Freeradius as a proxy to Windows IAS
Clive Gould
clive at ce.bromley.ac.uk
Tue Jul 31 12:17:49 CEST 2007
Hi
Thanks for the replies to my posting yesterday.
Perhaps I can explain the situation more clearly. My goal is to
authenticate login to the digital repository DSpace against a Windows IAS
server. I do not have physical access to the IAS server and cannot change
its shared secret. So far I have been unable to successfully authenticate
DSpace directly against the remote IAS server.
As a result of this I came up with the idea of setting up a Freeradius
proxy server running on the same Linux box as DSpace, which would act as a
proxy to the remote IAS server for authentication purposes in the hope
that this would work.
I have been able to successfully validate login to Dspace against the
FreeRADIUS server when authentication is carried out against the unix
account files /etc/passwd and /etc/shadow on the local machine. However, I
have been unsuccessful in validating DSpace login against the IAS server
with Freeradius acting as a proxy.
We also use the Moodle VLE running on the same Linux box as DSpace and
Freeradius, which has been using a PHP module to successfully validate
against the IAS server using the mschapv2 protocol for several years. As
part of debugging I decided to try pointing Moodle at the Freeradius proxy
instead of directly at IAS. I append the log trace resulting from this
below.
Dspace, Moodle and Freeradius are on 10.200.0.14
Windows IAS is on 10.200.0.2
It suggests to me that the shared secrets are wrong, but I've double
checked them and they are identical.
Any suggestions very gratefully received :-)
Thanks very much
Clive
[root at vle raddb]# /usr/sbin/radiusd -sfxxyz -l stdout > radlog
[root at vle raddb]# cat radlog
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = 10.200.0.14 IP address [10.200.0.14]
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 10.200.0.14:1812
Listening on accounting 10.200.0.14:1813
Listening on proxy 10.200.0.14:1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.200.0.14:41775, id=238,
length=178
NAS-Identifier = "vle.bromley.ac.uk"
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "127.0.0.1"
User-Name = "cliveg at staff.bromley.local"
MS-CHAP2-Response = removed from this email
MS-CHAP-Challenge = removed from this email
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: Looking up realm "staff.bromley.local" for User-Name =
"cliveg at staff.bromley.local"
rlm_realm: Found realm "staff.bromley.local"
rlm_realm: Proxying request from user cliveg to realm staff.bromley.local
rlm_realm: Adding Realm = "staff.bromley.local"
rlm_realm: Preparing to proxy authentication request to realm
"staff.bromley.local"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 10.200.0.2:1812
NAS-Identifier = "vle.bromley.ac.uk"
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "127.0.0.1"
User-Name = "cliveg at staff.bromley.local"
MS-CHAP2-Response = removed from this email
MS-CHAP-Challenge = removed from this email
NAS-IP-Address = 10.200.0.14
Proxy-State = 0x323338
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.200.0.2:1812, id=0, length=236
Received Access-Accept packet from 10.200.0.2:1812 with invalid signature
(err=2)! (Shared secret is incorrect.)
Server rejecting request 0.
Finished request 0
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.200.0.14:41775, id=238,
length=178
Sending Access-Reject of id 238 to 10.200.0.14:41775
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.200.0.14:41775, id=238,
length=178
Sending duplicate reply to client vle:41775 - ID: 238
Re-sending Access-Reject of id 238 to 10.200.0.14:41775
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 238 with timestamp 46af04de
Nothing to do. Sleeping until we see a request.
[root at vle raddb]#
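The line "Received Access-Accept packet ... with invalid signature (err=2)! (Shared secret is incorrect.)" comes from the proxy recomputing the reply's Response Authenticator, which RFC 2865 defines as MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), and finding it does not match. The Python below is an added example, not part of Clive's post and not FreeRADIUS code: it builds an Access-Request as the NAS would, signs an Access-Accept with one secret as the home server would, and verifies it with another secret as the proxy would. The secrets, the packet identifiers and the attribute contents are invented; nothing here is taken from the redacted packets in the log.

```python
"""RADIUS Response Authenticator construction and verification (RFC 2865 s.3).

Added illustration; packet bytes and secrets are constructed here, not
captured from the 10.200.0.14 <-> 10.200.0.2 exchange in the log.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
USER_NAME = 1        # attribute type numbers from RFC 2865
REPLY_MESSAGE = 18
HEADER_LEN = 20      # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs (RFC 2865 s.5)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def response_authenticator(code, identifier, request_auth, attr_bytes, secret):
    """MD5 over Code, ID, Length, the Request Authenticator, attributes, secret."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_request(identifier, attrs, request_auth=None):
    """Assemble an Access-Request; the NAS picks a random Request Authenticator."""
    if request_auth is None:
        request_auth = os.urandom(16)
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + request_auth + body


def build_response(code, request, attrs, secret):
    """Sign a reply to `request` the way a home server (here, IAS) does."""
    identifier = request[1]
    request_auth = request[4:HEADER_LEN]
    body = encode_attributes(attrs)
    auth = response_authenticator(code, identifier, request_auth, body, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + auth + body


def verify_response(reply, request, secret):
    """Return True if `reply` is a correctly signed answer to `request`.

    This is the comparison whose failure FreeRADIUS logs as
    "invalid signature ... (Shared secret is incorrect.)".
    Octets beyond the Length field (padding) are not tolerated here.
    """
    if len(reply) < HEADER_LEN or len(request) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(
        code, identifier, request[4:HEADER_LEN], reply[HEADER_LEN:], secret)
    return hmac.compare_digest(reply[4:HEADER_LEN], expected)


def demo(home_secret=b"ias-secret", proxy_secret=b"proxy-secret"):
    """Home server signs with home_secret; the proxy checks with proxy_secret.

    Returns (verified_with_home_secret, verified_with_proxy_secret).
    Secrets and attribute values are invented for this example.
    """
    request = build_request(238, [(USER_NAME, b"cliveg@staff.bromley.local")])
    reply = build_response(ACCESS_ACCEPT, request, [(REPLY_MESSAGE, b"ok")], home_secret)
    return (verify_response(reply, request, home_secret),
            verify_response(reply, request, proxy_secret))


if __name__ == "__main__":
    print(demo())  # (True, False): matching secret verifies, mismatched one does not
```

Two secrets are in play in the proxied setup: the one in clients.conf that DSpace and Moodle use to reach the FreeRADIUS server on 10.200.0.14, and the one FreeRADIUS uses for the realm's home server 10.200.0.2 (in 1.x, the `secret` entry of that realm's block in proxy.conf). The verification above uses only the second, so the error in the log says nothing about the first; it means the reply from IAS did not hash correctly under the secret FreeRADIUS holds for 10.200.0.2, which is what would be seen if IAS's RADIUS client entry for 10.200.0.14 carried a different secret than proxy.conf.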