Freeradius: Configuration with MSCHAPv2 for Windows-Password and PAM for (Google)OTP - freeradius

I configured my FreeRADIUS 3.0 to authenticate a user by username and password against our Active Directory using the ntlm_auth module successfully.
Then I added the following code to my default site:
if (!State) {
    update control {
        Auth-Type := ntlm_auth
    }
}
else {
    update control {
        Auth-Type := pam
    }
}
and changed the section for ntlm_auth in the same file to:
Auth-Type ntlm_auth {
    ntlm_auth
    if (ok) {
        update reply {
            # Create a random State attribute:
            State := "%{randstr:aaaaaaaaaaaaaaaa}"
            Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
        }
        # Return Access-Challenge:
        challenge
    }
}
This worked fine, but used plaintext passwords.
So I changed the configuration on my gateway (VPN) to send MSCHAPv2 instead of plaintext.
I changed ntlm_auth to mschapv2 in the config, but now I only get the MSCHAPv2 response and no response with the OTP-PIN to the challenge request.
Log (Debug):
(0) Received Access-Request Id 73 from 212.99.164.134:10057 to 10.1.56.3:1812 length 188
(0) NAS-Identifier = "HAM-FW-02"
(0) User-Name = "USERnameSent"
(0) MS-CHAP2-Response = 0x1c009ddc9d60c7a00ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0) MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(0) NAS-Port-Type = Virtual
(0) Calling-Station-Id = "46.114.1.229"
(0) Acct-Session-Id = "17f2146e"
(0) Connect-Info = "vpn-ssl"
(0) Fortinet-Vdom-Name = "0010647802"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: EXPAND %t
(0) auth_log: --> Fri Mar 26 06:36:08 2021
(0) [auth_log] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "USERnameSent", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 202
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) if (!State) {
(0) if (!State) -> TRUE
(0) if (!State) {
(0) update control {
(0) Auth-Type := ntlm_auth
(0) } # update control = noop
(0) } # if (!State) = noop
(0) ... skipping else: Preceding "if" was taken
(0) } # authorize = ok
(0) Found Auth-Type = ntlm_auth
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type ntlm_auth {
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=USERnameSent
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=0b0349cd8aa9407c
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0) mschap: Program returned code (0) and output 'NT_KEY: 5796EA7F02A7060169CD28DE40DD6165'
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0) [mschap] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update reply {
(0) EXPAND %{randstr:aaaaaaaaaaaaaaaa}
(0) --> 9o91xD3qIywz6TTH
(0) State := 0x396f3931784433714979777a36545448
(0) Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0) } # update reply = noop
(0) policy challenge {
(0) update control {
(0) &Response-Packet-Type = Access-Challenge
(0) } # update control = noop
(0) [handled] = handled
(0) } # policy challenge = handled
(0) } # if (ok) = handled
(0) } # Auth-Type ntlm_auth = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 73 from 10.1.56.3:1812 to 212.99.164.134:10057 length 0
(0) MS-CHAP2-Success = 0x1c533d33323442453233423243323435354244304539344338433737383335303142393346453232463037
(0) MS-MPPE-Recv-Key = 0x6d7dcf451b9c724308f1a01c9b1a7dcc
(0) MS-MPPE-Send-Key = 0xa993f3f27c1f6d5e8b192b9962de7bc4
(0) MS-MPPE-Encryption-Policy = Encryption-Allowed
(0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) State := 0x396f3931784433714979777a36545448
(0) Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 73 with timestamp +11
Ready to process requests
(1) Received Access-Request Id 74 from 212.99.164.134:24581 to 10.1.56.3:1812 length 206
(1) NAS-Identifier = "HAM-FW-02"
(1) State = 0x396f3931784433714979777a36545448
(1) User-Name = "USERnameSent"
(1) MS-CHAP2-Response = 0x1c003635363333340ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(1) MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(1) NAS-Port-Type = Virtual
(1) Calling-Station-Id = "46.114.1.229"
(1) Acct-Session-Id = "17f2146e"
(1) Connect-Info = "vpn-ssl"
(1) Fortinet-Vdom-Name = "0010647802"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: EXPAND %t
(1) auth_log: --> Fri Mar 26 06:36:16 2021
(1) [auth_log] = ok
(1) [chap] = noop
(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(1) [mschap] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "USERnameSent", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 202
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) if (!State) {
(1) if (!State) -> FALSE
(1) else {
(1) update control {
(1) Auth-Type := pam
(1) } # update control = noop
(1) } # else = noop
(1) } # authorize = ok
(1) Found Auth-Type = pam
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Auth-Type pam {
(1) pam: Attribute "User-Password" is required for authentication
(1) [pam] = invalid
(1) } # Auth-Type pam = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> USERnameSent
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 74 from 10.1.56.3:1812 to 212.99.164.134:24581 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 74 with timestamp +19
Ready to process requests
Any ideas how I can send the challenge response to my PAM module to authenticate this PIN against Google Authenticator? The response seems to be missing, or I may have to set {user-password} = {response-value} somewhere??
Thanks a lot!
Best regards,
Andreas
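The MS-CHAP2-Response value in each Access-Request has a fixed RFC 2548 layout (Ident, Flags, a 16-byte Peer-Challenge, 8 reserved bytes, a 24-byte NT-Response), and the 8-byte value rlm_mschap hands to ntlm_auth as --challenge is the RFC 2759 ChallengeHash over Peer-Challenge, MS-CHAP-Challenge and the user name. The Python script below is an added example, not code from the post or from FreeRADIUS: it decodes the two responses copied verbatim from the debug log above, compares them, and recomputes the challenge hash (the only assumption is that rlm_mschap hashed the user name exactly as it logged it, "USERnameSent"). What it makes visible is the reason rlm_pam fails in request (1): the NT-Response, a DES function of the NT hash and the challenge, is byte-for-byte identical in both requests, only the first six bytes of the Peer-Challenge differ in the second one, and nothing in either packet can be turned back into the User-Password attribute that rlm_pam requires.

```python
"""Decode the MS-CHAP2-Response values from the two Access-Requests in the debug
log above (RFC 2548 section 2.3.3 layout) and recompute the 8-byte challenge
rlm_mschap derives for ntlm_auth (RFC 2759 section 8.2 ChallengeHash).
Added example; not code from the original post or from FreeRADIUS."""
import hashlib

# Values copied verbatim from request (0) and request (1) in the log.
USER_NAME = "USERnameSent"          # name rlm_mschap printed in "Creating challenge hash"
AUTH_CHALLENGE = bytes.fromhex("e19eb24bf11796bbb66baab10741f1fb")   # MS-CHAP-Challenge
RESPONSE_REQ0 = bytes.fromhex(
    "1c009ddc9d60c7a00ed267291e4049fe8cae0000000000000000"
    "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")
RESPONSE_REQ1 = bytes.fromhex(
    "1c003635363333340ed267291e4049fe8cae0000000000000000"
    "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")
LOGGED_CHALLENGE = "0b0349cd8aa9407c"   # the "--challenge=" value rlm_mschap printed


def parse_mschap2_response(value: bytes) -> dict:
    """Split a 50-byte MS-CHAP2-Response value into its RFC 2548 fields:
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    if len(value) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(value)}")
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],   # DES(NT-hash, challenge); not reversible to a password
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    rlm_mschap strips any DOMAIN\\ prefix from the name first; there is none here."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def matches_logged_challenge() -> bool:
    """True if the recomputed hash equals the --challenge value logged for request (0)."""
    fields = parse_mschap2_response(RESPONSE_REQ0)
    return challenge_hash(fields["peer_challenge"], AUTH_CHALLENGE, USER_NAME).hex() == LOGGED_CHALLENGE


def compare_requests(first: bytes, second: bytes) -> dict:
    """Report what differs between the initial response and the one sent with the State."""
    a, b = parse_mschap2_response(first), parse_mschap2_response(second)
    changed = [i for i in range(16) if a["peer_challenge"][i] != b["peer_challenge"][i]]
    return {
        "same_nt_response": a["nt_response"] == b["nt_response"],
        "same_ident": a["ident"] == b["ident"],
        "changed_peer_challenge_bytes": changed,
        # The changed bytes rendered as text (errors="replace" keeps this safe for
        # arbitrary bytes); the post does not say what the NAS put there.
        "changed_bytes_as_text": bytes(b["peer_challenge"][i] for i in changed)
                                 .decode("ascii", errors="replace"),
    }


if __name__ == "__main__":
    print(compare_requests(RESPONSE_REQ0, RESPONSE_REQ1))
    print("challenge hash matches log:", matches_logged_challenge())
```

Run it as-is to see the comparison; the six changed Peer-Challenge bytes happen to be printable ASCII digits, but the NT-Response the NAS re-sent is unchanged, so the second request proves the same NT hash again rather than carrying anything rlm_pam could check.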

Related

Failed to authenticate to the freeradius server with added user

I was trying to test my freeRadius server in debug mode after building the source code on my Ubuntu VM.
I also use this official tutorial as the reference: https://wiki.freeradius.org/guide/basic-configuration-howto
My goal is:
Add a new user "testing", whose password is "password", to the freeradius config and successfully authenticate to the freeradius server as user "testing".
Below are the steps I have tried:
(1) I added the user info to the top line of "/usr/local/etc/raddb/users"
testing Cleartext-Password := "password"
I didn't make changes to "sudo nano /usr/local/etc/raddb/clients.conf"
(2) I started freeradius server in debug mode
sudo radiusd -X
and the server shows Ready to process requests
(3) I open a new terminal and tried to send the request with new user's info
radtest testing password localhost 0 testing123
The actual result is: Access-Reject
On the client side:
Sent Access-Request Id 128 from 0.0.0.0:41704 to 127.0.0.1:1812 length 77
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
Received Access-Reject Id 128 from 127.0.0.1:1812 to 127.0.0.1:41704 length 20
(0) -: Expected Access-Accept got Access-Reject
On the server side:
(1) Received Access-Request Id 128 from 127.0.0.1:41704 to 127.0.0.1:1812 length 77
(1) User-Name = "testing"
(1) User-Password = "password"
(1) NAS-IP-Address = 127.0.1.1
(1) NAS-Port = 0
(1) Message-Authenticator = 0xaf245c154458b4236bcca590799eeef4
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> TRUE
(1) if (&User-Name =~ /\.\./ ) {
(1) update request {
(1) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(1) } # update request = noop
(1) [reject] = reject
(1) } # if (&User-Name =~ /\.\./ ) = reject
(1) } # if (&User-Name) = reject
(1) } # policy filter_username = reject
(1) } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> testing
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 128 from 127.0.0.1:1812 to 127.0.0.1:41704 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 128 with timestamp +112
Can anyone tell me what is wrong with my steps?
Thanks!
I figured out that I had previously messed up the build process. I used `make deb` to build the package and then switched back to building from the source code. After a few hours of debugging, I now finally get the expected output.

How do I setup Kafka with SSL?

I am trying to run kafka in docker. It works with plaintext but does not work with SSL.
I performed SSL setup according to this documentation:
#!/bin/bash
# Step 1: broker key pair plus a self-signed placeholder certificate in the broker
# keystore (interactive: keytool prompts for the keystore password and the DN)
keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey
# Step 2: create the CA and import its certificate into both truststores
# (server.truststore.jks for the broker, client.truststore.jks for clients)
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
# Step 3: export a CSR for the broker key, sign it with the CA, then import the CA
# certificate and the signed broker certificate into the broker keystore.
# The CA key passphrase is passed on the command line here, where it is visible
# to other local users through the process list.
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
Then I copied all ssl stuff into /tmp/ssl/1/ directory.
Here is my docker-compose:
version: '2'
volumes:
  data-volume: {}
services:
  kafka:
    image: wurstmeister/kafka
    ports:
      - "9092:9092"
    environment:
      - KAFKA_ADVERTISED_HOST_NAME=127.0.0.1
      - KAFKA_ADVERTISED_PORT=9092
      - KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181
    volumes:
      - "/tmp/ssl/:/tmp/ssl/"
    depends_on:
      - zookeeper
  zookeeper:
    image: wurstmeister/zookeeper
    ports:
      - "2181:2181"
    environment:
      - KAFKA_ADVERTISED_HOST_NAME=zookeeper
server.properties
advertised.host.name = 127.0.0.1
advertised.listeners = null
advertised.port = 9092
alter.config.policy.class.name = null
alter.log.dirs.replication.quota.window.num = 11
alter.log.dirs.replication.quota.window.size.seconds = 1
authorizer.class.name =
auto.create.topics.enable = true
auto.leader.rebalance.enable = true
background.threads = 10
broker.id = -1
broker.id.generation.enable = true
broker.rack = null
client.quota.callback.class = null
compression.type = producer
connection.failed.authentication.delay.ms = 100
connections.max.idle.ms = 600000
connections.max.reauth.ms = 0
control.plane.listener.name = null
controlled.shutdown.enable = true
controlled.shutdown.max.retries = 3
controlled.shutdown.retry.backoff.ms = 5000
controller.socket.timeout.ms = 30000
create.topic.policy.class.name = null
default.replication.factor = 1
delegation.token.expiry.check.interval.ms = 3600000
delegation.token.expiry.time.ms = 86400000
delegation.token.master.key = null
delegation.token.max.lifetime.ms = 604800000
delete.records.purgatory.purge.interval.requests = 1
delete.topic.enable = true
fetch.purgatory.purge.interval.requests = 1000
group.initial.rebalance.delay.ms = 0
group.max.session.timeout.ms = 300000
group.max.size = 2147483647
group.min.session.timeout.ms = 6000
host.name =
inter.broker.listener.name = null
inter.broker.protocol.version = 2.2-IV1
kafka.metrics.polling.interval.secs = 10
kafka.metrics.reporters = []
leader.imbalance.check.interval.seconds = 300
leader.imbalance.per.broker.percentage = 10
listener.security.protocol.map = PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
listeners = PLAINTEXT://:9092,SSL://:9093
log.cleaner.backoff.ms = 15000
log.cleaner.dedupe.buffer.size = 134217728
log.cleaner.delete.retention.ms = 86400000
log.cleaner.enable = true
log.cleaner.io.buffer.load.factor = 0.9
log.cleaner.io.buffer.size = 524288
log.cleaner.io.max.bytes.per.second = 1.7976931348623157E308
log.cleaner.min.cleanable.ratio = 0.5
log.cleaner.min.compaction.lag.ms = 0
log.cleaner.threads = 1
log.cleanup.policy = [delete]
log.dir = /tmp/kafka-logs
log.dirs = /kafka/kafka-logs-935db2aeed2f
log.flush.interval.messages = 9223372036854775807
log.flush.interval.ms = null
log.flush.offset.checkpoint.interval.ms = 60000
log.flush.scheduler.interval.ms = 9223372036854775807
log.flush.start.offset.checkpoint.interval.ms = 60000
log.index.interval.bytes = 4096
log.index.size.max.bytes = 10485760
log.message.downconversion.enable = true
log.message.format.version = 2.2-IV1
log.message.timestamp.difference.max.ms = 9223372036854775807
log.message.timestamp.type = CreateTime
log.preallocate = false
log.retention.bytes = -1
log.retention.check.interval.ms = 300000
log.retention.hours = 168
log.retention.minutes = null
log.retention.ms = null
log.roll.hours = 168
log.roll.jitter.hours = 0
log.roll.jitter.ms = null
log.roll.ms = null
log.segment.bytes = 1073741824
log.segment.delete.delay.ms = 60000
max.connections.per.ip = 2147483647
max.connections.per.ip.overrides =
max.incremental.fetch.session.cache.slots = 1000
message.max.bytes = 1000012
metric.reporters = []
metrics.num.samples = 2
metrics.recording.level = INFO
metrics.sample.window.ms = 30000
min.insync.replicas = 1
num.io.threads = 8
num.network.threads = 3
num.partitions = 1
num.recovery.threads.per.data.dir = 1
num.replica.alter.log.dirs.threads = null
num.replica.fetchers = 1
offset.metadata.max.bytes = 4096
offsets.commit.required.acks = -1
offsets.commit.timeout.ms = 5000
offsets.load.buffer.size = 5242880
offsets.retention.check.interval.ms = 600000
offsets.retention.minutes = 10080
offsets.topic.compression.codec = 0
offsets.topic.num.partitions = 50
offsets.topic.replication.factor = 1
offsets.topic.segment.bytes = 104857600
password.encoder.cipher.algorithm = AES/CBC/PKCS5Padding
password.encoder.iterations = 4096
password.encoder.key.length = 128
password.encoder.keyfactory.algorithm = null
password.encoder.old.secret = null
password.encoder.secret = null
port = 9092
principal.builder.class = null
producer.purgatory.purge.interval.requests = 1000
queued.max.request.bytes = -1
queued.max.requests = 500
quota.consumer.default = 9223372036854775807
quota.producer.default = 9223372036854775807
quota.window.num = 11
quota.window.size.seconds = 1
replica.fetch.backoff.ms = 1000
replica.fetch.max.bytes = 1048576
replica.fetch.min.bytes = 1
replica.fetch.response.max.bytes = 10485760
replica.fetch.wait.max.ms = 500
replica.high.watermark.checkpoint.interval.ms = 5000
replica.lag.time.max.ms = 10000
replica.socket.receive.buffer.bytes = 65536
replica.socket.timeout.ms = 30000
replication.quota.window.num = 11
replication.quota.window.size.seconds = 1
request.timeout.ms = 30000
reserved.broker.max.id = 1000
sasl.client.callback.handler.class = null
sasl.enabled.mechanisms = [GSSAPI]
sasl.jaas.config = null
sasl.kerberos.kinit.cmd = /usr/bin/kinit
sasl.kerberos.min.time.before.relogin = 60000
sasl.kerberos.principal.to.local.rules = [DEFAULT]
sasl.kerberos.service.name = null
sasl.kerberos.ticket.renew.jitter = 0.05
sasl.kerberos.ticket.renew.window.factor = 0.8
sasl.login.callback.handler.class = null
sasl.login.class = null
sasl.login.refresh.buffer.seconds = 300
sasl.login.refresh.min.period.seconds = 60
sasl.login.refresh.window.factor = 0.8
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism.inter.broker.protocol = GSSAPI
sasl.server.callback.handler.class = null
security.inter.broker.protocol = PLAINTEXT
socket.receive.buffer.bytes = 102400
socket.request.max.bytes = 104857600
socket.send.buffer.bytes = 102400
ssl.cipher.suites = []
ssl.client.auth = none
ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
ssl.endpoint.identification.algorithm = https
ssl.key.password = [hidden]
ssl.keymanager.algorithm = SunX509
ssl.keystore.location = /tmp/ssl/1/server.keystore.jks
ssl.keystore.password = [hidden]
ssl.keystore.type = JKS
ssl.principal.mapping.rules = [DEFAULT]
ssl.protocol = TLS
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.location = /tmp/ssl/1/server.truststore.jks
ssl.truststore.password = [hidden]
ssl.truststore.type = JKS
transaction.abort.timed.out.transaction.cleanup.interval.ms = 60000
transaction.max.timeout.ms = 900000
transaction.remove.expired.transaction.cleanup.interval.ms = 3600000
transaction.state.log.load.buffer.size = 5242880
transaction.state.log.min.isr = 1
transaction.state.log.num.partitions = 50
transaction.state.log.replication.factor = 1
transaction.state.log.segment.bytes = 104857600
transactional.id.expiration.ms = 604800000
unclean.leader.election.enable = false
zookeeper.connect = zookeeper:2181
zookeeper.connection.timeout.ms = 6000
zookeeper.max.in.flight.requests = 10
zookeeper.session.timeout.ms = 6000
zookeeper.set.acl = false
zookeeper.sync.time.ms = 2000
server log:
[2019-04-29 13:12:33,935] INFO Awaiting socket connections on s0.0.0.0:9092. (kafka.network.Acceptor)
[2019-04-29 13:12:33,975] INFO [SocketServer brokerId=1001] Created data-plane acceptor and processors for endpoint : EndPoint(null,9092,ListenerName(PLAINTEXT),PLAINTEXT) (kafka.network.SocketServer)
[2019-04-29 13:12:33,975] INFO Awaiting socket connections on s0.0.0.0:9093. (kafka.network.Acceptor)
[2019-04-29 13:12:34,117] INFO [SocketServer brokerId=1001] Created data-plane acceptor and processors for endpoint : EndPoint(null,9093,ListenerName(SSL),SSL) (kafka.network.SocketServer)
[2019-04-29 13:12:34,122] INFO [SocketServer brokerId=1001] Started 2 acceptor threads for data-plane (kafka.network.SocketServer)
[2019-04-29 13:12:34,160] INFO [ExpirationReaper-1001-Produce]: Starting (kafka.server.DelayedOperationPurgatory$ExpiredOperationReaper)
[2019-04-29 13:12:34,162] INFO [ExpirationReaper-1001-Fetch]: Starting (kafka.server.DelayedOperationPurgatory$ExpiredOperationReaper)
[2019-04-29 13:12:34,163] INFO [ExpirationReaper-1001-DeleteRecords]: Starting (kafka.server.DelayedOperationPurgatory$ExpiredOperationReaper)
[2019-04-29 13:12:34,164] INFO [ExpirationReaper-1001-ElectPreferredLeader]: Starting (kafka.server.DelayedOperationPurgatory$ExpiredOperationReaper)
[2019-04-29 13:12:34,180] INFO [LogDirFailureHandler]: Starting (kafka.server.ReplicaManager$LogDirFailureHandler)
[2019-04-29 13:12:34,264] INFO Creating /brokers/ids/1001 (is it secure? false) (kafka.zk.KafkaZkClient)
/opt/kafka/client-ssl.properties:
security.protocol=SSL
ssl.truststore.location=/tmp/ssl/1/kafka.client.truststore.jks
ssl.truststore.password=test1234
I run the following:
/opt/kafka/bin/kafka-console-producer.sh --broker-list localhost:9093 --topic sample-sink-data --producer.config /opt/kafka/client-ssl.properties
and see this in the kafka server log:
[2019-04-29 13:28:13,654] INFO [SocketServer brokerId=1001] Failed authentication with /127.0.0.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
What am I missing?

EAP-PWD with FreeRADIUS 3.0.15 and Android phone

I installed FreeRADIUS-3.0.15 on Ubuntu 16.04.2 and set up the EAP-PWD configuration (files: eap, users).
With EAP-PWD,
I can get SUCCESS with the eapol_test tool, but I could NOT get my Android phone (v5.1.1 & 7.1.2) to pass the authentication process.
With the same settings, my Android phone passes authentication through TTLS and PEAP.
I've read the post
https://serverfault.com/questions/683897/eap-pwd-with-freeradius-3/683923#683923,
but it does not say whether EAP-PWD can actually work on Android phones with a FreeRADIUS server.
Are there any configurations I missed?
Does EAP-PWD need specific devices (e.g. AP, switch controller, etc.) to work?
The EAP-PWD settings in the file "eap" :
pwd {
    group = 19
    server_id = theserver@example.com
    fragment_size = 1020
    virtual_server = "inner-tunnel"
}
The failing RADIUS server log with my Android phone:
Ready to process requests
(0) Received Access-Request Id 19 from 192.168.1.1:65514 to 192.168.1.48:1812 length 113
(0) User-Name = "steve"
(0) NAS-Port-Type = Wireless-802.11
(0) Called-Station-Id = "00-0A-79-98-19-1F"
(0) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(0) NAS-IP-Address = 192.168.1.1
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0201000a017374657665
(0) Message-Authenticator = 0xfc142f419a003e1f32c49845e2b47148
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "steve", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x0920d2120922d68e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 19 from 192.168.1.48:1812 to 192.168.1.1:65514 length 0
(0) EAP-Message = 0x01020016041003e295427e4313c871b5357ea94cb0cd
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x0920d2120922d68e7c074922ee6197b2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 20 from 192.168.1.1:65515 to 192.168.1.48:1812 length 127
(1) User-Name = "steve"
(1) NAS-Port-Type = Wireless-802.11
(1) Called-Station-Id = "00-0A-79-98-19-1F"
(1) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(1) NAS-IP-Address = 192.168.1.1
(1) Framed-MTU = 1400
(1) State = 0x0920d2120922d68e7c074922ee6197b2
(1) EAP-Message = 0x020200060334
(1) Message-Authenticator = 0x957e6bdb393fe8c0829f734afa134684
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "steve", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry steve at line 73
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x0920d2120922d68e
(1) eap: Finished EAP session with state 0x0920d2120922d68e
(1) eap: Previous EAP request found for state 0x0920d2120922d68e, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PWD (52)
(1) eap: Calling submodule eap_pwd to process data
(1) eap: Sending EAP Request (code 1) ID 3 length 36
(1) eap: EAP session adding &reply:State = 0x0920d2120823e68e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 20 from 192.168.1.48:1812 to 192.168.1.1:65515 length 0
(1) EAP-Message = 0x010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x0920d2120823e68e7c074922ee6197b2
(1) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 19 with timestamp +59
(1) Cleaning up request packet ID 20 with timestamp +59
Ready to process requests
I've solved the problem after a long series of tests.
With the same system settings and environment, I just needed to replace the AP with another one (I think the problem was caused by some APs (or their firmware) not supporting EAP-PWD), and the problem was solved.

FreeRadius Live AP login User-Password blank?

I'm kinda new to FreeRADIUS. I managed to set up a server with rlm_rest enabled. My (first) goal is to log in with a username and password that is verified by an external API.
When I use radtest with a username and password, I get the following output on the server and receive an Access-Accept:
Sent Access-Request Id 155 from 0.0.0.0:46565 to 127.0.0.1:1812 length 90
User-Name = "username"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 10
Message-Authenticator = 0x00
Cleartext-Password = "password"
However, when I try to log in on a live AP (Linksys WAP300N) with RADIUS set up, the User-Password is not passed; see the server log output below:
Received Access-Request Id 184 from 192.168.1.8:49250 to 192.168.1.29:1812 length 181
User-Name = "admin"
NAS-IP-Address = 192.168.1.10
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "C0-56-27-8D-E4-61"
Calling-Station-Id = "44-00-10-D3-9B-BC"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a002b190017030100200f8d3de6cc2558d4ea01c8f5a5b4a7feb747c427121cfa5a837d1cdd4d552dbd
State = 0x3e453e88364f273bd4879022bb95e46c
Message-Authenticator = 0xecb9642bb2342557885edba46f52e0cc
Does this have anything to do with the server configuration? Or is the AP clearing the password for some reason? I'm trying to log in on an iPhone... maybe that is the issue?
thanks in advance
Stefan
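Both of the preceding posts come down to what is inside the EAP-Message attribute, so here is one decoder for the messages in their logs. It is an added example, not code from either post or from FreeRADIUS; the layouts follow RFC 3748 (EAP header, Identity, Nak, MD5-Challenge), RFC 5931 section 3.2.1 (the EAP-pwd-ID payload) and the EAP-TLS/PEAP flags byte, and the hex strings are copied verbatim from the logs. For the EAP-PWD post it shows the negotiation the server log narrates: the phone answers Identity "steve", the server offers MD5-Challenge, the phone NAKs it proposing type 52, and the server replies with an EAP-pwd-ID request for group 19 carrying the configured server_id. For the Linksys post it shows that the request is EAP type 25 (PEAP) wrapping a TLS application-data record: with PEAP the credentials travel inside the TLS tunnel and are never a User-Password attribute on the outer Access-Request.

```python
"""Decode the EAP-Message values from the two posts above: the EAP-PWD
negotiation with the Android phone (Identity, MD5-Challenge, Nak, EAP-pwd-ID)
and the Linksys/iPhone request (PEAP carrying a TLS record).  Added example,
not code from either post or from FreeRADIUS; layouts follow RFC 3748,
RFC 5931 section 3.2.1 (EAP-pwd-ID) and the EAP-TLS/PEAP flags byte."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS",
             25: "PEAP", 52: "PWD"}
PWD_EXCHANGES = {1: "ID", 2: "Commit", 3: "Confirm"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}

# Hex copied verbatim from the debug logs (EAP-PWD post: requests 0 and 1;
# Linksys post: the single Access-Request shown).
LOG_MESSAGES = {
    "pwd_identity_response": "0201000a017374657665",
    "pwd_md5_request": "01020016041003e295427e4313c871b5357ea94cb0cd",
    "pwd_nak_response": "020200060334",
    "pwd_id_request": "010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d",
    "linksys_peap_response": "020a002b19001703010020"
                             "0f8d3de6cc2558d4ea01c8f5a5b4a7feb747c427121cfa5a837d1cdd4d552dbd",
}


def parse_pwd(data: bytes) -> dict:
    """EAP-pwd payload: one exchange byte (L, M, 6-bit PWD-Exch) then, for the
    ID exchange, Group(2) RandomFn(1) PRF(1) Token(4) Prep(1) Identity(...)."""
    exch = data[0]
    out = {"pwd_exch": PWD_EXCHANGES.get(exch & 0x3F, exch & 0x3F),
           "length_included": bool(exch & 0x80), "more_fragments": bool(exch & 0x40)}
    if (exch & 0x3F) == 1:
        group, rand_fn, prf = struct.unpack("!HBB", data[1:5])
        out.update({"group": group, "random_function": rand_fn, "prf": prf,
                    "token": data[5:9].hex(), "prep": data[9],
                    "server_id": data[10:].decode("utf-8", "replace")})
    return out


def parse_tls_wrapper(data: bytes) -> dict:
    """EAP-TLS/TTLS/PEAP: flags byte (L=0x80 length present, M=0x40 more, S=0x20 start),
    optional 4-byte total length, then raw TLS record bytes."""
    flags = data[0]
    out = {"flags": {"length_included": bool(flags & 0x80),
                     "more": bool(flags & 0x40), "start": bool(flags & 0x20)}}
    tls = data[5:] if flags & 0x80 else data[1:]
    if len(tls) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", tls[:5])
        out["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                             "version": f"{major}.{minor}", "length": rlen}
    return out


def parse_eap(raw: bytes) -> dict:
    """Decode one complete EAP packet (Code, Identifier, Length, Type, Type-Data)."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(raw) < 5:
        return msg                      # Success/Failure carry no type
    etype, data = raw[4], raw[5:]
    msg["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        msg["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:
        msg["desired_types"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype == 4:
        msg["challenge"] = data[1:1 + data[0]].hex()   # Value-Size then Value
    elif etype == 52:
        msg.update(parse_pwd(data))
    elif etype in (13, 21, 25):
        msg.update(parse_tls_wrapper(data))
    return msg


def decode_log_messages() -> dict:
    """Decode every captured message; keys match LOG_MESSAGES."""
    return {name: parse_eap(bytes.fromhex(hx)) for name, hx in LOG_MESSAGES.items()}


if __name__ == "__main__":
    for name, msg in decode_log_messages().items():
        print(name, msg)
```

The decoder checks the EAP Length field against the bytes present, so it only accepts an EAP-Message that is complete in one RADIUS attribute; longer EAP packets are split across several EAP-Message attributes and would need to be concatenated first.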

ruby group collection via first letter in view in foreach

I have, for example, a collection with this data:
80 (0)
90 (0)
100 (0)
200 (0)
A2 (0)
A3 (0)
A4 (0)
A5 (0)
A6 (0)
A8 (0)
Allroad (0)
Cabriolet (0)
Coupe (0)
Q7 (0)
Quattro (0)
R8 (0)
RS4 (0)
RS6 (0)
S2 (0)
S3 (0)
S4 (0)
S5 (0)
S6 (0)
S8 (0)
TT (0)
V8 (D11) (0)
and this view:
.vip-offers#manufacturers-list
  .man-area
    %ul
      - @models.each do |car|
        %li
          = link_to "#{car.name} (#{car.get_cars_model_count(car.id)})", advanced_search_show_path(by_model: car.id), id: "link-blue", data: { no_turbolink: true }
So as you can see, I display all the data as a list, but I need to group it by the first letter of the name, for example:
8
80 (0)
9
90 (0)
1
100 (0)
2
200 (0)
A
A2 (0)
A3 (0)
A4 (0)
A5 (0)
A6 (0)
A8 (0)
Allroad (0)
etc...
I can't figure out how to select the first letter and group by it in the view... Maybe somebody has ideas?
.group_by is your friend:
@grouped_cars = cars.group_by { |one_record| one_record.name[0].to_s } # the block returns the first letter of the name
This code should create a hash structured as following:
{
'0' => [<Car id:12, name: '007'>],
'A' => [<Car id:13, name: 'Audi'>, <Car id:14, name: 'Audi RS5'>],
# etc.
}
Then in the view you can do:
%ul
  - @grouped_cars.each do |first_letter, cars|
    %li.first_letter= first_letter
    %ul
      - cars.each do |car|
        %li.one_car= car.name
You might want to add some stuff in the group_by block:
@grouped_cars = cars.group_by do |car|
  car.name[0].to_s.upcase # transforms 'a' into 'A'
end
I also noticed that you will probably lose the alphabetical order, because Hashes are not ordered. To solve this, you can do the following:
%ul
  - @grouped_cars.keys.sort.each do |letter|
    %li.first_letter= letter
    %ul
      - @grouped_cars[letter].each do |car|
        %li.one_car= car.name
Or check @DaniëlKnippers' comment on my answer.
