Hi Thanks for the replies to my posting yesterday. Perhaps I can explain the situation more clearly. My goal is to authenticate login to the digital repository DSpace against a Windows IAS server. I do not have physical access to the IAS server and cannot change it's shared secret. So far I have been unable to successfully authenticate DSpace directly against the remote IAS server. As a result of this I came up with the idea of setting up a Freeradius proxy server running on the same Linux box as DSpace, which would act as a proxy to the remote IAS server for authentication purposes in the hope that this would work. I have been able to successfully validate login to Dspace against the FreeRADIUS server when authentication is carried out against the unix account files /etc/passwd and /etc/shadow on the local machine. However, I have been unsucessful in validating DSpace login against the IAS server with Freeradius is acting as a proxy. We also use the Moodle VLE running on the same Linux box as DSpace and Freeradius, which has been using a PHP module to successfully validate against the IAS server using the mschapv2 protocol for several years. As part of debugging I decided to try pointing Moodle at the Freeradius proxy instead of directly at IAS. I append the log trace resulting from this below. Dspace, Moodle and Freeradius are on 10.200.0.14 Windows IAS is on 10.200.0.2 It suggests to me that the shared secrets are wrong, but I've double checked them and they are identical. Any suggestions very greatfully received :-) Dspace, Moodle and Freeradius are on 10.200.0.14 Windows IAS is on 10.200.0.2 Thanks very much Clive [root@vle raddb]# /usr/sbin/radiusd -sfxxyz -l stdout > radlog [root@vle raddb]# cat radlog Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: bind_address = 10.200.0.14 IP address [10.200.0.14] main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 10.200.0.14:1812 Listening on accounting 10.200.0.14:1813 Listening on proxy 10.200.0.14:1814 Ready to process requests. rad_recv: Access-Request packet from host 10.200.0.14:41775, id=238, length=178 NAS-Identifier = "vle.bromley.ac.uk" NAS-Port-Type = Virtual Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "127.0.0.1" User-Name = "cliveg@staff.bromley.local" MS-CHAP2-Response = removed from this email MS-CHAP-Challenge = removed from this email Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: Looking up realm "staff.bromley.local" for User-Name = "cliveg@staff.bromley.local" rlm_realm: Found realm "staff.bromley.local" rlm_realm: Proxying request from user cliveg to realm staff.bromley.local rlm_realm: Adding Realm = "staff.bromley.local" rlm_realm: Preparing to proxy authentication request to realm "staff.bromley.local" modcall[authorize]: module "suffix" returns updated for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 Sending Access-Request of id 0 to 10.200.0.2:1812 NAS-Identifier = "vle.bromley.ac.uk" NAS-Port-Type = Virtual Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "127.0.0.1" User-Name = "cliveg@staff.bromley.local" MS-CHAP2-Response = removed from this email MS-CHAP-Challenge = removed from this email NAS-IP-Address = 10.200.0.14 Proxy-State = 0x323338 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=236 Received Access-Accept packet from 10.200.0.2:1812 with invalid signature (err=2)! (Shared secret is incorrect.) Server rejecting request 0. Finished request 0 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.200.0.14:41775, id=238, length=178 Sending Access-Reject of id 238 to 10.200.0.14:41775 --- Walking the entire request list --- Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.200.0.14:41775, id=238, length=178 Sending duplicate reply to client vle:41775 - ID: 238 Re-sending Access-Reject of id 238 to 10.200.0.14:41775 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 238 with timestamp 46af04de Nothing to do. Sleeping until we see a request. [root@vle raddb]#
On Tue 31 Jul 2007, Clive Gould wrote:
Hi
Thanks for the replies to my posting yesterday.
Perhaps I can explain the situation more clearly. My goal is to authenticate login to the digital repository DSpace against a Windows IAS server. I do not have physical access to the IAS server and cannot change it's shared secret. So far I have been unable to successfully authenticate DSpace directly against the remote IAS server.
Well, I would suggest you solve this problem first.
As a result of this I came up with the idea of setting up a Freeradius proxy server running on the same Linux box as DSpace, which would act as a proxy to the remote IAS server for authentication purposes in the hope that this would work.
FreeRADIUS is not magic... Fix the IAS server and the FreeRADIUS bit should just work.. -- Peter Nixon http://peternixon.net/
participants (2)
-
Clive Gould -
Peter Nixon