Login incorrect (Home Server says so)... - But why?
uni at christiankraus.de
uni at christiankraus.de
Wed Aug 6 09:40:11 CEST 2008
Dear group,
you obviously still know my old thread: http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-July/msg00091.html
I am using still freeradius 1.1.7
Well, the problem was not the foreign server after all. It is kind of embarrassing to say: the reason was my access points. There was a setting saying that each password should be transferred encoded with MD5. Although I don't know why this had any influence on the clients using MSCHAPv2/PEAP or TTLS/PAP, I removed the setting and voilà, it works.
So now, visitors from other partner enterprises can use our WLAN with their own login credentials. The other direction should therefore also work. Do you know eduroam? The service we use is similar to it.
Let's look at my setup:
WLAN-accesspoints with SSID1 for local users-------------------------------------------------------------------------->Windows 2003 with IAS and active directory
same WLAN-accesspoints with SSID2 for foreign users---------------->myFreeRadiusServer------------->Windows 2003 with IAS and active directory
outside central server<------------------------------------------------------------->myFreeRadiusServer------------->Windows 2003 with IAS and active directory
outside central server<------------------------------------------------------------->someonesOtherRadiusServer1
outside central server<------------------------------------------------------------->someonesOtherRadiusServer2
...
So, my local users are able to use SSID1 with 802.1X. They use PEAP with MSCHAPv2 to access the WLAN. No problem, it works.
Also, if they accidentally use SSID2, which is meant for foreigners, they can still use it. They log in with "username at mydomain.com". Everything that ends with "@mydomain.de" is proxied from "myFreeRadiusServer" to the "Windows 2003 with IAS and active directory". This is also working without any problems.
Foreigners can use their credentials, e.g. "username at someonesOtherdomain.com". These credentials are passed to "myFreeRadiusServer". Everything that doesn't end with "@mydomain.de" is passed on to the "outside central server". There, a list maps each "@someonesOtherdomain.com" to the right "someonesOtherRadiusServer" (there are dozens of them), and from there the request is proxied to the corresponding "someonesOtherRadiusServer" that belongs to the right "@someonesOtherdomain.com".
What is working: I can use a "username at someonesOtherdomain.com" from a foreign enterprise to log in and use the WLAN. No problem here. But the other way round doesn't work. I asked a colleague from one of those foreign enterprises to test the login with "username at mydomain.com".
He gave me the following error message:
Mon Aug 4 17:19:57 2008 : Auth: Login incorrect (Home Server says so):
[username at mydomain.com] (from client CB-Access-Point-802.11 port 2 cli
00-1B-77-A4-7B-A2)
I don't know where the problem is. Perhaps you can give me a hint?
Here are my configuration files, with the IP addresses changed:
-----------------------------------------------------------------------------
clients.conf:
# RADIUS client (NAS) entry for the first WLAN access point.
# NOTE(review): unlike the other entries in this file, this secret does not look
# like a placeholder; if it is the production value it is now public and should
# be rotated on both the access point and the server.
client WLAN-IP-AP1 {
secret = oft36fW!
shortname = WLAN-AP1
nastype = other
}
...
# The outside central (top-level) proxy must itself be a known client, otherwise
# the requests it forwards to us (e.g. our own users roaming elsewhere) are dropped.
client "outside central server"-IP {
secret = ASECRETPASSWORD
shortname = top-level-radius1
nastype = other
}
# Backup instance of the central proxy.
# NOTE(review): shortname is the same as the primary entry above; it is used in
# log lines and %{Client-Shortname}, so a distinct name for the backup keeps the
# logs distinguishable.
client "outside central backup server"-IP {
secret = ASECRETPASSWORD
shortname = top-level-radius1
nastype = other
}
-----------------------------------------------------------------------------
proxy.conf
# Home realm: everything ending in @mydomain.com is forwarded to the Windows IAS
# server with the User-Name left intact (nostrip); IAS/AD holds the accounts.
# NOTE(review): the logged "Login incorrect (Home Server says so)" means the
# Access-Reject came back from this home server rather than from local policy,
# so the IAS event log for the same timestamp should show the actual reason.
realm mydomain.com {
type = radius
authhost = IAS-IP:1812
accthost = IAS-IP:1813
secret = anotherpass
#ldflag = round_robin1
nostrip
}
# Catch-all realm: any suffix not matched above is handed to the outside central server.
# NOTE(review): a second "realm DEFAULT" follows with the backup host; in 1.x a
# repeated realm name is how fail-over / round-robin between home servers is
# expressed (the commented ldflag above hints at this) — confirm the intended mode.
realm DEFAULT {
type = radius
authhost = outside central server:1812
accthost = outside central server:1813
secret = pass
nostrip
}
# Backup path for the catch-all realm (deliberately the same realm name as above).
realm DEFAULT {
type = radius
authhost = outside central backup server:1812
accthost = outside central backup server:1813
secret = pass
nostrip
}
-----------------------------------------------------------------------------
users
# Requests for our own realm that are about to be proxied to IAS: keep the full
# User-Name, allow later entries to match too, and mark the request for EAP.
DEFAULT, Realm == mydomain.com, FreeRADIUS-Proxied-To == IAS-IP
User-Name = `%{User-Name}`,
Fall-Through = yes,
Auth-Type := EAP
# Anonymous outer identities (PEAP/TTLS) are handled by EAP.
DEFAULT, User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@.*$"
Auth-Type := EAP
# NOTE(review): with extended_expressions = yes, "$" is always an end-of-string
# anchor, so "$@$" cannot match any User-Name and this entry is dead. If the intent
# was "any User-Name containing an @", the pattern would need to be e.g. "@" — confirm.
DEFAULT, User-Name =~ "$@$"
Auth-Type := EAP
# Anything that arrives without a realm is rejected outright.
DEFAULT Realm == NULL
Auth-Type := Reject
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
eap.conf
(Although, as I learned, it is not doing anything.)
# EAP module: TLS, TTLS and PEAP with MSCHAPv2 inside. Per the post this file
# plays no role for the proxied case — presumably because the EAP conversation
# is terminated on the home server, not here.
eap {
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
md5 {
}
leap {
}
# Server certificate and key for locally terminated TLS-based methods.
# NOTE(review): if "pass" is the real private-key passphrase rather than a
# placeholder, it is now public — generate a new key and certificate.
tls {
private_key_password = pass
private_key_file = /usr/src/freeradius/key.pem
#${raddbdir}/certs/cert-srv.pem
certificate_file = /usr/src/freeradius/freeradius-cert.pem
CA_file = /usr/src/freeradius/chain.txt
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
# Both tunnels default to MSCHAPv2 inside; outer request attributes are not
# copied into the tunnel, but the tunneled reply attributes are returned to the NAS.
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = yes
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = yes
}
mschapv2 {
}
}
-----------------------------------------------------------------------------
radiusd.conf, where I hardly changed anything. I commented many things out...
# Installation layout; every other path below is derived from these.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = /var/log/radius/radius.log
log_destination = files
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
# Request lifetime and queue limits.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listen on all interfaces; port = 0 selects the standard RADIUS port rather
# than an explicit one.
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
# Extended (POSIX ERE) matching is on; this governs how the =~ patterns in "users" are read.
regular_expressions = yes
extended_expressions = yes
# Authentication logging.
# NOTE(review): log_auth_badpass / log_auth_goodpass append the supplied password
# to the Auth log line for rejected / accepted requests, so cleartext PAP passwords
# land in radius.log; keep both at "no" unless actively debugging a login.
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
# User-Name / password normalisation hacks, all disabled.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
# Hardening knobs: cap on attributes per packet, a 1 s delay before each
# Access-Reject (slows down password guessing), and no Status-Server replies.
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
# Proxying is enabled; realms and known clients are defined in the included files above.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
# SNMP is off, although its configuration is still read.
snmp = no
$INCLUDE ${confdir}/snmp.conf
# Worker thread pool (max_requests_per_server = 0: threads are not recycled).
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Module instances referenced by the processing sections further down.
modules {
# PAP; auto_header lets password-type prefixes such as {crypt} on stored passwords be detected.
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
# Local system-password lookups; the password cache is disabled.
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
# The eap instance (tls/ttls/peap/mschapv2) is defined in eap.conf.
$INCLUDE ${confdir}/eap.conf
# MS-CHAP/MS-CHAPv2 for locally authenticated users: MPPE is required and only
# strong (128-bit) keys are accepted; a DOMAIN\user prefix is not stripped here.
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
}
# Realm splitters, one per delimiter style. Only "suffix" (user@realm) is listed
# in the authorize and preacct sections below; the other three are dormant.
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Compares the request's Calling-Station-Id with a check item of the same name.
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
# Hints/huntgroups preprocessing; all vendor-specific hacks are disabled.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Flat-file policy: the "users" file shown above plus the accounting and pre-proxy variants.
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
# Per-client daily accounting detail files, owner-readable only (0600).
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# SQL module; the sqlcounter instances below refer to it as sqlmod-inst = sql.
$INCLUDE ${confdir}/sql.conf
# Session tracking (used by the accounting and session sections).
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
# World-readable variant for "radwho"; not referenced by any section below.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# Attribute filter driven by the "attrs" file; listed in authorize below.
attr_filter {
attrsfile = ${confdir}/attrs
}
# Usage counters (file-backed daily counter and two SQL-backed ones). None of
# them is listed in the sections below, so they are currently inactive.
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
# The same notes above about the differences between mysql
# versus postgres queries apply here.
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
# Fixed-result helper modules; not referenced by any section below.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
# Generic exec instance (instantiated below, not called from any section).
exec {
wait = yes
input_pairs = request
}
# Stock example: echoes the User-Name into the reply. Nothing below calls "echo".
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
# Modules loaded at start-up even though no processing section lists them.
instantiate {
exec
expr
}
# Order matters: suffix splits off the realm (and decides proxying) before eap
# and the users file run; pap is last so it only claims requests nobody else did.
authorize {
preprocess
attr_filter
chap
mschap
suffix
eap
files
pap
}
# Auth-Type dispatch for locally handled requests; PEAP/TTLS end up in eap.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
# Accounting pre-processing; suffix is needed here too so accounting is proxied like auth.
preacct {
preprocess
acct_unique
suffix
files
}
# Accounting is written to the detail files, radwtmp and radutmp.
accounting {
detail
unix
radutmp
}
# Simultaneous-use checks consult radutmp.
session {
radutmp
}
# Empty: nothing is logged or rewritten after a local authentication result.
post-auth {
}
# Empty: requests are forwarded to home servers unmodified.
pre-proxy {
}
# eap here lets the server track EAP sessions whose round trips go through a home server.
post-proxy {
eap
}