Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): - freeradius

I'm migrating a functioning freeradius install, version 2.2.8 on ubuntu 16.04 LTS, to version 3.0.16 on ubuntu 18.04 LTS.
I set up daloradius this time.
I've set up my clients.
I've set up my users.
I deliver DSL and do auth and assign static IP addresses.
I need radius to return the Framed-IP-Address attribute if required.
This is all in mysql and I need accounting to be stored in mysql also.
So far I'm getting this:
Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test#xxx.xxxx.xx/!yyyyyyyy!] (from client 999.888.777.666 port 268439551 cli xxxxxxadsfad-47:621)
Any suggestions?
Thank you.
G

Related

Dot1x not working, although LOG-s from freeradius return "Login OK"

I don't know where to look for this particular issue anymore. I have gone numerous times through the freeradius configuration and the configuration on the cisco switch, but I am just unable to find the problem.
My environment:
Ubuntu 20.04.5 LTS
FreeRADIUS Version 3.0.20
MariaDB 10.6.11
Cisco C2960X switch
Issue:
I have dot1x configured on Cisco C2960X switch.
On Ubuntu I have freeradius v3 up and running.
Freeradius is able to connect to the database, where my users are stored.
I am using EAP-TTLS/PAP.
Win10 laptop ethernet card (cable) is configured to use EAP-TTLS/PAP
When trying to connect Win10 laptop over the cable, I am asked to put in the user credentials, afterwards I have to accept the certificate and the authentication is in progress.
In the same time, when looking under Freeradius LOG-s, I get "Login OK" for the user, so user is accepted...great.
But on the Win10 laptop authentication fails, although Freeradius did accept the user.
When DEBUG-ing Freeradius, everything seems OK:
"Login OK: [user#domain.com] (from client sbl-3 port 50320 cli 38-2C-4A-XX-XX-XX via TLS tunnel)"
When DEBUG-ing C2960x switch, I see an error:
"dot1x-packet:[xxxx.xxxx.xxxx, Gi1/0/19] Added username in dot1x"
"dot1x-packet:[xxxx.xxxx.xxxx, Gi1/0/19] Dot1x did not receive any key data"
"dot1x-ev:[xxxx.xxxx.xxxx, Gi1/0/19] Received Authz fail (result: 2) for the client 0x87000405 (xxxx.xxxx.xxxx)"
"dot1x-sm:[xxxx.xxxx.xxxx, Gi1/0/19] Posting_AUTHZ_FAIL on Client 0x87000405"
But the funny thing is, I have another VM set up with freeradius v2, which connects to the same MariaDB as freeradius v3. With no changes made on the C2960X switch (port configuration, aaa etc.) except of course configuring the radius server to point to the other VM (freeradius v2), everything works great. I can see "Login OK" under the freeradius LOGs, and the Win10 laptop is authenticated and ready to use the wired connection.
It looks like, when using Freeradius v3, I have a problem in the last stage (authorization). But when using Freeradius v2, I have no issue and the Win10 laptop is authenticated and ready to use the wired connection.
I would really appreciate some help if someone ran into same issue.
Kind Regards, Tomaz
I compared the freeradius configuration on both VMs, for freeradius v2 and freeradius v3
I debugged freeradius
I debugged the C2960x switch
I recorded traffic with WireShark on the Win10 laptop

freeradius v3.0.21 In the radius auth start/stop log (detail.log), the attribute "Request-Authenticator = Verified" is missing

I am new to Freeradius. I configured the freeradius server using container services.
I have installed Freeradius v3.0.21 in Alpine linux.
My container freeradius server is working fine and produces the log. But it's missing only one field/attribute, "Request-Authenticator = Verified",
in the detail.log. Can anyone please help me on this?

OpenAM: Web Policy Agent login to OpenAM fails

I am unable to identify the error source. I checked the settings dozens of times, I tried out the local and public IPs, I even tried using different web agent versions and I read everything that I could find on the topic (at least that is what it feels like).
Question: Why is my Web Agent unable to login to OpenAM?
Initial situation: I have two docker containers. The first is running a Tomcat server with OpenAM and the second is running an Apache webserver. Both containers are deployed on two different virtual machines. Both machines can reach each other via their public as well as their private IPs and in the docker-compose files 'network_mode: host' is set.
Following this official guide I create an agent profile using the AM console with the following specifications:
Agent ID: WebAgent
Agent URL: http://<public_ip_apache_server>:80
Server URL: http://<public_ip_openam_server>:8080/openam
password: password
Within the container running the Apache webserver, I do the following:
Stop the apache webserver.
Install OpenSSL.
Export /<path>/libcrypto.so and /<path>/libssl.so to LD_LIBRARY_PATH.
Make sure that libc.so.6 is available, and that it supports the GLIBC_2.3 API, by running
strings libc.so.6 | grep GLIBC_2 within /usr/lib/x86_64-linux-gnu/.
Create a password file via echo password > /tmp/pwd.txt followed by chmod 400 /tmp/pwd.txt.
Run the config command for the Web Agent:
/apache24_agent/bin/agentadmin --s "/usr/local/apache2/conf/httpd.conf" \
"http://<public_ip_openam_server>:8080/openam" "http://<public_ip_apache_server>:80" "/" \
"WebAgent" "/tmp/pwd.txt" --changeOwner --acceptLicence
Problem:
The last command always fails with the following output:
OpenAM Web Agent for Apache Server installation.
Validating...
Error validating OpenAM - Agent configuration.
Installation failed.
See installation log /usr/local/apache2/apache24_agent/bin/../log/install_20201227114136.log file for more details. Exiting.
Checking the error log:
2020-12-27 11:41:36 license accepted with --acceptLicence option
2020-12-27 11:41:36 license was accepted earlier
2020-12-27 11:41:36 Found user daemon, uid 1, gid 1
2020-12-27 11:41:36 Found group daemon, gid 1
2020-12-27 11:41:36 OpenSSL library status: <removed for readability> OpenSSL v1.1.x library support is available
2020-12-27 11:41:36 validating configuration parameters...
2020-12-27 11:41:36 error validating OpenAM agent configuration
agent login to http://<public_ip_openam_server>:8080/openam fails
2020-12-27 11:41:36 installation error
2020-12-27 11:41:36 installation exit
System and software:
OpenAM Version: 14.5.4
Container running Apache Webserver: x86_64 system, Debian
Version Apache: 2.4.46
Web Policy Agent: Platform = Apache, Platform Version = 2.4, Operating System = Linux, Architecture = 64bit, Platform Version = 5.6, Version = 5.6.2.0
OpenSSL Version: v1.1
Are you using Open Identity Platform community version? I'm afraid Web Agent 5.6.2.0 and OpenAM 14.5.4 could be incompatible. Try to use an earlier Web Agent version for example 4.1.1, or switch to OpenIG as an alternative to Web Agent.
There are a couple of useful links below:
https://github.com/OpenIdentityPlatform/OpenAM/wiki/Quick-Start-Guide
https://github.com/OpenIdentityPlatform/OpenAM/wiki/How-to-Add-Authorization-and-Protect-Your-Application-With-OpenAM-and-OpenIG-Stack

How can I make FreeIPA & FreeRadius work with PEAP authentication

I want to force our office users to enter their LDAP credentials when connecting to the WiFi in our office. So I installed FreeRadius as instructed at:
Using FreeIPA and FreeRadius.
Using radtest, I can successfully authenticate against our FreeIPA server using PAP. Moving on I configured a WiFi connection on my Windows 10 laptop to use EAP-TTLS as the authentication method along with selecting PAP as the non-EAP method. Again I can successfully authenticate against our FreeIPA server when connecting to the WiFi AP. But I realize that is not safe since passwords are sent as clear-text.
So next I configured a WiFi connection on my Windows 10 laptop to use PEAP as the authentication method with EAP method of EAP-MSCHAP v2. But now authentication fails. An excerpt from the FreeRadius debug log shows:
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: test55
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
I’m struggling to figure out a solution. I have found various configurations of eap, mschap & ldap files online but so far I have not solved my issue.
I’m not sure if I’m asking the right question but is the password hash sent by the Windows client incompatible with the password hash used by FreeIPA?
It turns out mschapv2 is a challenge-response protocol, and that does not work with an LDAP bind in the basic configuration of FreeRadius.
However I did find a solution where FreeRadius looks up a user by their LDAP DN, then reads (not bind) the NTHash of the user. From there, FreeRADIUS is able to process the challenge response.
First permissions have to be given to service accounts:
https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
After performing these steps users will need to change their password in order to generate an ipaNTHash.
Then configure FreeRadius to use mschapv2 with FreeIPA:
https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
After completing all the steps described in both links, this radtest cli command should return an Access-Accept response.
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>
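As an added example (not from the answer above or the linked posts), here is a FreeRADIUS 3 mods-available/ldap fragment implementing the approach the answer describes: bind as a service account that has been granted read access to ipaNTHash, look the user up by uid, and copy the stored hash into control:NT-Password so the mschap module can verify the MS-CHAPv2 response without ever seeing a cleartext password. The host name, DNs and service-account password are placeholders.

```conf
# /etc/freeradius/3.0/mods-available/ldap  (example configuration, not from the original post)
ldap {
    server = 'ipa.example.com'        # placeholder FreeIPA host

    # Service account that was granted read access to ipaNTHash
    # (the permission step from the first link above). Placeholder DN/password.
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'CHANGE-ME'

    base_dn = 'cn=accounts,dc=example,dc=com'

    update {
        # FreeIPA stores the NT hash as a binary value and FreeRADIUS's
        # NT-Password is an octets attribute, so it is copied in as-is.
        # Users who changed their password before the permission was
        # granted have no ipaNTHash yet; mschap will then still fail with
        # "No NT/LM-Password" until they reset it.
        control:NT-Password := 'ipaNTHash'
    }

    user {
        base_dn = "${..base_dn}"
        # Look the account up by uid; no bind is performed with the user's password.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        # Protect the service-account credentials and the hash on the wire.
        start_tls = yes
    }
}

# The module must run in the authorize section of sites-available/inner-tunnel
# (enable the commented "-ldap" entry there) so that control:NT-Password is
# populated before the authenticate section hands the request to mschap.
```

With this in place, `radiusd -X` should log "mschap: Found NT-Password" for the inner request instead of the "No Cleartext-Password configured" warnings quoted in the question.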

FreeRadius config: reject request upon inner-tunnel auth type is "none"

I just set up a freeradius server (Version 2.2.5) on a Raspberry Pi (Raspbian) with the DaloRadius 0.99 web interface. OS = Debian Jessie. I do not use certificates for authentication.
Everything's working fine. I restricted the used authentication types to "PEAP" for the 1st authentication and the inner-tunnel (second auth) to MSCHAP(V2).
Now I recognized that when I configure a client using PEAP and no inner-tunnel auth method it's still possible to dial in.
I want to restrict the second auth to only accept MSCHAP/MSCHAPV2 and not "none" as auth method.
