap_ttls: ERROR: [eaptls process] = fail(108) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed* Can any of you please help me to resolve this? Thanks in advance Regards Thirunavukkarasu
On Oct 9, 2021, at 2:52 AM, P.Thirunavukkarasu <drthiruna@tanuvas.org.in> wrote:
The FreeRADIUS server is working fine with eduroam. But showing the following error message for our local users while connecting with google ldap in debug mode
More messages show up in debug mode, yes...
*(108) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA(108) eap_ttls: ERROR: TLS_accept: Failed in error(108) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read)(108) eap_ttls: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca(108)
Formatting it correctly would help, but whatever. This message means that the client does not recognize the CA used by FreeRADIUS. The solution is to configure the client correctly, so that it knows about the CA. Alan DeKok.
Hi, The client gets connected with RADIUS by disabling the CA validation. But I am facing unique problem, that the clients gets connected only when I run the server in debug mode In debug mode the RADIUS shows that it is ready to process the requests. Any reason for this? On Sat, 9 Oct 2021 at 19:15, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 9, 2021, at 2:52 AM, P.Thirunavukkarasu <drthiruna@tanuvas.org.in> wrote:
The FreeRADIUS server is working fine with eduroam. But showing the following error message for our local users while connecting with google ldap in debug mode
More messages show up in debug mode, yes...
*(108) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA(108) eap_ttls: ERROR: TLS_accept: Failed in error(108) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read)(108) eap_ttls: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca(108)
Formatting it correctly would help, but whatever.
This message means that the client does not recognize the CA used by FreeRADIUS. The solution is to configure the client correctly, so that it knows about the CA.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Dr.P.Thirunavukkarasu, MVSc, PhD, MCAAssistant Professor* *Dept. of Animal Husbandry Statistics and Computer ApplicationsMadras Veterinary CollegeChennai-600007; INDIA* *Phone: +91-44-25392737; +91-44-25304000* *Fax: +91-44-25389445* -- _---------------------------------------------------------------------------------_ *_TANUVAS_* *The contents of this message are confidential and are not be shared with outside parties without prior permission*
On Oct 15, 2021, at 2:42 AM, Thirunavukkarasu Palanisamy <drthiruna@tanuvas.org.in> wrote:
The client gets connected with RADIUS by disabling the CA validation.
That is entirely the wrong solution. Just configure the CA on the client. Disabling CA validation means that the client will connect to *any* RADIUS server, and hand over the passwords. This is insecure, and very wrong.
But I am facing unique problem, that the clients gets connected only when I run the server in debug mode In debug mode the RADIUS shows that it is ready to process the requests. Any reason for this?
The default configuration works fine. So what did you change? I don't know, because you're very careful to not give any useful information. Does it to LDAP? AD? ntlm_auth? I have no idea. You do, but you're not saying. This is like taking your car to the mechanic, and saying "It doesn't work right". When the mechanic asks "what's wrong?" You say "I dunno, you're the mechanic, you fix it." This approach is unhelpful. My guess (and it's only a guess), is that it's a permissions issue. I'll follow your style here, and give no more useful information than that. If you think about it carefully and read the configuration, that should be enough to fix the issue. Alan DeKok.
Hi, Greetings and Thanks... The setup is CentOS7 with FreeRADIUS on a VM. Connected to Google Secure LDAP. EAP Settings: EAP-TTLS-PAP (As you suggested it is working only with EAP-TTLS-PAP) Our W-Fi devices are Aruba IAPs and we are using the virtual controller. On Fri, 15 Oct 2021 at 16:25, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 15, 2021, at 2:42 AM, Thirunavukkarasu Palanisamy < drthiruna@tanuvas.org.in> wrote:
The client gets connected with RADIUS by disabling the CA validation.
That is entirely the wrong solution. Just configure the CA on the client.
Disabling CA validation means that the client will connect to *any* RADIUS server, and hand over the passwords. This is insecure, and very wrong.
I agree that CA validation is mandatory. I am using the default CA certificate.
But I am facing unique problem, that the clients gets connected only when I run the server in debug mode In debug mode the RADIUS shows that it is ready to process the requests. Any reason for this?
It was working fine, but recently I am facing an issue that the FreeRADIUS server processes the request only in debug mode. That is, it is accepting the request when the server is running in debug mode.
The default configuration works fine. So what did you change? I don't know, because you're very careful to not give any useful information.
Really I am not having any intentions like that. I'm sorry for this misunderstanding.
Does it to LDAP? AD? ntlm_auth? I have no idea. You do, but you're not saying.
Google Secure LDAP. EAP-TTLS-PAP The following are the few warning messages I noticed in the debug output. Not copied the entire debug output for easy review by the team. The entire debug attached as text file [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec '' found in filter list for realm "DEFAULT". *TLSMC: MozNSS compatibility interception begins.tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.TLSMC: MozNSS compatibility interception ends.TLS certificate verification: Error, unable to get local issuer certificate* eap_ttls: WARNING: Total received TLS record fragments (139 bytes), does not equal indicated TLS record length (0 bytes) WARNING: Outer and inner identities are the same. User privacy is compromised. I need help in this regard. From my understanding the server should be in debug mode for processing the requests. Our aim is implementing FreeRADIUS as a one stop solution for AAA and dynamic vlan. As of now I am working on dynamic vlan configuration in FreeRADIUS. VLANs based on G Suite OUs or groups. The OUs or groups are listed and assigned a VLAN in /etc/freeradius/3.0/mods-config/files/authorize Regards, *Thirunavukkarasu* -- _---------------------------------------------------------------------------------_ *_TANUVAS_* *The contents of this message are confidential and are not be shared with outside parties without prior permission*
On Oct 16, 2021, at 5:06 AM, Thirunavukkarasu Palanisamy <drthiruna@tanuvas.org.in> wrote:
It was working fine, but recently I am facing an issue that the FreeRADIUS server processes the request only in debug mode. That is, it is accepting the request when the server is running in debug mode.
You've said that already... there's no need to repeat yourself.
The following are the few warning messages I noticed in the debug output.
Entirely unrelated to the problem.
*TLSMC: MozNSS compatibility interception begins.tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.TLSMC: MozNSS compatibility interception ends.TLS certificate verification: Error, unable to get local issuer certificate*
That *is* an issue. You should drop the FreeRADIUS packages you're using, and use the *working* packages (and LDAP libraries) discussed on http://packages.networkradius.com Some OS distributions break FreeRADIUS, and it's up to us to fix them. As for the underlying issue you're seeing. It's really simple: It's not a FreeRADIUS issue. It's an Operating System permissions issue. You're probably running the server in debug mode as "root", and then running it in daemon mode as user "radiusd". If some of the configuration files are owned and readable only by "root", then the server won't be able to read them in daemon mode. And again, this issue doesn't happen in the default configuration. If you can't figure it out, throw away everything you've done, and install the packages from http://packages.networkradius.com Make sure it runs in debug mode and daemon mode. Then make ONE change. Test it in debug mode and daemon mode. If it works, save a copy of the configuration (e.g. using "git"). If it doesn't work, then that change broke the server. Repeat until you have a final working configuration. All of this process is documented EXTENSIVELY in the server. See "man radiusd" for one. We really don't recommend making 1000 changes to the configuration all at once, because most of the time it won't work. Take a slow, methodical approach, and it will be FASTER than trying to be "fast" by making a bunch of random changes you don't really understand. Alan DeKok.
Hi all, Thanks for the suggestion given. Particularly Alan. The first response is always from Alan Ji....
The following are the few warning messages I noticed in the debug output.
Entirely unrelated to the problem.
Noted. Will resolve it with our team support.
*TLSMC: MozNSS compatibility interception begins.tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.TLSMC: MozNSS compatibility interception ends.TLS certificate verification: Error, unable to get local issuer certificate*
That *is* an issue. You should drop the FreeRADIUS packages you're using, and use the *working* packages (and LDAP libraries) discussed on http://packages.networkradius.com
Some OS distributions break FreeRADIUS, and it's up to us to fix them.
Yes. We are trying to build a new RADIUS server in a new VM. (Hyper-V). https://wiki.freeradius.org/building/Platforms The core team suggested FreeBSD as the top among the others. Shall we proceed with FreeBSD? 32 bit or 64 bit which one is best? Or any other linux versions? Make sure it runs in debug mode and daemon mode. Then make ONE change.
Test it in debug mode and daemon mode. If it works, save a copy of the configuration (e.g. using "git"). If it doesn't work, then that change broke the server. Repeat until you have a final working configuration.
All of this process is documented EXTENSIVELY in the server. See "man radiusd" for one. We really don't recommend making 1000 changes to the configuration all at once, because most of the time it won't work.
Take a slow, methodical approach, and it will be FASTER than trying to be "fast" by making a bunch of random changes you don't really understand.
Noted. We will do it as you directed in a methodical way. I am having a few doubts? Can you plz guide me? Windows clients failed to authenticate in FreeRADIUS. But in debug mode no error messages were noticed. Any reason for it? How to connect the windows clients? We tried to set the maximum connection, bandwidth limitation,download and upload limits per user group of LDAP. I don't know where to start on the FreeRADIUS server..Just give a clue to start Please bear with me... Regards, Thirunavukkarasu...
On Oct 21, 2021, at 5:04 AM, P.Thirunavukkarasu <drthiruna@tanuvas.org.in> wrote:
Yes. We are trying to build a new RADIUS server in a new VM. (Hyper-V). https://wiki.freeradius.org/building/Platforms The core team suggested FreeBSD as the top among the others. Shall we proceed with FreeBSD? 32 bit or 64 bit which one is best? Or any other linux versions?
It all depends on what you want. But it's 2021... 32-bit systems aren't very relevant.
I am having a few doubts? Can you plz guide me? Windows clients failed to authenticate in FreeRADIUS. But in debug mode no error messages were noticed.
<sigh> If you're not going to post the debug output, I don't know why you're asking questions here. You've been told REPEATEDLY to do this.
Any reason for it? How to connect the windows clients?
Follow the documentation.
We tried to set the maximum connection, bandwidth limitation,download and upload limits per user group of LDAP.
Follow the documentation.
I don't know where to start on the FreeRADIUS server..Just give a clue to start
Read the docs and get up to speed. Alan DeKok.
Hi, Thank you.
It all depends on what you want. But it's 2021... 32-bit systems aren't very relevant.
Yes. I agree.
I am having a few doubts? Can you plz guide me? Windows clients failed to authenticate in FreeRADIUS. But in debug mode no error messages were noticed.
<sigh> If you're not going to post the debug output, I don't know why you're asking questions here. You've been told REPEATEDLY to do this.
I am really sorry. The debug output given below... Wndows clients not able to connect with the RADIUS (EAP-TTLS-PAP - Google LDAP) (0) Received Access-Request Id 106 from 172.16.20.210:60597 to 172.16.11.30:1812 length 241 (0) User-Name = "bvm21001@tanuvas.org.in" (0) NAS-IP-Address = 172.16.20.210 (0) NAS-Port = 0 (0) NAS-Identifier = "172.16.20.23" (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = "88532ed4f90e" (0) Called-Station-Id = "fc7ff1c60940" (0) Service-Type = Framed-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x0201001c0162766d32313030314074616e757661732e6f72672e696e (0) Aruba-Essid-Name = "TANUVAS" (0) Aruba-Location-Id = "Pharmacology_Lab" (0) Aruba-AP-Group = "MVC_AcademicAP_VC" (0) Aruba-Device-Type = "NOFP" (0) Message-Authenticator = 0x25f25cd80a7b44ca01746810ccc24170 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "tanuvas.org.in" for User-Name = " bvm21001@tanuvas.org.in" (0) suffix: Found realm "tanuvas.org.in" (0) suffix: Adding Stripped-User-Name = "bvm21001" (0) suffix: Adding Realm = "tanuvas.org.in" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: Peer sent EAP Response (code 2) ID 1 length 28 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: Initiating new EAP-TLS session (0) eap_ttls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 2 length 6 (0) eap: EAP session adding &reply:State = 0xb2d76114b2d57423 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 106 from 172.16.11.30:1812 to 172.16.20.210:60597 length 0 (0) EAP-Message = 0x010200061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xb2d76114b2d57423e9cf89ec8f3764aa (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 107 from 172.16.20.210:60597 to 172.16.11.30:1812 length 388 (1) User-Name = "bvm21001@tanuvas.org.in" (1) NAS-IP-Address = 172.16.20.210 (1) NAS-Port = 0 (1) NAS-Identifier = "172.16.20.23" (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "88532ed4f90e" (1) Called-Station-Id = "fc7ff1c60940" (1) Service-Type = Framed-User (1) Framed-MTU = 1100 (1) EAP-Message = 0x0202009d158000000093160303008e0100008a03036172b1c1de6237ab11952c07b4ca81e5fa8609a023bd3650c048ac9a4e95a77800002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000037000a00080006001d00170018000b000201 (1) State = 0xb2d76114b2d57423e9cf89ec8f3764aa (1) Aruba-Essid-Name = "TANUVAS" (1) Aruba-Location-Id = "Pharmacology_Lab" (1) Aruba-AP-Group = "MVC_AcademicAP_VC" (1) Aruba-Device-Type = "NOFP" (1) Message-Authenticator = 0xb7e83c01a82c07dbcba01d4023917228 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "tanuvas.org.in" for User-Name = " bvm21001@tanuvas.org.in" (1) suffix: Found realm "tanuvas.org.in" (1) suffix: Adding Stripped-User-Name = "bvm21001" (1) suffix: Adding Realm = "tanuvas.org.in" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) eap: Peer sent EAP Response (code 2) ID 2 length 157 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xb2d76114b2d57423 (1) eap: Finished EAP session with state 0xb2d76114b2d57423 (1) eap: Previous EAP request found for state 0xb2d76114b2d57423, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: Continuing EAP-TLS (1) eap_ttls: Peer indicated complete TLS record size will be 147 bytes (1) eap_ttls: Got complete TLS record (147 bytes) (1) eap_ttls: [eaptls verify] = length included (1) eap_ttls: (other): before/accept initialization (1) eap_ttls: TLS_accept: before/accept initialization (1) eap_ttls: <<< recv TLS 1.2 [length 008e] (1) eap_ttls: TLS_accept: SSLv3 read client hello A (1) eap_ttls: >>> send TLS 1.2 [length 0039] (1) eap_ttls: TLS_accept: SSLv3 write server hello A (1) eap_ttls: >>> send TLS 1.2 [length 08d3] (1) eap_ttls: TLS_accept: SSLv3 write certificate A (1) eap_ttls: >>> send TLS 1.2 [length 014d] (1) eap_ttls: TLS_accept: SSLv3 write key exchange A (1) eap_ttls: >>> send TLS 1.2 [length 0004] (1) eap_ttls: TLS_accept: SSLv3 write server done A (1) eap_ttls: TLS_accept: SSLv3 flush data (1) eap_ttls: TLS_accept: SSLv3 read client certificate A (1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_ttls: In SSL Handshake Phase (1) eap_ttls: In SSL Accept mode (1) eap_ttls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 3 length 1004 (1) eap: EAP session adding &reply:State = 0xb2d76114b3d47423 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 107 from 172.16.11.30:1812 to 172.16.20.210:60597 length 0 (1) EAP-Message = 0x010303ec15c000000a7116030300390200003503035f6f25a42f9336d338a50ac4c8a0bbc37752fed4552a18121600267be828bd0400c03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xb2d76114b3d47423e9cf89ec8f3764aa (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 108 from 172.16.20.210:60597 to 172.16.11.30:1812 length 237 (2) User-Name = "bvm21001@tanuvas.org.in" (2) NAS-IP-Address = 172.16.20.210 (2) NAS-Port = 0 (2) NAS-Identifier = "172.16.20.23" (2) NAS-Port-Type = Wireless-802.11 (2) Calling-Station-Id = "88532ed4f90e" (2) Called-Station-Id = "fc7ff1c60940" (2) Service-Type = Framed-User (2) Framed-MTU = 1100 (2) EAP-Message = 0x020300061500 (2) State = 0xb2d76114b3d47423e9cf89ec8f3764aa (2) Aruba-Essid-Name = "TANUVAS" (2) Aruba-Location-Id = "Pharmacology_Lab" (2) Aruba-AP-Group = "MVC_AcademicAP_VC" (2) Aruba-Device-Type = "NOFP" (2) Message-Authenticator = 0x1541d27a89bad69d36646fe6f9210e86 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "tanuvas.org.in" for User-Name = " bvm21001@tanuvas.org.in" (2) suffix: Found realm "tanuvas.org.in" (2) suffix: Adding Stripped-User-Name = "bvm21001" (2) suffix: Adding Realm = "tanuvas.org.in" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xb2d76114b3d47423 (2) eap: Finished EAP session with state 0xb2d76114b3d47423 (2) eap: Previous EAP request found for state 0xb2d76114b3d47423, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0xb2d76114b0d37423 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 108 from 172.16.11.30:1812 to 172.16.20.210:60597 length 0 (2) EAP-Message = 0x010403ec15c000000a7142b8b19395e52171dc162108c03cf4d3c86f234b0c449e6420d67d2afaf6ecaaf7243de135762948b1a4e615dd53e61291902ddf244638e87863c1d26fbc85617b15f483cc747b54470004e8308204e4308203cca003020102020900e3736d6d4f9383f6300d06092a864886f7 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xb2d76114b0d37423e9cf89ec8f3764aa (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 109 from 172.16.20.210:60597 to 172.16.11.30:1812 length 237 (3) User-Name = "bvm21001@tanuvas.org.in" (3) NAS-IP-Address = 172.16.20.210 (3) NAS-Port = 0 (3) NAS-Identifier = "172.16.20.23" (3) NAS-Port-Type = Wireless-802.11 (3) Calling-Station-Id = "88532ed4f90e" (3) Called-Station-Id = "fc7ff1c60940" (3) Service-Type = Framed-User (3) Framed-MTU = 1100 (3) EAP-Message = 0x020400061500 (3) State = 0xb2d76114b0d37423e9cf89ec8f3764aa (3) Aruba-Essid-Name = "TANUVAS" (3) Aruba-Location-Id = "Pharmacology_Lab" (3) Aruba-AP-Group = "MVC_AcademicAP_VC" (3) Aruba-Device-Type = "NOFP" (3) Message-Authenticator = 0x6e8f0c64848306003ba35541e847afbc (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "tanuvas.org.in" for User-Name = " bvm21001@tanuvas.org.in" (3) suffix: Found realm "tanuvas.org.in" (3) suffix: Adding Stripped-User-Name = "bvm21001" (3) suffix: Adding Realm = "tanuvas.org.in" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xb2d76114b0d37423 (3) eap: Finished EAP session with state 0xb2d76114b0d37423 (3) eap: Previous EAP request found for state 0xb2d76114b0d37423, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 5 length 695 (3) eap: EAP session adding &reply:State = 0xb2d76114b1d27423 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 109 from 172.16.11.30:1812 to 172.16.20.210:60597 length 0 (3) EAP-Message = 0x010502b7158000000a710530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100916dab332c8f26db01809a0101ebf27503ab3c80c1ec977315a582 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xb2d76114b1d27423e9cf89ec8f3764aa (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 110 from 172.16.20.210:60597 to 172.16.11.30:1812 length 367 (4) User-Name = "bvm21001@tanuvas.org.in" (4) NAS-IP-Address = 172.16.20.210 (4) NAS-Port = 0 (4) NAS-Identifier = "172.16.20.23" (4) NAS-Port-Type = Wireless-802.11 (4) Calling-Station-Id = "88532ed4f90e" (4) Called-Station-Id = "fc7ff1c60940" (4) Service-Type = Framed-User (4) Framed-MTU = 1100 (4) EAP-Message = 0x0205008815800000007e16030300461000004241040c850e994ce6ddf7e214a2942e86601ee014d2e42fc79a364115af3ba61aa22ba7f1f9b8439471e9b144e304a3f9ba628d2427c17ac9749b488605ee8789ea3f140303000101160303002800000000000000004d9d5e39d56235723fcaf35f8cebd1 (4) State = 0xb2d76114b1d27423e9cf89ec8f3764aa (4) Aruba-Essid-Name = "TANUVAS" (4) Aruba-Location-Id = "Pharmacology_Lab" (4) Aruba-AP-Group = "MVC_AcademicAP_VC" (4) Aruba-Device-Type = "NOFP" (4) Message-Authenticator = 0x85863d5c40db14d6342f64bfa6c87687 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "tanuvas.org.in" for User-Name = " bvm21001@tanuvas.org.in" (4) suffix: Found realm "tanuvas.org.in" (4) suffix: Adding Stripped-User-Name = "bvm21001" (4) suffix: Adding Realm = "tanuvas.org.in" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) eap: Peer sent EAP Response (code 2) ID 5 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xb2d76114b1d27423 (4) eap: Finished EAP session with state 0xb2d76114b1d27423 (4) eap: Previous EAP request found for state 0xb2d76114b1d27423, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: Peer indicated complete TLS record size will be 126 bytes (4) eap_ttls: Got complete TLS record (126 bytes) (4) eap_ttls: [eaptls verify] = length included (4) eap_ttls: <<< recv TLS 1.2 [length 0046] (4) eap_ttls: TLS_accept: SSLv3 read client key exchange A (4) eap_ttls: TLS_accept: SSLv3 read certificate verify A (4) eap_ttls: <<< recv TLS 1.2 [length 0001] (4) eap_ttls: <<< recv TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3 read finished A (4) eap_ttls: >>> send TLS 1.2 [length 0001] (4) eap_ttls: TLS_accept: SSLv3 write change cipher spec A (4) eap_ttls: >>> send TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3 write finished A (4) eap_ttls: TLS_accept: SSLv3 flush data (4) eap_ttls: (other): SSL negotiation finished successfully (4) eap_ttls: SSL Connection Established (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 6 length 61 (4) eap: EAP session adding &reply:State = 0xb2d76114b6d17423 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 110 from 172.16.11.30:1812 to 172.16.20.210:60597 length 0 (4) EAP-Message = 0x0106003d1580000000331403030001011603030028efab9a40ca6b0e1d7a5fe6d7fc0cd2d8f47b16489a1d87bb93f0925dbeb4fb6e4cd62effa8bede08 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xb2d76114b6d17423e9cf89ec8f3764aa (4) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 106 with timestamp +7 (1) Cleaning up request packet ID 107 with timestamp +7 (2) Cleaning up request packet ID 108 with timestamp +7 (3) Cleaning up request packet ID 109 with timestamp +7 (4) Cleaning up request packet ID 110 with timestamp +7 Even after repeated requests the Windows client shows that as " Can't connect to this network" Regards, Thirunavukkarasu
On Oct 22, 2021, at 8:43 AM, P.Thirunavukkarasu <drthiruna@tanuvas.org.in> wrote:
I am really sorry. The debug output given below... Wndows clients not able to connect with the RADIUS (EAP-TTLS-PAP - Google LDAP) ... (4) Sent Access-Challenge Id 110 from 172.16.11.30:1812 to 172.16.20.210:60597 length 0 (4) EAP-Message = 0x0106003d1580000000331403030001011603030028efab9a40ca6b0e1d7a5fe6d7fc0cd2d8f47b16489a1d87bb93f0925dbeb4fb6e4cd62effa8bede08 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xb2d76114b6d17423e9cf89ec8f3764aa (4) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 106 with timestamp +7 (1) Cleaning up request packet ID 107 with timestamp +7 (2) Cleaning up request packet ID 108 with timestamp +7 (3) Cleaning up request packet ID 109 with timestamp +7 (4) Cleaning up request packet ID 110 with timestamp +7 Even after repeated requests the Windows client shows that as " Can't connect to this network"
This is in the FAQ, and the Wiki. If you let the server sit for a bit, and have it get another packet, it will print out a link to a wiki page. Which describes the problem, and the solution. In short: configure the Windows system properly, with the correct certs. There are guides to doing this. Alan DeKok.
Hi all, Thanks a lot.... I configured the dynamic vlan assignment for the LDAP based user groups in freeradius. Regarding the certificates... https://www.apt-browse.org/browse/ubuntu/bionic/main/amd64/freeradius-config... In the above link there is a good description about the certificates. It is a good guide for the beginners... But I failed to identify the documentation for the LDAP based user group restrictions to set the maximum connection, bandwidth limitation,download and upload limits (per user group of LDAP) I am searching for the freeradius documentation for the above... I don't know where to start on the FreeRADIUS server.. With Regards, Thirunavukkarasu
On O
Regarding the certificates... https://www.apt-browse.org/browse/ubuntu/bionic/main/amd64/freeradius-config... In the above link there is a good description about the certificates. It is a good guide for the beginners...
That file comes with the server... see /etc/raddb/certs, or /etc/freeradius/3.0/certs/ on debian systems. There's no need to search the net for it. i.e. if you're editing the certs in the raddb/certs directory, that directory contains a README.
But I failed to identify the documentation for the LDAP based user group restrictions to set the maximum connection, bandwidth limitation,download and upload limits (per user group of LDAP)
There is no documentation which is "do exactly what I want". We document how the server works. It's up to you to put the pieces together. The short answer is that you can edit sites-enabled/default, and look for the post-auth section. Then, edit it to add checks for the ldap group: if (LDAP-Group == "foo") { ... } What goes inside of the "if" section is whatever you want to do when the group matches. In this case, "update reply". There is tons of documentation and examples on how to send reply attributes back. If you're looking for *specific* attributes for your NAS, then please read the NAS documentation. There's 1000 NAS vendors, each of whom have 1000 different models. We don't document all of that. Instead, the NAS vendor does. The NAS documentation will tell you which attributes to send back to do download/upload limits, etc. All you need to do then is to configure FreeRADIUS with those attributes. Alan DeKok.
Hi all, Thanks for the information shared. Everyday I am learning from you people. I am trying to find a solution based on your suggestions. As you mentioned we are looking for specific attributes for our NAS. I am doing a search with our NAS documentation. The following link is referred to by one person regarding that... https://fossies.org/linux/freeradius-server/share/dictionary.aruba One question regarding the EAP Termination / Offload Can we Offload the EAP in the APs? Is it recommended? https://www.arubanetworks.com/techdocs/Instant_87_WebHelp/Content/instant-ug... Regards, Thirunavukkarasu
participants (3)
-
Alan DeKok -
P.Thirunavukkarasu -
Thirunavukkarasu Palanisamy