eap-gtc error in authentication
Robert Masters
RMasters at bunnings.com.au
Wed Nov 24 03:30:26 CET 2010
We've been working on using Freeradius on RHEL5.4 to link a Motorola
RFS6000 with Oracle OID.
We've had a number of hiccoughs along the way, and solved most of them -
mainly thanks to the archives of this list.
We are now getting the following error:
"rlm_eap_gtc: ERROR: Clear-test User-Password is required for
authentication."
We are running : radiusd: FreeRADIUS Version 1.1.3, for host
i386-redhat-linux-gnu, built on Dec 4 2009 at 13:48:28
Which we are kind of stuck on if we want to maintain consistency with
RHN.
The full conversation log is long (882 lines), and with the config files
this is getting long enough, but I'll post it if it will help (and
apologise to the digest readers).
Some pertinent bits from it, though (these all refer to a conversation
that starts with request 0):
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/gtc
rlm_eap: processing type gtc
rlm_eap_gtc: ERROR: Clear-test User-Password is required for
authentication.
rlm_eap: Handler failed in EAP/gtc
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x977b0b0 3
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 9
Here is our radiusd.conf:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = clear
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
}
ldap {
server = "stingaree.bbs.bunnings.com.au"
port = 3061
identity =
"cn=bglpdtven,cn=users,dc=bbs,dc=bunnings,dc=com,dc=au"
password = XXXXXXXXXXX
basedn = "dc=bbs,dc=bunnings,dc=com,dc=au"
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = "OrclPassword"
groupname_attribute = cn
groupmembership_filter =
"(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUn
iqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
detail auth_log {
detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}
detail reply_log {
detailfile =
${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
preprocess
suffix
eap
files
ldap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
And our eap.conf:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = Local
}
tls {
private_key_password = XXXXXXXXXXXXXX
private_key_file =
/etc/raddb/certs/bunnings-key.pem
certificate_file =
/etc/raddb/certs/bunnings-cert.pem
CA_path = /etc/raddb/certs/CA
CA_file = /etc/raddb/certs/CA/bunnings-ca.crt
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
fragment_size = 1024
include_length = yes
cipher_list = "DEFAULT"
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
And our users file:
DEFAULT Auth-Type = LDAP
Fall-Through = Yes
DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
Unix Systems Administrator
Bunnings Group Limited
126 Pilbara Street, Welshpool WA 6106
Locked Bag 20, Welshpool WA 6986
Phone : (08) 9365-1507
Fax : (08) 9358-6054
E-mail : rmasters at bunnings.com.au
Website : www.bunnings.com.au
************************************************************************
Bunnings Legal Disclaimer:
1) This email is confidential and may contain legally privileged
information. If you are not the intended recipient, you must not
disclose or use the information contained in it. If you have received
this email in error, please notify us immediately by return email and
delete the document.
2) All emails sent to and sent from Bunnings Group Limited.
are scanned for content. Any material deemed to contain inappropriate
subject matter will be reported to the email administrator of all
parties concerned.
************************************************************************
More information about the Freeradius-Users
mailing list