Freeradius-Users Digest, Vol 101, Issue 50

Rui Ribeiro ruyrybeyro at gmail.com
Mon Sep 23 19:49:51 CEST 2013


------------------------------

Message: 5
Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
From: paul trader <fliptop at igolinux.com>
To: freeradius-users at lists.freeradius.org
Subject: pap always returns noop for windows dialup authentication
Message-ID:
        <alpine.DEB.2.02.1309231213040.7006 at soundgarden.localdomain.local>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII


hi all - i've recently tried upgrading from v1 to v2.  on a centos 6.4 box
w/ all latest updates, i installed freeradius v2, added one username and
password to /etc/raddb/users:

test Cleartext-Password := "testing"

and the radtest command-line authentication works.  i then added one
client for our blade server to /etc/raddb/clients.conf:

client x.x.x.x {
   secret = xxxxx
   shortname = 3coms
}

substituting the correct ip and secret for the x's.

testing from my linux box w/ a modem, authentication works.  output from
radiusd -X shows all is well, my linux box receives an ip address and dns
servers.  relevant -X debug output shows:

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok

however, when trying to authenticate from a windows box, authentication
fails.  every time.  i've tried it from a windows xp machine and 2 windows
7 machines.  the debug output always says:

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject

i've been over and over everything a dozen times, have tried changing the
windows dialup security settings to use pap only, and also have tried
adding the following line to the users file:

Auth-Type = PAP

even though everything i've read said not to do that.  still doesn't work.
the only changes i've made to the default installation are to the users
and clients.conf files.  i have spent hours searching the internet for a
similar problem/solution and come up empty.  windows boxes will not
authenticate, pap always returns noop, and the user is rejected.

am i doing something glaringly wrong, or just going plain crazy?

regards, paul


------------------------------
Hi Paul,

You're not crazy for sure. The problem authenticating with Windows boxen is
that they only support MSCHAPv2…
kudos to Microsoft.

Regards,
Rui


On 23 September 2013 18:17, <freeradius-users-request at lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>       Switch    Ports (Alan DeKok)
>    2. FreeRadius Error " Access Rejected" Only On Some CISCO Switch
>       Ports (Daniel Baker)
>    3. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>       Switch    Ports (Daniel Baker)
>    4. EAP-TLS Authentication (arvind132 .)
>    5. pap always returns noop for windows dialup authentication
>       (paul trader)
>    6. Re: pap always returns noop for windows dialup authentication
>       (Phil Mayers)
>    7. Re: pap always returns noop for windows dialup authentication
>       (paul trader)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Sep 2013 09:18:28 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>         Switch  Ports
> Message-ID: <52403FA4.5090808 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Daniel Baker wrote:
> >   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
> >   [ldap] object not found
> > [ldap] search failed
>
>   What part of that is unclear?
>
> > What can I try to fix the authentication issues so that all ports are
> being successfully authenticated ?
>
>   Ensure that the people logging in have accounts in ldap.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 23 Sep 2013 20:39:44 +0700
> From: Daniel Baker <info at collisiondetection.biz>
> To: freeradius-users at lists.freeradius.org
> Subject: FreeRadius Error " Access Rejected" Only On Some CISCO Switch
>         Ports
> Message-ID: <524044A0.8000800 at collisiondetection.biz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
>
> Hi Guys, we are trying to get Free Radius to authenticate our users who
> connect through  a Cisco Small Business POE switch.
>
>
> When testing authentication with a shutdown / no shutdown command  on
> port fa/17  which has an IP phone connected to it we receive  the
> following errors:
>
> FREE RADIUS :
>
> [ldap]  expand: %{User-Name} -> root
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
> [ldap]  expand: dc=citlao,dc=local -> dc=citlao,dc=local
>    [ldap] ldap_get_conn: Checking Id: 0
>    [ldap] ldap_get_conn: Got Id: 0
>    [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
>    [ldap] object not found
> [ldap] search failed
>    [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user
> Failed to authenticate the user.
> Login incorrect (  [ldap] User not found): [root/trash] (from client
> LTC-ROUTER port 2)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> root
>   attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 12 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 12
> Sending Access-Reject of id 31 to 192.168.1.1 port 1645
> Waking up in 4.9 seconds.
> Cleaning up request 12 ID 31 with timestamp +10922
> Ready to process requests.
>
> CISCO POE SWITCH:
>
>
> SW-BN3-PoE(config-if)#shutdown
> SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17
>
> SW-BN3-PoE(config-if)#
> SW-BN3-PoE(config-if)#no shutdown
> SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP
> status Forwarding
> 23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
> 23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC
> 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or
> password in Radius server
> 23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
> 23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding,
> aggregated (3)
> 23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
> 23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC
> 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or
> password in Radius server, aggregated (1)
>
> However when we try the same test on a port  that has a PC connected to
> it we do not receive such an error.
>
> The CISCO switch says that we have the wrong user name and the Free
> Radius log says access rejected.  Why would this only be the case when
> a CISCO IP phone tries to authenticate?
>
> The Cisco switch port configurations are exactly the same and are as
> follows :
>
>   dot1x max-req 1
>   dot1x reauthentication
>   dot1x timeout quiet-period 30
>   dot1x mac-authentication mac-only
>   dot1x port-control auto
>   storm-control broadcast enable
>   storm-control broadcast level 10
>   storm-control include-multicast
>   spanning-tree portfast
>   macro description "no_ip_phone_desktop     | ip_phone_desktop"
>   switchport trunk allowed vlan add 100
>   macro auto smartport type ip_phone_desktop
>
> What can I try to fix the authentication issues so that all ports are
> being successfully authenticated ?
>
>
> Thanks for your assistance,
>
> Dan
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 23 Sep 2013 21:01:49 +0700
> From: Daniel Baker <info at collisiondetection.biz>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>         Switch  Ports
> Message-ID: <524049CD.6030303 at collisiondetection.biz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Thank you Alan I will pursue that line of inquiry further.
>
>
> On 9/23/2013 8:18 PM, Alan DeKok wrote:
> > Daniel Baker wrote:
> >>    [ldap] performing search in dc=citlao,dc=local, with filter
> (uid=root)
> >>    [ldap] object not found
> >> [ldap] search failed
> >    What part of that is unclear?
> >
> >> What can I try to fix the authentication issues so that all ports are
> being successfully authenticated ?
> >    Ensure that the people logging in have accounts in ldap.
> >
> >    Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> >
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 23 Sep 2013 20:15:14 +0530
> From: "arvind132 ." <arvindnb1 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: EAP-TLS Authentication
> Message-ID:
>         <CABNrktRU1J02n-yAmcpYj8rxq5Sg79NtUf=
> syrYXnj06ANk3UQ at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> I am facing some issues with 802.1x EAP-TLS Authentication.
> Please suggest any document which can help in better understanding on TLS
> Authentication.
> Thanks.
>
> ------------------------------
>
> Message: 5
> Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
> From: paul trader <fliptop at igolinux.com>
> To: freeradius-users at lists.freeradius.org
> Subject: pap always returns noop for windows dialup authentication
> Message-ID:
>         <alpine.DEB.2.02.1309231213040.7006 at soundgarden.localdomain.local>
> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>
>
> hi all - i've recently tried upgrading from v1 to v2.  on a centos 6.4 box
> w/ all latest updates, i installed freeradius v2, added one username and
> password to /etc/raddb/users:
>
> test Cleartext-Password := "testing"
>
> and the radtest command-line authentication works.  i then added one
> client for our blade server to /etc/raddb/clients.conf:
>
> client x.x.x.x {
>    secret = xxxxx
>    shortname = 3coms
> }
>
> substituting the correct ip and secret for the x's.
>
> testing from my linux box w/ a modem, authentication works.  output from
> radiusd -X shows all is well, my linux box receives an ip address and dns
> servers.  relevant -X debug output shows:
>
> ++[pap] returns updated
> Found Auth-Type = PAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "testing"
> [pap] User authenticated successfully
> ++[pap] returns ok
>
> however, when trying to authenticate from a windows box, authentication
> fails.  every time.  i've tried it from a windows xp machine and 2 windows
> 7 machines.  the debug output always says:
>
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
>
> i've been over and over everything a dozen times, have tried changing the
> windows dialup security settings to use pap only, and also have tried
> adding the following line to the users file:
>
> Auth-Type = PAP
>
> even though everything i've read said not to do that.  still doesn't work.
> the only changes i've made to the default installation are to the users
> and clients.conf files.  i have spent hours searching the internet for a
> similar problem/solution and come up empty.  windows boxes will not
> authenticate, pap always returns noop, and the user is rejected.
>
> am i doing something glaringly wrong, or just going plain crazy?
>
> regards, paul
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 23 Sep 2013 17:52:53 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: pap always returns noop for windows dialup authentication
> Message-ID: <524071E5.4090709 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 23/09/13 17:33, paul trader wrote:
>
> > am i doing something glaringly wrong, or just going plain crazy?
>
> It's difficult to say, because the debug you sent has all the useful
> bits trimmed out - like the original packet, and the full module
> processing chain.
>
> Send a full debug, and odds are someone will spot the issue.
>
> Most likely is that the Windows machine is sending a different format of
> username e.g. DOMAIN\user, so whatever database you're doing a lookup
> for the password or hash - SQL, LDAP, files - isn't matching. But that's
> a guess - post the full debug.
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 23 Sep 2013 13:19:04 -0400 (EDT)
> From: paul trader <fliptop at igolinux.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: pap always returns noop for windows dialup authentication
> Message-ID:
>         <alpine.DEB.2.02.1309231310440.7633 at soundgarden.localdomain.local>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
>
> PM:It's difficult to say, because the debug you sent has all the useful
> PM:bits trimmed out - like the original packet, and the full module
> PM:processing chain.
>
> hi phil - ok, here's the full debug for a successful request:
>
> rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37,
> length=133
>         User-Name = "test"
>         User-Password = "testing"
>         User-Password = "testing"
>         NAS-IP-Address = x.x.x.x
>         NAS-Identifier = "x.x.x.x"
>         NAS-Port = 2561
>         Acct-Session-Id = "167773864"
>         Service-Type = Login-User
>         Calling-Station-Id = "xxxxxxxxxx"
>         Called-Station-Id = "xxxxxxx"
>         NAS-Port-Type = Async
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry test at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "testing"
> [pap] User authenticated successfully
> ++[pap] returns ok
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 37 to x.x.x.x port 1812
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 37 with timestamp +676
>
>
> and here's the full output of a failed request:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35,
> length=121
>         User-Name = "test"
>         User-Password = "testing"
>         NAS-IP-Address = x.x.x.x
>         NAS-Identifier = "x.x.x.x"
>         NAS-Port = 2561
>         Acct-Session-Id = "167773862"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Calling-Station-Id = "xxxxxxxxxx"
>         Called-Station-Id = "xxxxxxx"
>         NAS-Port-Type = Async
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 172
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> test
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 35 to 64.214.93.3 port 1812
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 35 with timestamp +361
>
> from what i can see, the successful request finds the user's entry in the
> user table, but the failed request doesn't (and uses DEFAULT instead).
> but the usernames passed in seem to be the same.  i don't know, we've used
> freeradius for years and this is the 1st time i'm having a problem.
> weird.
>
> regards, paul
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 101, Issue 50
> *************************************************
>
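The two radiusd -X traces Paul posted in message 7 can be read mechanically, which is the point Phil makes about needing the full debug. The script below is an added example for this archive page, not code from FreeRADIUS or from anyone in the thread. It parses the two traces (copied from message 7 and trimmed to the lines the parser uses), pulls out the request attributes, each module's return code, the users entry that rlm_files matched, the Auth-Type that was found and the final reply, and then lists the request attributes that differ between the accepted and the rejected request. It only understands the FreeRADIUS 2.x debug line shapes that appear in this thread.

```python
import re

# Traces quoted in message 7 above, trimmed to the lines this parser uses
# (the poster had already masked addresses with x's).
SUCCESS_DEBUG = """\
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, length=133
        User-Name = "test"
        User-Password = "testing"
        User-Password = "testing"
        Service-Type = Login-User
++[chap] returns noop
++[mschap] returns noop
[files] users: Matched entry test at line 1
++[files] returns ok
++[pap] returns updated
Found Auth-Type = PAP
[pap] User authenticated successfully
++[pap] returns ok
Sending Access-Accept of id 37 to x.x.x.x port 1812
"""

FAIL_DEBUG = """\
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, length=121
        User-Name = "test"
        User-Password = "testing"
        Service-Type = Framed-User
        Framed-Protocol = PPP
++[chap] returns noop
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 35 to x.x.x.x port 1812
"""

# Line shapes from the FreeRADIUS 2.x debug output seen in this thread.
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')
RCODE_RE = re.compile(r'^\++\[([\w.]+)\] returns (\w+)$')
MATCH_RE = re.compile(r'^\[files\] users: Matched entry (\S+) at line (\d+)$')
AUTHTYPE_RE = re.compile(r'^Found Auth-Type = (\S+)$')
REPLY_RE = re.compile(r'^Sending (Access-\w+) of id (\d+)')
NOPASS_RE = re.compile(r'^\[pap\] WARNING! No "known good" password')


def parse_debug(text: str) -> dict:
    """Pull request attributes, module return codes, the matched users entry,
    the chosen Auth-Type and the final reply out of one request's trace."""
    info = {"attrs": {}, "rcodes": [], "matched_entry": None, "matched_line": None,
            "auth_type": None, "reply": None, "no_known_good_password": False}
    for line in text.splitlines():
        if m := ATTR_RE.match(line):
            # Attributes may repeat (the success trace carries User-Password
            # twice), so every attribute maps to a list of values.
            info["attrs"].setdefault(m.group(1), []).append(m.group(2).strip('"'))
        elif m := RCODE_RE.match(line):
            info["rcodes"].append((m.group(1), m.group(2)))
        elif m := MATCH_RE.match(line):
            info["matched_entry"], info["matched_line"] = m.group(1), int(m.group(2))
        elif m := AUTHTYPE_RE.match(line):
            info["auth_type"] = m.group(1)
        elif m := REPLY_RE.match(line):
            info["reply"] = m.group(1)
        elif NOPASS_RE.match(line):
            info["no_known_good_password"] = True
    return info


def diagnose(info: dict) -> list:
    """Plain-language findings about why the request was accepted or rejected."""
    rc = dict(info["rcodes"])  # last return code per module
    findings = []
    if "User-Password" in info["attrs"] and rc.get("chap") == rc.get("mschap") == "noop":
        findings.append("client sent User-Password: this is PAP, not CHAP or MS-CHAP")
    if info["matched_entry"]:
        findings.append(f"files matched users entry {info['matched_entry']} "
                        f"at line {info['matched_line']}")
    if info["no_known_good_password"] and rc.get("pap") == "noop":
        findings.append("pap returned noop: authorize supplied no Cleartext-Password "
                        "or other known-good password, so it set no Auth-Type")
    if info["reply"] == "Access-Reject" and info["auth_type"] is None:
        findings.append("rejected: no module set Auth-Type")
    elif info["auth_type"]:
        findings.append(f"authenticated via Auth-Type {info['auth_type']}")
    return findings


def compare_requests(a: dict, b: dict) -> dict:
    """Request attributes whose values differ between two traces."""
    keys = sorted(set(a["attrs"]) | set(b["attrs"]))
    return {k: (a["attrs"].get(k), b["attrs"].get(k))
            for k in keys if a["attrs"].get(k) != b["attrs"].get(k)}


if __name__ == "__main__":
    ok, bad = parse_debug(SUCCESS_DEBUG), parse_debug(FAIL_DEBUG)
    for label, info in (("successful", ok), ("failed", bad)):
        print(f"{label} request -> {info['reply']}")
        for finding in diagnose(info):
            print("  -", finding)
    print("attributes that differ between the two requests:")
    for name, (va, vb) in compare_requests(ok, bad).items():
        print(f"  {name}: {va} vs {vb}")
```

Run stand-alone it reports that both requests carry User-Password (so both are PAP, with chap and mschap returning noop), that the rejected request matched DEFAULT at line 172 instead of the test entry at line 1, that pap returned noop because authorize handed it no known-good password, and that the two requests differ in Service-Type, Framed-Protocol and the doubled User-Password. That is the shortlist of attributes to check against the check items on the user's entry and on any earlier entries in the users file; the trimmed debug in message 5 could not have shown it, which is why Phil asked for the full output.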