another shared secret problem

Morris, Andi amorris at cardiffmet.ac.uk
Fri Jun 8 10:50:34 CEST 2012


Hi Cornelius,
Did you mean to put some text in here?

Andi

From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org On Behalf Of Cornelius Kölbel
Sent: 07 June 2012 13:55
Cc: freeradius-users at lists.freeradius.org
Subject: Re: another shared secret problem



--
Cornelius Kölbel
Http://www.lsexperts.de
LSE Leading Security Experts GmbH
Tel: +49 6151 9067-252, mobile: +49 160 96307089
Registered office: Weiterstadt
Managing directors: Oliver Michel, Sven Walther, Dr. Peter Schill


On 07.06.2012 at 14:36, "Morris, Andi" <amorris at cardiffmet.ac.uk> wrote:
It pains me to send this to the list as I know I’m going to get shot down for missing something obvious, but I simply can’t think of where else I need to set this up.
I’m moving my web proxy servers from ISA to TMG and need to declare the TMG servers in my freeradius servers so that they accept NATed requests from my MS IAS servers.  I have added the new servers to /etc/raddb/clients.conf in the same way as the ISA servers were, and entered a shared secret (simple to try and help debug this).  I have then added the same servers to my clients list in MS IAS with the same shared secret.

The problem is that the FR server is reporting a shared secret mismatch when requests come from the new servers:
rad_recv: Access-Request packet from host 4.4.4.4 port 62463, id=1, length=211
Received packet from 4.4.4.4 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.
Going to the next request

I have typed and retyped the shared secret several times on both FR and IAS sides of the conversation.  Is there anywhere else in FR I need to declare the new servers that I have missed, or do I need to concentrate the efforts to the IAS servers?
Full debug output with masked details below:
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/eap.conf

including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 2
        proxy_requests = yes
log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
security {
        max_attributes = 200
        reject_delay = 0
        status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = yes
        dead_time = 120
        wake_all_if_all_dead = no
}

home_server server01 {
        ipaddr = x.x.x.x
        port = 1812
        type = "auth+acct"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 60
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
}
home_server server02 {
        ipaddr = y.y.y.y
        port = 1812
        type = "auth+acct"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 60
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
}
home_server_pool home {
        type = fail-over
        home_server = server01
        home_server = server02
}
realm home.co.uk {
        pool = home
        nostrip
}

realm newhome.co.uk {
        pool = home
        nostrip
}
realm LOCAL {
}
realm NULL {
}
home_server extserver00 {
        ipaddr = x.x.x.x
        port = 1812
        type = "auth+acct"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 60
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
}
home_server extserver01 {
        ipaddr = x.x.x.x
        port = 1812
        type = "auth+acct"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 60
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
}

home_server extserver02 {
        ipaddr = x.x.x.x
        port = 1812
        type = "auth+acct"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 60
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
}
home_server_pool ext {
        type = fail-over
        home_server = extserver00
        home_server = extserver01
        home_server = extserver02
}
realm DEFAULT {
        pool = ext
        nostrip
}
radiusd: #### Loading Clients ####
client localhost {
        ipaddr = 127.0.0.1
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "eduroam"
}
client isa1 {
        ipaddr = 1.1.1.1
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}

client isa2 {
        ipaddr = 2.2.2.2
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}
client isa3 {
        ipaddr = 3.3.3.3
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}
client tmg1 {
        ipaddr = 4.4.4.4
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}
client tmg2 {
        ipaddr = 5.5.5.5
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}
client extserver00 {
        ipaddr = x.x.x.x
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}
client extserver01 {
        ipaddr = x.x.x.x
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}

client extserver02 {
        ipaddr = x.x.x.x
        netmask = 32
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
        virtual_server = "noname"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
}
radiusd: #### Loading Virtual Servers ####
server eduroam {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
       ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }

Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }

Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
   }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating auth_log
  detail auth_log {
        detailfile = "/var/log/radius/radacct/auth-detail"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
Module: Linked to module rlm_realm
Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Instantiating detail
  detail {
        detailfile = "/var/log/radius/radacct/detail"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
Module: Checking pre-proxy {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.pre-proxy
  attr_filter attr_filter.pre-proxy {
        attrsfile = "/etc/raddb/attrs.pre-proxy"
        key = "%{Realm}"
  }

Module: Instantiating pre_proxy_log
  detail pre_proxy_log {
        detailfile = "/var/log/radius/radacct/pre-proxy-detail"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating post_proxy_log
  detail post_proxy_log {
        detailfile = "/var/log/radius/radacct/post-proxy-detail"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
Module: Instantiating attr_filter.post-proxy
  attr_filter attr_filter.post-proxy {
        attrsfile = "/etc/raddb/attrs"
        key = "%{Realm}"
  }
Module: Checking post-auth {...} for more modules to load
Module: Instantiating reply_log
  detail reply_log {
        detailfile = "/var/log/radius/radacct/reply-detail"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
} # modules
} # server
server {
modules {
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 5.5.5.5 port 35394, id=1, length=211
Received packet from 5.5.5.5 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.
Going to the next request
Waking up in 0.9 seconds.
Cleaning up request 0 ID 1 with timestamp +274
Ready to process requests.

Cheers for any help possible,
Andi
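The "invalid Message-Authenticator! (Shared secret is incorrect.)" line in the debug output is the result of one specific check: FreeRADIUS selects the client entry by the source address it sees on the packet (here 4.4.4.4, the tmg1 entry, because the requests are NATed) and recomputes the RFC 2869 Message-Authenticator, an HMAC-MD5 keyed with that entry's shared secret over the packet with the attribute's value zeroed. The script below is an added example, not code from the thread or from the FreeRADIUS project: it builds an Access-Request the way a sender would, then reproduces the server-side decision. The client table, secrets, addresses and usernames are constructed for the demonstration.

```python
"""Recompute and verify the RADIUS Message-Authenticator (RFC 2869, section 5.14).
Added example: the client table and secrets below are constructed and are not
the configuration from the thread."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 18  # type(1) + length(1) + 16-byte HMAC-MD5


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _find_attr(attrs, attr_type):
    """Offset of the first attribute of attr_type in the attribute block, or None."""
    off = 0
    while off + 2 <= len(attrs):
        a_type, a_len = attrs[off], attrs[off + 1]
        if a_len < 2 or off + a_len > len(attrs):
            raise ValueError("malformed attribute")
        if a_type == attr_type:
            return off
        off += a_len
    return None


def message_authenticator(code, ident, authenticator, attrs, secret):
    """HMAC-MD5 keyed with the shared secret over Code, Identifier, Length,
    Request Authenticator and all attributes, with the Message-Authenticator
    value replaced by 16 zero bytes."""
    off = _find_attr(attrs, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None or attrs[off + 1] != MA_LEN:
        raise ValueError("Message-Authenticator missing or wrong length")
    zeroed = attrs[:off + 2] + b"\x00" * 16 + attrs[off + MA_LEN:]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hmac.new(secret, header + authenticator + zeroed, hashlib.md5).digest()


def build_access_request(ident, username, nas_ip, secret, authenticator=None):
    """Build an Access-Request the way a NAS or proxy would, signed with *secret*."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = message_authenticator(ACCESS_REQUEST, ident, authenticator, attrs, secret)
    off = _find_attr(attrs, ATTR_MESSAGE_AUTHENTICATOR)
    attrs = attrs[:off + 2] + mac + attrs[off + MA_LEN:]
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def check_request(src_ip, packet, clients):
    """Mirror the server-side decision: pick the client entry by the source
    address actually seen on the wire, then verify the HMAC with that entry's
    secret. Returns a short status string."""
    secret = clients.get(src_ip)
    if secret is None:
        return "unknown client"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed packet"
    authenticator, attrs = packet[4:20], packet[20:length]
    off = _find_attr(attrs, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None:
        return "no Message-Authenticator"
    expected = message_authenticator(code, ident, authenticator, attrs, secret)
    if hmac.compare_digest(expected, attrs[off + 2:off + MA_LEN]):
        return "ok"
    return "invalid Message-Authenticator (shared secret is incorrect)"


# Constructed client table: the entry for the NAT address is what gets matched,
# regardless of which host behind the NAT originally built the packet.
CLIENTS = {"4.4.4.4": b"testing123", "1.1.1.1": b"testing123"}


def demo():
    good = build_access_request(1, "user@home.co.uk", "1.1.1.1", b"testing123")
    wrong = build_access_request(1, "user@home.co.uk", "1.1.1.1", b"Testing123")
    return (check_request("4.4.4.4", good, CLIENTS),
            check_request("4.4.4.4", wrong, CLIENTS),
            check_request("9.9.9.9", good, CLIENTS))


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Running it prints "ok" for a packet signed with the secret stored for the matched client entry, the "invalid Message-Authenticator" status when the sender signed with anything else (a single character difference, trailing whitespace, or a different secret configured on the sending side all produce the same result), and "unknown client" for a source address absent from the table. Comparing the HMAC with `hmac.compare_digest` rather than `==` avoids leaking the mismatch position through timing.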