Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challenge response
Hi, I am trying to send an Access-Request with EAP-Identity response. The Request was successful and Server sent an Access-Challenge in response (MD5 challenge), the response to this challenge is failing (receiving Access-Reject from Server), the Error message was "rlm_eap_md5: User-Password is required for EAP-MD5 authentication". I have the User-Password attribute in Access-Request. Below is the Access-Request packet attributes, -------------------------------------------------------------------------------- User-Name = jrc User-Password = jrc Nas-identifier = jrcnas Nas-Ip-Address = 10.10.10.10 Nas-Port = 20 Nas-Port-Type = 15 CUI = 0 Service-Type = Framed-User Framed-MTU = 1400 Calling-Station-Id = 1:1:1:1:1:1 NSP-Id = nap BS-ID = TestBS EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "jrc" EAP-MD5-Password = jrc Message-Authenticator = 0x00 -------------------------------------------------------------------------------- am I doing any wrong here? Can Anybody help me how to solve this problem? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- rad_recv: Access-Request packet from host 127.0.0.1:32825, id=177, length=150 User-Name = "jrc" User-Password = "jrc" NAS-Identifier = "jrcnas" NAS-IP-Address = 10.10.10.10 NAS-Port = 20 NAS-Port-Type = Ethernet CUI = "0" Service-Type = Framed-User Framed-MTU = 1400 Calling-Station-Id = "1:1:1:1:1:1" NSP-ID = "nap" BS-ID = "TestBS" Message-Authenticator = 0x4cc4b9e9f807f7648ddb267ec1365cc6 EAP-Message = 0x02d20008016a7263 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 210 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry jrc at line 231 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 177 to 127.0.0.1 port 32825 CUI = "TestCUI2" Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.31.128.112 Framed-IP-Netmask = 255.255.255.0 Framed-MTU = 1400 AAA-Session-Id = "MultiSessionId2" MSK = "TestMSK2" HA-IP-MIP4 = 1.2.3.5 DHCPv4-Server = 5.6.7.9 MN-HA-MIP4-KEY = "TestMIPKey2" MN-HA-MIP4-SPI = "TestMIPSPI2" DHCP-RK = "TestDHCPRK2" DHCP-RK-KEY-ID = "TestDHCPRKID2" DHCP-RK_LIFETIME = 30 EAP-Message = 0x01d300160410f492fb48923219d8c9760b271cf4e031 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x467be2cc5938e30e368d1633e8ebd4fd Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32825, id=178, length=182 User-Name = "jrc" User-Password = "jrc" NAS-Identifier = "jrcnas" NAS-IP-Address = 10.10.10.10 NAS-Port = 20 NAS-Port-Type = Ethernet CUI = "0" Service-Type = Framed-User Framed-MTU = 1400 Calling-Station-Id = "1:1:1:1:1:1" NSP-ID = "nap" BS-ID = "TestBS" Message-Authenticator = 0x7c3e1b2a25d10ce176811099e6ea64a3 State = 0x467be2cc5938e30e368d1633e8ebd4fd EAP-Message = 0x02d300160410d879a36a071bbf8d1111a598184dbe22 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 211 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry jrc at line 231 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: leaving group authenticate (returns invalid) for request 1 auth: Failed to validate the user. Login incorrect: [jrc] (from client localhost port 20 cli 1:1:1:1:1:1) Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32825, id=178, length=182 Sending Access-Reject of id 178 to 127.0.0.1 port 32825 EAP-Message = 0x04d30004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -- With Regards, Govardhana K N
Hi All, is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius: # service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED] Thanks for your answers. Markus
On 7/19/07, Rascher, Markus <markus.mr.rascher@siemens.com> wrote:
Hi All,
is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius:
# service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED]
You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help: http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authe... http://www.howtoforge.com/apache_radius_two_factor_authentication The latter is more recent. HTH, nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
On Thu, Jul 19, 2007 at 09:14:28AM -0400, Nick Owen wrote:
On 7/19/07, Rascher, Markus <markus.mr.rascher@siemens.com> wrote:
Hi All,
is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius:
# service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED]
You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help: http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authe...
http://www.howtoforge.com/apache_radius_two_factor_authentication
The latter is more recent.
I tried mod_auth_xradius but found it has a major bug where it won't let you configure more than one RADIUS server. When I tried mod_auth_radius-2.0 this built OK with my server but I couldn't figure what to put in httpd.conf to make it work. Has AuthAuthoritative been replaced by AuthBasicAuthoritative? If so, does anyone know how what the httpd config for apache2 should look like? -- Ben Thompson
Rascher, Markus wrote:
# service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf
There are patches to make the module build with newer versions of Apache. They should really be applied, but I've been busy with other things. Once that's done, a new version of the module should be released. Alan DeKok.
On 7/19/07, Alan DeKok <aland@deployingradius.com> wrote:
Rascher, Markus wrote:
# service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf
There are patches to make the module build with newer versions of Apache. They should really be applied, but I've been busy with other things.
Once that's done, a new version of the module should be released. Or are the patches are available somewhere and can be applied?
Any idea on a time-frame for a new release? thanks, nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
Hi, is there anyone who used mod_auth_radius with apache 2.xx?? ________________________________ Von: freeradius-users-bounces+markus.mr.rascher=siemens.com@lists.freeradius. org [mailto:freeradius-users-bounces+markus.mr.rascher=siemens.com@lists.fre eradius.org] Im Auftrag von Rascher, Markus Gesendet: Donnerstag, 19. Juli 2007 13:10 An: FreeRadius users mailing list Betreff: mod_auth_radius Hi All, is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius: # service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED] Thanks for your answers. Markus
I am trying to send an Access-Request with EAP-Identity response. The Request was successful and Server sent an Access-Challenge in response (MD5 challenge), the response to this challenge is failing (receiving Access-Reject from Server), the Error message was "rlm_eap_md5: User-Password is required for EAP-MD5 authentication". I have the User-Password attribute in Access-Request. Below is the Access-Request packet attributes,
You don't quite understand how EAP-MD5 works. There is not supposed to be a User-Password in the request - instead, a response to the MD5-Challenge the server sent out earlier. The *server* needs to know the user's password to verify this response. So putting the attribute User-Password in the request won't gain you anything, other than violating RFCs. The server will not look there. With EAP-MD5, the user's password is *never* on the wire. You want to configure the user's password in the server, for example in the users file. In 1.16 and later, you will want to use the name "Cleartext-Password" instead of User-Password for that - it reduces confusion. Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Thanks for the help Stefan. On 7/19/07, Stefan Winter <stefan.winter@restena.lu> wrote:
I am trying to send an Access-Request with EAP-Identity response. The Request was successful and Server sent an Access-Challenge in response (MD5 challenge), the response to this challenge is failing (receiving Access-Reject from Server), the Error message was "rlm_eap_md5: User-Password is required for EAP-MD5 authentication". I have the User-Password attribute in Access-Request. Below is the Access-Request packet attributes,
You don't quite understand how EAP-MD5 works. There is not supposed to be a User-Password in the request - instead, a response to the MD5-Challenge the server sent out earlier. The *server* needs to know the user's password to verify this response. So putting the attribute User-Password in the request won't gain you anything, other than violating RFCs. The server will not look there. With EAP-MD5, the user's password is *never* on the wire. You want to configure the user's password in the server, for example in the users file. In 1.16 and later, you will want to use the name "Cleartext-Password" instead of User-Password for that - it reduces confusion.
Stefan
-- Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- With Regards, Govardhana K N
participants (6)
-
Alan DeKok -
B Thompson -
Govardhana K N -
Nick Owen -
Rascher, Markus -
Stefan Winter