HELP: radtest fails local test
Freeradius 1.1.3 smb.conf http://pastebin.ca/437671 radius.conf http://pastebin.ca/437670 clients.conf http://pastebin.ca/437668 eap.conf http://pastebin.ca/437667 krb5.conf http://pastebin.ca/437666 A local test using radtest fails but I am unsure why. It looks like its trying to authenticate against the unix passwd file, I only need FR to auth against our w2k3 AD server. Any help is appreciated. [root@fedora ~]# radtest Administrator pass 127.0.0.1:1812 10 testing123 Sending Access-Request of id 166 to 127.0.0.1 port 1812 User-Name = "Administrator" User-Password = "tfxsol" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20 radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32770, id=166, length=65 User-Name = "Administrator" User-Password = "tfxsol" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "Administrator", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [Administrator]: invalid password modcall[authenticate]: module "unix" returns reject for request 0 modcall: leaving group authenticate (returns reject) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 166 to 127.0.0.1 port 32770 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 166 with timestamp 461f1204 Nothing to do. Sleeping until we see a request.
Jacob Jarick wrote:
A local test using radtest fails but I am unsure why. It looks like its trying to authenticate against the unix passwd file,
Yes. See the "users" file. It sets authentication to /etc/passwd (or system) if there's no other method set.
I only need FR to auth against our w2k3 AD server. Any help is appreciated.
For PAP authentication, you have to configure that manually. i.e. tell the server "if you receive PAP, run ntlm_auth to authenticate against AD". See the "exec" module for how to run external programs. It looks like you didn't tell the server to authenticate against AD. Please do so. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Freeradius 1.1.3 smb.conf http://pastebin.ca/437671 radius.conf http://pastebin.ca/437670 clients.conf http://pastebin.ca/437668 eap.conf http://pastebin.ca/437667 krb5.conf http://pastebin.ca/437666 How do I configure the users file to authenticate against the AD, the howto I followed says u do not need to configure the users file. I read the users.txt man page but it wasnt any help. My krb5.conf is properly configured, running ntlm_auth from the command line works perfectly. Is there any howto that actually covers this properly. On 4/13/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
A local test using radtest fails but I am unsure why. It looks like its trying to authenticate against the unix passwd file,
Yes. See the "users" file. It sets authentication to /etc/passwd (or system) if there's no other method set.
I only need FR to auth against our w2k3 AD server. Any help is appreciated.
For PAP authentication, you have to configure that manually. i.e. tell the server "if you receive PAP, run ntlm_auth to authenticate against AD". See the "exec" module for how to run external programs.
It looks like you didn't tell the server to authenticate against AD. Please do so.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jacob Jarick wrote:
How do I configure the users file to authenticate against the AD, the howto I followed says u do not need to configure the users file.
If you're using PEAP, yes. If you're just using PAP, you need to tell the server what to do.
I read the users.txt man page but it wasnt any help.
My krb5.conf is properly configured, running ntlm_auth from the command line works perfectly.
So... when I said you need to run ntlm_auth, and you could use the "exec" module to do that, what conclusion did you reach? Or, you can replace the reference to "System" in the "users" file with "Kerberos". But be sure you've told FreeRADIUS to use the kerberos module. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, Thanks so much for your advice mate. I got it going finally ! For people out there looking todo a similar setup here is my short mini howto: 1 Install Kerberos 2 Install OpenSSL 3 Install Samba 4 Follow the FreeRadius Tutorial for AD intergration: http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+im... 5: Follow this guide, particulary the part about "Configuring FreeRADIUS to use ntlm_auth" http://deployingradius.com/documents/configuration/active_directory.html On 4/13/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
How do I configure the users file to authenticate against the AD, the howto I followed says u do not need to configure the users file.
If you're using PEAP, yes. If you're just using PAP, you need to tell the server what to do.
I read the users.txt man page but it wasnt any help.
My krb5.conf is properly configured, running ntlm_auth from the command line works perfectly.
So... when I said you need to run ntlm_auth, and you could use the "exec" module to do that, what conclusion did you reach?
Or, you can replace the reference to "System" in the "users" file with "Kerberos". But be sure you've told FreeRADIUS to use the kerberos module.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
smb.conf http://pastebin.ca/437671 radius.conf http://pastebin.ca/437670 clients.conf http://pastebin.ca/437668 eap.conf http://pastebin.ca/437667 krb5.conf http://pastebin.ca/437666 OK, some more googling :P and Ive turned up this intresting howto which I will be trialing: http://deployingradius.com/documents/configuration/active_directory.html It covers Configuring FreeRADIUS to use ntlm_auth in a bit more detail than the last one. On 4/13/07, Jacob Jarick <mem.namefix@gmail.com> wrote:
Freeradius 1.1.3 smb.conf http://pastebin.ca/437671 radius.conf http://pastebin.ca/437670 clients.conf http://pastebin.ca/437668 eap.conf http://pastebin.ca/437667 krb5.conf http://pastebin.ca/437666
How do I configure the users file to authenticate against the AD, the howto I followed says u do not need to configure the users file. I read the users.txt man page but it wasnt any help.
My krb5.conf is properly configured, running ntlm_auth from the command line works perfectly.
Is there any howto that actually covers this properly.
On 4/13/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
A local test using radtest fails but I am unsure why. It looks like its trying to authenticate against the unix passwd file,
Yes. See the "users" file. It sets authentication to /etc/passwd (or system) if there's no other method set.
I only need FR to auth against our w2k3 AD server. Any help is appreciated.
For PAP authentication, you have to configure that manually. i.e. tell the server "if you receive PAP, run ntlm_auth to authenticate against AD". See the "exec" module for how to run external programs.
It looks like you didn't tell the server to authenticate against AD. Please do so.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
and Ive turned up this intresting howto which I will be trialing: http://deployingradius.com/documents/configuration/active_directory.html
yep -the official FreeRADIUS wiki/book combo from Alan D alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Jacob Jarick