Command radtest test testing1234294106 127.0.0.1 18120 testing123
below is the output getting
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812 length 90
User-Name = "test"
User-Password = "testing1234294106"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "testing1234294106"
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812 length 90
User-Name = "test"
User-Password = "testing1234294106"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "testing1234294106"
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812 length 90
User-Name = "test"
User-Password = "testing1234294106"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "testing1234294106"
(0) No reply from server for ID 176 socket 3
No reply, is frustrating. So here are general steps to diagnose a No reply situation. At the end of this post, I point out the solution to the OP's original question.
Diagnosis Steps
If you get "No reply" from radtest, the first step is check the output of radiusd (which you need to have running in debug mode with cmd radiusd -X).
This will help you diagnose whether the request is being ignored or if the request isn't even making it to radiusd.
Radiusd Ignoring Request
In radiusd, if you see a message telling you that the request was "Ignored", read the reason for it being ignored and resolve the problem.
Radiusd With No Output
Alternatively, if radiusd -X doesn't show any output after attempting to connect, then most likely your request isn't even making it to the radiusd listener. This could happen if you're specifying an invalid ip address or port, or if a firewall is blocking the request, or if there's a routing problem.
NOTE: I noticed that some default configurations run the radius server auth port on 18120 instead of 1812. Double check the listener port number by checking the output of radiusd -X. The very end of the output should say "Listening for connections on..." followed by the IP Address and Port.
Solution to OP's problem
The Op's radtest command is incorrectly formatted. It says
radtest test testing1234294106 127.0.0.1 18120 testing123
The correct format is:
radtest test testing1234294106 127.0.0.1:18120 0 testing123
You can check this by running 'radtest --help'. The format for the ip port portion is "ip:port nas-port". In this case the nas-port can be 0.
You can also see, that since the port wasn't specified, the resulting request goes out on the default port 1812 (when it should have been 18120):
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812
I don't know why the out-of-box configuration for freeRadius uses 18120 for testing. But I think this throws a lot of people off. Especially since radtest syntax normally reads: ip:18120 0 (note the separated 0s).
Related
I'm trying to create an authentification using Freeradius 3 with the MS_CHAP authentification protocol. I set up my active directory. It works:
$ ntlm_auth --request-nt-key --username=admin --password=Qwerty01 --domain=DOMAIN.LOCAL
NT_STATUS_OK: The operation completed successfully. (0x0)
However, I can't authenticate using radtest:
$ radtest -t mschap admin Qwerty01 localhost 0 testing123
Sent Access-Request Id 232 from 0.0.0.0:51847 to 127.0.0.1:1812 length 131
User-Name = "admin"
MS-CHAP-Password = "Qwerty01"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "Qwerty01"
MS-CHAP-Challenge = 0x044d30abb8866f26
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000803c721e5b12ff86836a1873e1c0f62d18e2c054b83c940f
Received Access-Reject Id 232 from 127.0.0.1:1812 to 127.0.0.1:51847 length 61
MS-CHAP-Error = "\000E=691 R=1 C=f25227a7f4150df5 V=2"
(0) -: Expected Access-Accept got Access-Reject
Here is my freeradius logs:
...
(1) authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: Executing: /bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(1) mschap: EXPAND --username=%{mschap:User-Name:-None}
(1) mschap: --> --username=admin
(1) mschap: ERROR: No NT-Domain was found in the User-Name
(1) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL}
(1) mschap: --> --domain=DOMAIN.LOCAL
(1) mschap: mschap1: 04
(1) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(1) mschap: --> --challenge=044d30abb8866f26
(1) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(1) mschap: --> --nt-response=803c721e5b12ff86836a1873e1c0f62d18e2c054b83c940f
(1) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(1) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
(1) mschap: Authentication failed
...
If you haven't already done so, you will need to grant permission to the /var/lib/samba/winbindd_privileged folder for your radius user. Example:
setfacl -m u:radiusd:rx winbindd_privileged
I've got a build of the OpenVPN3 client library (https://github.com/OpenVPN/openvpn3) connecting to an OpenVPN 2 server (2.4.4). This is working for my mac and windows builds, but failing when the client is iOS.
The iOS client appears to connect, in the sense that I get my custom up script invoked and I can see what I assume are keepalive/heartbeat packets going back and forth between client and server. The client doesn't time out as long as these packets are allowed to continue. However, as soon as the client attempts to access any web page over the tunnel, I get packets dropped on the server side with errors like the following:
Fri Mar 15 20:08:27 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=10 seenFri Mar 15 20:08:28 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=7 seen
Fri Mar 15 20:08:29 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=5 seen
Fri Mar 15 20:08:30 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=9 seen
Fri Mar 15 20:08:31 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=8 seen
Fri Mar 15 20:08:32 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=2 seen
Fri Mar 15 20:08:34 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=13 seen
Fri Mar 15 20:08:38 2019 11e9-475e-04b1a640-b6f1-dda173e0051f/10.101.172.10:65334 IP packet with unknown IP version=7 seen
I'm using the same server and client configs for iOS as I was using when the client was Mac and Windows.
Server configs:
port 1194
proto udp
dev tun
ca /opt/certs/ca-cert.pem
cert /opt/certs/server.pem
key /opt/certs/server-key.pem
dh /opt/certs/dh2048.pem
tls-auth /opt/certs/ta.key 0
server 10.8.0.0 255.255.0.0
keepalive 5 15
verb 3
script-security 3
client-connect "/usr/local/bin/sdp-updown"
client-disconnect "/usr/local/bin/sdp-updown"
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
Client configs:
dev tun
proto udp
remote ... server and port omitted
remote-cert-tls server
key-direction 1
server-poll-timeout 5
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
comp-lzo
... routes omitted
<ca>
... CA omitted
</ca>
<cert>
... cert omitted
</cert>
<key>
... private key omitted
</key>
<tls-auth>
... OpenVPN static key omitted
</tls-auth>
I've tried a number of different settings for cipher and tls-cipher. When those settings are set to values that are supported on both sides I can get connected, but get the same IP packet with unknown IP version error. Obviously when either cipher or tls-cipher isn't supported on either server or client we fail to negotiate TLS and don't get connected at all.
I found a number of troubleshooting forum posts regarding this error and most of them are resolved by setting the compression settings to the same value on both ends. My iOS client build seems to think that it has no ability to perform compression, even though I think I've linked successfully against the LZ4 library. I compiled the LZ4 library for iOS, and included the LZ4=1 when building a dylib for OpenVPN itself. However, when the iOS client connects it reports settings like:
ENV[IV_AUTO_SESS] = 1
ENV[IV_COMP_STUBv2] = 1
ENV[IV_COMP_STUB] = 1
ENV[IV_LZO_STUB] = 1
ENV[IV_PROTO] = 2
ENV[IV_TCPNL] = 1
ENV[IV_NCP] = 2
ENV[IV_PLAT] = ios
ENV[IV_VER] = 3.1.2
I notice that this does not include IV_LZ4, which I take to mean that the client thinks it can't perform compression. That said, even when my configs include disabled compression I get the same results. I tried omitting any compression setting at all, comp-lzo no, compress stub, and compress stub-v2. None of these resulted in any different behavior.
My questions are thus:
What could be the cause of my IP packet with unknown IP version errors when actually sending packets over the data channel?
If what I'm seeing is actually a compression setting error, how do I convince OpenVPN to disable compression entirely? Alternatively, what have I done wrong to link LZ4 into my iOS OpenVPN dylib?
I'm trying to connect from Jenkins (docker container) to a windows server (VM) running a Cygwin sshd. The problem I'm facing is that (seemingly) at random I can or cannot connect. This is both with the 'SSH Plugin' (username/password) and via shell SSH command (key pair).
From Jenkins the debug information tells me:
debug1: connect to address [serverIP] port 22: Connection refused
When it isn't working the sshd log tells me:
debug1: fd 4 clearing O_NONBLOCK
debug1: Forked child 1128.
debug3: send_rexec_state: entering fd = 7 config len 232
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from [clientIP] port 59440 on 0.0.0.0 port 22
Could not write ident string to [clientIP] port 59440
When it is working I get the following in the sshd log:
debug1: fd 4 clearing O_NONBLOCK
debug1: Forked child 1708.
debug3: send_rexec_state: entering fd = 7 config len 232
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from [clientIP] port 56742 on [serverIP] port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.4
Difference I'm seeing is the 0.0.0.0 instead of the serverIP but I cannot find why this is.
I've tried setting up a job that runs every 5 minutes to see if there was a pattern, but I could find none.
On the server I've made a wireshark trace these are the packages I get
Client to server: [SYN]
Client to server: [TCP Out-Of-Order] (same package as previous [SYN])
Server to client: [RST, ACK]
Client to server: [SYN, ACK]
Client to server: [TCP Retransmission] (same package as previous [SYN, ACK])
I'm a bit stumped on the "Could not write ident string to [clientIP]" message and I'm having some trouble finding more information about why this is happening.
Any help on troubleshooting this further or information on why this message is displayed is welcome.
"Connection refused" normally means the server isn't accepting connections to the IP address and port that you requested. The service that you're trying to connect to may not be listening for connections, or it may be listening to a different address and/or port.
"Connection refused" can also be caused by a firewall blocking connections. In your case, given that the service is logging an incoming connection but without the client IP address, my guess is that you have some kind of firewall or malware detection software running on the server, and it's interfering with these connection attempts.
You'll need to access this firewall software, figure out why it's blocking these connections, and configure it to stop interfering.
I have successfully configure freeradius with mysql.
i can radtest using command :
sudo radtest alice password 192.168.2.3 1812 testing123
Sending Access-Request of id 187 to 192.168.2.3 port 1812
User-Name = "alice"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now i try squid using radius authentication.
i followed step by step from :
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But i got error message log on cache.log
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
squid_rad_auth: No response from RADIUS server
On radius -X debug there is error message like bellow :
Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63
Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 0.9 seconds.
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {…}
[pap] login attempt with password “b9?I? +�(�Ч�Y�?”
[pap] Using clear text password “password”
[pap] Passwords don’t match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type REJECT
What is that error ? How i can solve this
Thanks
Snoop your generated Accessreq and try to decode the encrypted password using your shared secret with wireshark. Looks like your test client doesnt encode the password correct.
Make sure testing123 is correctly configured on server side.
Am running Nitrogen 2.0.X on Windows 7 Home Premium, HP Pavilion Entertainment PC Laptop.
Nitrogen starts with inets and i have failed to change or dictate the IP address of the webserver.
Once it starts, it tells me to go to my browser and hit http://localhost:8000 in the shell output below:
erl -make
Starting Nitrogen on Inets (http://localhost:8000)...
Eshell V5.8.4 (abort with ^G)
Hitting the link in almost all available browsers shows that page could not be found. When i ask the emulator about the ports, this is its output:
(motv#josh.ekampus.internal)1> inet:i().
Port Module Recv Sent Owner Local Address Foreign Address State
3109 inet6_tcp 0 0 *:8000 *:* ACCEPTING
618 inet_tcp 0 0 *:9543 *:* ACCEPTING
637 inet_tcp 4 19 localhost:9544 localhost:4369 CONNECTED
Port Module Recv Sent Owner Local Address Foreign Address State
ok
(motv#josh.ekampus.internal)2>
Am having a strong thought that inet6_tcp means that its using IPv6 while inet_tcp means IPv4, not very sure about this. But all in all, i cannot connect to my Nitrogen. These below are the running applications
(motv#josh.ekampus.internal)2> application:which_applications().
[{quickstart,"Nitrogen Quickstart",[]},
{inets,"INETS CXC 138 49","5.6"},
{nprocreg,"NProcReg - Simple Erlang Process Registry.",
"0.1"},
{stdlib,"ERTS CXC 138 10","1.17.4"},
{kernel,"ERTS CXC 138 10","2.14.4"}]
(motv#josh.ekampus.internal)3>
Can someone explain why i cannot Reach my Local Nitrogen Framework by just hitting http://localhost:8000 in the browser, given the observations above? And, how can i connect to it from my browser?
Some guesses:
Did you try http://127.0.0.1:8000 ?
If that doesn't work, can you startup erlang with forced ip4 support (i think):
-proto_dist inet_tcp