Accounting-Request packet shared secret fail (Alan DeKok)

Kevin Virk Kevin.Virk at faithlife.com
Wed Aug 8 17:38:44 CEST 2018


Thank you Alan DeKok. I will go recheck my configs!

________________________________
From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com at lists.freeradius.org> on behalf of freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
Sent: Wednesday, August 8, 2018 3:00 AM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 160, Issue 10

Send Freeradius-Users mailing list submissions to
freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

1. Re: Dynamic vlan assignment (Deepak Sehrawat)
2. Re: Dynamic vlan assignment (Alan DeKok)
3. Re: ldap module for user and mac authentication (Alan DeKok)
4. Re: ldap module for user and mac authentication (Dave Macias)
5. Accounting-Request packet shared secret fail (Kevin Virk)
6. Re: Accounting-Request packet shared secret fail (Alan DeKok)


----------------------------------------------------------------------

Message: 1
Date: Tue, 7 Aug 2018 22:38:47 +0530
From: Deepak Sehrawat <d.sehrawat at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Dynamic vlan assignment
Message-ID: <A1C9AE51-ED3D-4394-9887-274F1A2F210B at gmail.com>
Content-Type: text/plain; charset=us-ascii


Can we configure it via MySQL as well?


> On 07-Aug-2018, at 5:19 PM, Elias Pereira <empbilly at gmail.com> wrote:
>
> You can configure it in the post-auth option of the sites-enable/default
> configuration file.
>
> E.g:
>
> ...
> # run the ldap module first so that Ldap-Group can be checked below
> ldap
> if (Ldap-Group == "CN=ADM,OU=GRUPOS,DC=mycompany,DC=intra") {
>     update reply {
>         &Tunnel-Type = VLAN
>         &Tunnel-Medium-Type = IEEE-802
>         &Tunnel-Private-Group-Id = "51"
>     }
> }
> elsif (Ldap-Group == "CN=ALUNOS,OU=GRUPOS,DC=mycompany,DC=intra") {
>     update reply {
>         &Tunnel-Type = VLAN
>         &Tunnel-Medium-Type = IEEE-802
>         &Tunnel-Private-Group-Id = "40"
>     }
> }
> elsif ...
> ...
>
> On Tue, Aug 7, 2018 at 8:05 AM aseem kaushal <aseemkaushal91 at gmail.com>
> wrote:
>
>> Need to configure freeradius for dynamic vlan assignment. What could be the
>> various methods for the above?
>> Thanks in advance.
>>
>>
>> Regards
>> -Aseem Kaushal
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>
> --
> Elias Pereira
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



------------------------------

Message: 2
Date: Tue, 7 Aug 2018 14:16:32 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Dynamic vlan assignment
Message-ID: <EC8BA115-117B-408F-ADB3-C81489452CA3 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii

On Aug 7, 2018, at 1:08 PM, Deepak Sehrawat <d.sehrawat at gmail.com> wrote:
>
> Can we configure it via MySQL as well?

The documentation has lots of information on how the SQL module works.

Read it. Ask questions if you don't understand.

Alan DeKok.



------------------------------

Message: 3
Date: Tue, 7 Aug 2018 15:08:48 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID: <76519810-BEB1-40AC-A1E2-A3E6FA28B6E6 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii

On Aug 7, 2018, at 11:50 AM, Dave Macias <davama at gmail.com> wrote:
> On the SLAVE, I am able to use the ldap module to auth a mac address
> On the MASTER, i am also able to auth a mac but by doing something like the
> links below:
> http://lists.freeradius.org/pipermail/freeradius-users/2015-April/076948.html
> http://lists.freeradius.org/pipermail/freeradius-users/2018-August/092319.html
>
> Is there a way on the MASTER to use the ldap module to also auth macs?

You can do any kind of LDAP query in FreeRADIUS. Why not just do the same %{ldap:...} checks there?

Alan DeKok.




------------------------------

Message: 4
Date: Tue, 7 Aug 2018 16:04:10 -0400
From: Dave Macias <davama at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: ldap module for user and mac authentication
Message-ID:
<CA+nFYV-f2c+ZB4k7WxPf_tznrc3hdRb_WB+DCTAzqvT7Y6D_oA at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Thank you for the reply Alan!


> You can do any kind of LDAP query in FreeRADIUS. Why not just do the
> same %{ldap:...} checks there?
>

Yes, I had thought of something to the effect of (suggestions welcome):

if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
    if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
        reject
    }
}
update {
    control:Auth-Type := Accept
}

But this does not account for the scenario of openldap being dead.
The 1st "if" statement will always be FALSE and never attempt the next
"if" statement, and therefore 'Accept'.

We currently use do_not_respond in conjunction with the ldap module so that
radius never responds if openldap were down:
http://lists.freeradius.org/pipermail/freeradius-users/2018-May/091477.html

The nice feature of the module is that you can configure multiple ldap
servers. If one fails then it will automatically try the next and so forth.

mods-enabled/ldap
ldap {
    server = host1    # <- this one is dead
    server = host2    # <- this one is alive so use this one in the query
    ...
}

Unless there is a way to query the "live" ldap server which the ldap module
found %{ldap:ldap://%{live.ldap.server}/...} , if that makes sense



Thanks!


------------------------------

Message: 5
Date: Tue, 7 Aug 2018 22:04:17 +0000
From: Kevin Virk <Kevin.Virk at faithlife.com>
To: "freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject: Accounting-Request packet shared secret fail
Message-ID: <1533679457716.32160 at faithlife.com>
Content-Type: text/plain; charset=WINDOWS-1252

I am having an issue with configuring my cisco switch to authenticate with freeradius. My secret is the same on both sides but I keep getting an error that the shared secret is not correct. I did a tcpdump of the traffic and then opened it in wireshark to see. The password is coming through encrypted as I would expect. Could this encrypted password be the reason that I am not able to authenticate? Side note: Using wpa_supplicant and eapol_test I was able to get a successful test. The only non-success is this cisco switch.

ready to process requests.
rad_recv: Accounting-Request packet from host 172.17.17.227 port 49181, id=0, length=97
Received Accounting-Request packet from client 172.17.17.227 with invalid Request Authenticator! (Shared secret is incorrect.) Dropping packet without response






------------------------------

Message: 6
Date: Tue, 7 Aug 2018 18:24:30 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Accounting-Request packet shared secret fail
Message-ID: <D7FE269D-82BB-4365-A2A5-170524AF30E2 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii

On Aug 7, 2018, at 6:04 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
>
> I am having an issue with configuring my cisco switch to authenticate with freeradius. My secret is the same on both sides but I keep getting error that the shared secret is not correct.

Then the shared secret isn't correct.

> I did a tcpdump of the traffic and then opened it in wireshark to see. The password is coming through encrypted as I would expect. Could this encrypted password be the reason that I am not able to authenticate?

The password is encrypted with the shared secret. If the shared secret is wrong, then FreeRADIUS can't decrypt the password.

> Side note: Using wpa_supplicant and eapol_test I was able to get a successful test. The only non-success is this cisco switch.

Likely because they're using different IP addresses.

Are you editing the "client" configuration for the Cisco switch?

Have you tried setting the shared secret to something like "hello" ?

TBH, your choices here are:

a) the Cisco firmware works for everyone else, but not for you

b) FreeRADIUS works for everyone else, but not for you

c) you're entering the wrong shared secret, or maybe the correct shared secret, but in the wrong place.

Alan DeKok.
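
Alan's point is that both checks Kevin is tripping over are keyed on the shared secret: the Request Authenticator that FreeRADIUS verifies on every Accounting-Request (RFC 2866 section 3) and the User-Password hiding in an Access-Request (RFC 2865 section 5.2). The script below is an added example, not code from this thread or from FreeRADIUS. It builds a constructed Accounting-Request the way a NAS would, recomputes the authenticator under the secret from clients.conf and the secret typed on the switch to show which one a captured packet was actually built with, and round-trips a User-Password through the hiding scheme to show why a wrong secret yields unrelated bytes rather than a readable password. The NAS address, secrets, attribute values and the helper names are all constructed for the example.

```python
"""Added example (not from the thread or FreeRADIUS): why a wrong RADIUS shared
secret produces "invalid Request Authenticator" and an undecryptable password.
All addresses, secrets and attribute values below are constructed samples."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (RFC 2865 section 3)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_accounting_request(ident, attrs, secret):
    """RFC 2866 section 3: Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + request attributes + shared secret). The secret is mixed
    in but never transmitted, so the receiver can only recompute the value
    if it holds the same secret for this client."""
    body = encode_attrs(attrs)
    header = HEADER.pack(ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def accounting_authenticator_ok(packet, secret):
    """The check FreeRADIUS performs before answering an Accounting-Request;
    a failure is what produces the "Shared secret is incorrect" log line."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCOUNTING_REQUEST or length > len(packet):
        return False
    received = packet[4:20]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(received, expected)


def matching_secret(packet, candidates):
    """Troubleshooting helper (constructed name): given the secret configured in
    clients.conf and the one typed on the NAS, report which of them the captured
    packet was built with. Returns the matching secret or None."""
    for secret in candidates:
        if accounting_authenticator_ok(packet, secret):
            return secret
    return None


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2 User-Password hiding: each 16-octet block is XORed
    with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation keyed on the shared secret, not
    encryption under a per-session key."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password. With the wrong secret the XOR stream differs,
    so the server recovers unrelated bytes and then fails to match them against
    the user's stored credential."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def demo():
    nas_secret = b"testing123"       # constructed: what was typed on the switch
    server_secret = b"testing1234"   # constructed: what clients.conf holds
    attrs = [
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),        # Start
        (ATTR_NAS_IP_ADDRESS, bytes([172, 17, 17, 227])),     # constructed NAS
        (ATTR_ACCT_SESSION_ID, b"0000ABCD"),
    ]
    packet = build_accounting_request(0, attrs, nas_secret)
    server_view = accounting_authenticator_ok(packet, server_secret)
    culprit = matching_secret(packet, [server_secret, nas_secret])
    ra = os.urandom(16)
    hidden = hide_password(b"correct horse", nas_secret, ra)
    return (server_view, culprit,
            reveal_password(hidden, nas_secret, ra),
            reveal_password(hidden, server_secret, ra))


if __name__ == "__main__":
    ok, which, good, bad = demo()
    print("server accepts authenticator:", ok)
    print("secret the packet was built with:", which)
    print("password with right secret:", good)
    print("password with wrong secret:", bad)
```

Run against a real capture, the first thing to compare is which `client` stanza FreeRADIUS actually selected for the source IP (the NAS may be sending from an address other than the one the stanza names, which is Alan's point about eapol_test succeeding), and only then whether the secret in that stanza is the one the NAS was given.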




------------------------------

Subject: Digest Footer

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

------------------------------

End of Freeradius-Users Digest, Vol 160, Issue 10
*************************************************

