Auth: Login incorrect: [maxx09/<no User-Password attribute>]


givemesam
Hi freeradius community

I have been working hard at making our already wonderful freeradius
implementation also work with some VPN radius functions. A lot of this is a
bit over my head, but I am grasping it as I go. So far, this server config
works great for user/pass on PPTP, L2TP, OpenVPN, Soft-ether AAA, but I am
getting stuck with IKEv2.

Ideally we can get IKEv2 working on all devices, but it does require a lot
of certificate work. I have been able to deal with the cert stuff from
client to router, and get the router to send the radius request, but it comes
back with a timeout. I tried it with also loading the cert chain in eap.conf,
but it didn't make a difference. I saw the <no User-Password attribute> in the
radius.log either way.

I think the issue is something with the password being sent from the
router: maybe it is hashed, maybe it is not sent, but this is what I see in
the radius.log:

Sun Mar 22 00:10:28 2020 : Auth: Login incorrect: [user123/<no
User-Password attribute>] (from client wificpa port 0 cli 444.555.666.777)

Any idea where I should dig, or what I should do, to see why we see
user123/<no User-Password attribute>?
Is this the app not sending it, the router not sending it, or it arriving
in some other attribute that radius is not listening for (hashed,
something specific for EAP)?

I found that specifying the cert chain didn't make a difference when adding
them in eap.conf, but here are some of those configs, and I will also
include a -X:

THANK YOU!

Sam

##############################################################################################################################################

I tried to trim this down some for readability and privacy. (In my edits,
I changed all 'wificpa' to 'complexcode', knowing that wificpa is also used
in other areas, not as a secret. Please forgive me for that.)

root@cp2dev:~# freeradius -X
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Jul 26
2017 at 15:30:42
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/exec
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sqlcounter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/custom.rad
main {
        user = "freerad"
        group = "freerad"
        allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
        name = "freeradius"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/freeradius"
        run_dir = "/var/run/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/freeradius/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = yes
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        require_message_authenticator = no
        secret = "complexcode"
        shortname = "complexcode"
 }
 client 0.0.0.0/0 {
        require_message_authenticator = no
        secret = "complexcode"
        shortname = "complexcode"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
        allow_retry = yes
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/etc/freeradius/certs"
        pem_file_type = yes
        private_key_file = "/etc/freeradius/certs/server.key"
        certificate_file = "/etc/freeradius/certs/server.pem"
        CA_file = "/etc/freeradius/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/freeradius/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/freeradius/certs/bootstrap"
        ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
  preprocess {
        huntgroups = "/etc/freeradius/huntgroups"
        hints = "/etc/freeradius/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_sql
 Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
  sql {....removed...
  }
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 11273
rlm_sqlcounter: Check attribute Max-All-Session is number 11274
rlm_sqlcounter: Current Time: 1584839510 [2020-03-22 01:11:50], Next reset
0 [2020-03-22 01:00:00]
rlm_sqlcounter: Current Time: 1584839510 [2020-03-22 01:11:50], Prev reset
0 [2020-03-22 01:00:00]
 Module: Instantiating module "dailycounter" from file
/etc/freeradius/sqlcounter.conf
  sqlcounter dailycounter {
        counter-name = "Daily-Session-Time"
        check-name = "Max-Daily-Session"
        reply-name = "Session-Timeout"
        key = "User-Name"
        sqlmod-inst = "sqlcca3"
        query = "...removed"
        reset = "daily"
        safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 11275
rlm_sqlcounter: Check attribute Max-Daily-Session is number 11276
rlm_sqlcounter: Current Time: 1584839510 [2020-03-22 01:11:50], Next reset
1584921600 [2020-03-23 00:00:00]
rlm_sqlcounter: Current Time: 1584839510 [2020-03-22 01:11:50], Prev reset
1584835200 [2020-03-22 00:00:00]
 Module: Instantiating module "monthlycounter" from file
/etc/freeradius/sqlcounter.conf
  sqlcounter monthlycounter {
        counter-name = "Monthly-Session-Time"
        check-name = "Max-Monthly-Session"
        reply-name = "Session-Timeout"
        key = "User-Name"
        sqlmod-inst = "sqlcca3"
        query = "...removed"
        reset = "monthly"
        safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Monthly-Session-Time is number 11277
rlm_sqlcounter: Check attribute Max-Monthly-Session is number 11278
rlm_sqlcounter: Current Time: 1584839510 [2020-03-22 01:11:50], Next reset
1585699200 [2020-04-01 00:00:00]
rlm_sqlcounter: Current Time: 1584839510 [2020-03-22 01:11:50], Prev reset
1583020800 [2020-03-01 00:00:00]
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file
/etc/freeradius/modules/files
  files {
        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        preproxy_usersfile = "/etc/freeradius/preproxy_users"
        compat = "no"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
  detail {
        detailfile = "...removed"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
        radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
  radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Instantiating module "sradutmp" from file
/etc/freeradius/modules/sradutmp
  radutmp sradutmp {
        filename = "/var/log/freeradius/sradutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 420
        callerid = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[20]: Error binding to port for 0.0.0.0 port
1812
root@cp2dev:~#




##############################################################################################################################################


# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the "eap2" module.
#  See experimental.conf for documentation.
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = tls

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire     = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to "yes", you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

#
#  Help prevent DoS attacks by limiting the number of
#  sessions that the server is tracking.  Most systems
#  can handle ~30 EAP sessions/s, so the default limit
#  of 4096 should be OK.
max_sessions = 4096

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
leap {
}

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module "challenges" the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,
#  the users password will go over the wire in plain-text,
#  for anyone to see.
#
gtc {
#  The default challenge, which many clients
#  ignore..
#challenge = "Password: "

#  The plain-text response which comes back
#  is put into a User-Password attribute,
#  and passed to another module for
#  authentication.  This allows the EAP-GTC
#  response to be checked against plain-text,
#  or crypt'd passwords.
#
#  If you say "Local" instead of "PAP", then
#  the module will look for a User-Password
#  configured for the request, and do the
#  authentication itself.
#
auth_type = PAP
}

## EAP-TLS
#
#  See raddb/certs/README for additional comments
#  on certificates.
#
#  If OpenSSL was not found at the time the server was
#  built, the "tls", "ttls", and "peap" sections will
#  be ignored.
#
#  Otherwise, when the server first starts in debugging
#  mode, test certificates will be created.  See the
#  "make_cert_command" below for details, and the README
#  file in raddb/certs
#
#  These test certificates SHOULD NOT be used in a normal
#  deployment.  They are created only to make it easier
#  to install the server, and to perform some simple
#  tests with EAP-TLS, TTLS, or PEAP.
#
#  See also:
#
#  http://www.dslreports.com/forum/remark,9286052~mode=flat
#
#  Note that you should NOT use a globally known CA here!
#  e.g. using a Verisign cert as a "known CA" means that
#  ANYONE who has a certificate signed by them can
#  authenticate via EAP-TLS!  This is likely not what you want.
tls {
#
#  These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs

##private_key_password = complexkey
##private_key_file = ${certdir}/server.key
private_key_password = serverpasscode
private_key_file = ${certdir}/server_key.key

#  If Private key & Certificate are located in
#  the same file, then private_key_file &
#  certificate_file must contain the same file
#  name.
#
#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
##certificate_file = ${certdir}/server.pem
certificate_file = ${certdir}/server_new.pem

#  Trusted Root CA list
#
#  ALL of the CA's in this list will be trusted
#  to issue client certificates for authentication.
#
#  In general, you should use self-signed
#  certificates for 802.1x (EAP) authentication.
#  In that case, this CA file should contain
#  *one* CA certificate.
#
#  This parameter is used only for EAP-TLS,
#  when you issue client certificates.  If you do
#  not use client certificates, and you do not want
#  to permit EAP-TLS authentication, then delete
#  this configuration item.
##CA_file = ${cadir}/ca.pem
CA_file = ${cadir}/root_ca.pem

#
#  For DH cipher suites to work, you have to
#  run OpenSSL to create the DH file first:
#
#   openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = /dev/urandom

#
#  This can never exceed the size of a RADIUS
#  packet (4096 bytes), and is preferably half
#  that, to accomodate other attributes in
#  RADIUS packet.  On most APs the MAX packet
#  length is configured between 1500 - 1600
#  In these cases, fragment size should be
#  1024 or less.
#
# fragment_size = 1024

#  include_length is a flag which is
#  by default set to yes If set to
#  yes, Total Length of the message is
#  included in EVERY packet we send.
#  If set to no, Total Length of the
#  message is included ONLY in the
#  First packet of a fragment series.
#
# include_length = yes

#  Check the Certificate Revocation List
#
#  1) Copy CA certificates and CRLs to same directory.
#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
#    'c_rehash' is OpenSSL's command.
#  3) uncomment the line below.
#  5) Restart radiusd
# check_crl = yes
CA_path = ${cadir}

      #
      #  If check_cert_issuer is set, the value will
      #  be checked against the DN of the issuer in
      #  the client certificate.  If the values do not
      #  match, the cerficate verification will fail,
      #  rejecting the user.
      #
      #  In 2.1.10 and later, this check can be done
      #  more generally by checking the value of the
      #  TLS-Client-Cert-Issuer attribute.  This check
      #  can be done via any mechanism you choose.
      #
#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

      #
      #  If check_cert_cn is set, the value will
      #  be xlat'ed and checked against the CN
      #  in the client certificate.  If the values
      #  do not match, the certificate verification
      #  will fail rejecting the user.
      #
      #  This check is done only if the previous
      #  "check_cert_issuer" is not set, or if
      #  the check succeeds.
      #
      #  In 2.1.10 and later, this check can be done
      #  more generally by checking the value of the
      #  TLS-Client-Cert-CN attribute.  This check
      #  can be done via any mechanism you choose.
      #
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites.  The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"

#

# This command creates the initial "snake oil"
# certificates when the server is run as root,
# and via "radiusd -X".
#
# As of 2.1.11, it *also* checks the server
# certificate for validity, including expiration.
# This means that radiusd will refuse to start
# when the certificate has expired.  The alternative
# is to have the 802.1X clients refuse to connect
# when they discover the certificate has expired.
#
# Debugging client issues is hard, so it's better
# for the server to print out an error message,
# and refuse to start.
#
make_cert_command = "${certdir}/bootstrap"

#
#  Elliptical cryptography configuration
#
#  Only for OpenSSL >= 0.9.8.f
#
ecdh_curve = "prime256v1"

#
#  Session resumption / fast reauthentication
#  cache.
#
#  The cache contains the following information:
#
#  session Id - unique identifier, managed by SSL
#  User-Name  - from the Access-Accept
#  Stripped-User-Name - from the Access-Request
#  Cached-Session-Policy - from the Access-Accept
#
#  The "Cached-Session-Policy" is the name of a
#  policy which should be applied to the cached
#  session.  This policy can be used to assign
#  VLANs, IP addresses, etc.  It serves as a useful
#  way to re-apply the policy from the original
#  Access-Accept to the subsequent Access-Accept
#  for the cached session.
#
#  On session resumption, these attributes are
#  copied from the cache, and placed into the
#  reply list.
#
#  You probably also want "use_tunneled_reply = yes"
#  when using fast session resumption.
#
cache {
     #
     #  Enable it.  The default is "no".
     #  Deleting the entire "cache" subsection
     #  Also disables caching.
     #
     #  You can disallow resumption for a
     #  particular user by adding the following
     #  attribute to the control item list:
     #
     # Allow-Session-Resumption = No
     #
     #  If "enable = no" below, you CANNOT
     #  enable resumption for just one user
     #  by setting the above attribute to "yes".
     #
     enable = no

     #
     #  Lifetime of the cached entries, in hours.
     #  The sessions will be deleted after this
     #  time.
     #
     lifetime = 24 # hours

     #
     #  The maximum number of entries in the
     #  cache.  Set to "0" for "infinite".
     #
     #  This could be set to the number of users
     #  who are logged in... which can be a LOT.
     #
     max_entries = 255
}

#
#  As of version 2.1.10, client certificates can be
#  validated via an external command.  This allows
#  dynamic CRLs or OCSP to be used.
#
#  This configuration is commented out in the
#  default configuration.  Uncomment it, and configure
#  the correct paths below to enable it.
#
verify {
#  A temporary directory where the client
#  certificates are stored.  This directory
#  MUST be owned by the UID of the server,
#  and MUST not be accessible by any other
#  users.  When the server starts, it will do
#  "chmod go-rwx" on the directory, for
#  security reasons.  The directory MUST
#  exist when the server starts.
#
#  You should also delete all of the files
#  in the directory when the server starts.
#     tmpdir = /tmp/radiusd

#  The command used to verify the client cert.
#  We recommend using the OpenSSL command-line
#  tool.
#
#  The ${..CA_path} text is a reference to
#  the CA_path variable defined above.
#
#  The %{TLS-Client-Cert-Filename} is the name
#  of the temporary file containing the cert
#  in PEM format.  This file is automatically
#  deleted by the server when the command
#  returns.
#     client = "/path/to/openssl verify -CApath ${..CA_path}
%{TLS-Client-Cert-Filename}"
}

#
#  OCSP Configuration
#  Certificates can be verified against an OCSP
#  Responder. This makes it possible to immediately
#  revoke certificates without the distribution of
#  new Certificate Revokation Lists (CRLs).
#
ocsp {
     #
     #  Enable it.  The default is "no".
     #  Deleting the entire "ocsp" subsection
     #  Also disables ocsp checking
     #
     enable = no

     #
     #  The OCSP Responder URL can be automatically
     #  extracted from the certificate in question.
     #  To override the OCSP Responder URL set
     #  "override_cert_url = yes".
     #
     override_cert_url = yes

     #
     #  If the OCSP Responder address is not
     #  extracted from the certificate, the
     #  URL can be defined here.

     #
     #  Limitation: Currently the HTTP
     #  Request is not sending the "Host: "
     #  information to the web-server.  This
     #  can be a problem if the OCSP
     #  Responder is running as a vhost.
     #
     url = "http://127.0.0.1/ocsp/"
}
}

#  The TTLS module implements the EAP-TTLS protocol,
#  which can be described as EAP inside of Diameter,
#  inside of TLS, inside of EAP, inside of RADIUS...
#
#  Surprisingly, it works quite well.
#
#  The TTLS module needs the TLS module to be installed
#  and configured, in order to use the TLS tunnel
#  inside of the EAP packet.  You will still need to
#  configure the TLS module, even if you do not want
#  to deploy EAP-TLS in your network.  Users will not
#  be able to request EAP-TLS, as it requires them to
#  have a client certificate.  EAP-TTLS does not
#  require a client certificate.
#
#  You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
#  in the control items for a request.
#
ttls {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  TTLS tunnel, we recommend using EAP-MD5.
#  If the request does not contain an EAP
#  conversation, then this configuration entry
#  is ignored.
default_eap_type = md5

#  The tunneled authentication request does
#  not usually contain useful attributes
#  like 'Calling-Station-Id', etc.  These
#  attributes are outside of the tunnel,
#  and normally unavailable to the tunneled
#  authentication request.
#
#  By setting this configuration entry to
#  'yes', any attribute which NOT in the
#  tunneled authentication request, but
#  which IS available outside of the tunnel,
#  is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = no

#  The reply attributes sent to the NAS are
#  usually based on the name of the user
#  'outside' of the tunnel (usually
#  'anonymous').  If you want to send the
#  reply attributes based on the user name
#  inside of the tunnel, then set this
#  configuration entry to 'yes', and the reply
#  to the NAS will be taken from the reply to
#  the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = no

#
#  The inner tunneled request can be sent
#  through a virtual server constructed
#  specifically for this purpose.
#
#  If this entry is commented out, the inner
#  tunneled request will be sent through
#  the virtual server that processed the
#  outer requests.
#
virtual_server = "inner-tunnel"

#  This has the same meaning as the
#  same field in the "tls" module, above.
#  The default value here is "yes".
# include_length = yes
}

##################################################
#
#  !!!!! WARNINGS for Windows compatibility  !!!!!
#
##################################################
#
#  If you see the server send an Access-Challenge,
#  and the client never sends another Access-Request,
#  then
#
# STOP!
#
#  The server certificate has to have special OID's
#  in it, or else the Microsoft clients will silently
#  fail.  See the "scripts/xpextensions" file for
#  details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
#  For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
#
#  If it still doesn't work, and you're using Samba,
#  you may be encountering a Samba bug.  See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
#  Note that we do not necessarily agree with their
#  explanation... but the fix does appear to work.
#
##################################################

#
#  The tunneled EAP session needs a default EAP type
#  which is separate from the one for the non-tunneled
#  EAP module.  Inside of the TLS/PEAP tunnel, we
#  recommend using EAP-MS-CHAPv2.
#
#  The PEAP module needs the TLS module to be installed
#  and configured, in order to use the TLS tunnel
#  inside of the EAP packet.  You will still need to
#  configure the TLS module, even if you do not want
#  to deploy EAP-TLS in your network.  Users will not
#  be able to request EAP-TLS, as it requires them to
#  have a client certificate.  EAP-PEAP does not
#  require a client certificate.
#
#
#  You can make PEAP require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
#  in the control items for a request.
#
peap {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  PEAP tunnel, we recommend using MS-CHAPv2,
#  as that is the default type supported by
#  Windows clients.
default_eap_type = mschapv2

#  the PEAP module also has these configuration
#  items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no

#  When the tunneled session is proxied, the
#  home server may not understand EAP-MSCHAP-V2.
#  Set this entry to "no" to proxy the tunneled
#  EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes

#
#  The inner tunneled request can be sent
#  through a virtual server constructed
#  specifically for this purpose.
#
#  If this entry is commented out, the inner
#  tunneled request will be sent through
#  the virtual server that processed the
#  outer requests.
#
virtual_server = "inner-tunnel"

# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes

#
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
}

#
#  This takes no configuration.
#
#  Note that it is the EAP MS-CHAPv2 sub-module, not
#  the main 'mschap' module.
#
#  Note also that in order for this sub-module to work,
#  the main 'mschap' module MUST ALSO be configured.
#
#  This module is the *Microsoft* implementation of MS-CHAPv2
#  in EAP.  There is another (incompatible) implementation
#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
#  currently support.
#
mschapv2 {
#  Prior to version 2.1.11, the module never
#  sent the MS-CHAP-Error message to the
#  client.  This worked, but it had issues
#  when the cached password was wrong.  The
#  server *should* send "E=691 R=0" to the
#  client, which tells it to prompt the user
#  for a new password.
#
#  The default is to behave as in 2.1.10 and
#  earlier, which is known to work.  If you
#  set "send_error = yes", then the error
#  message will be sent back to the client.
#  This *may* help some clients work better,
#  but *may* also cause other clients to stop
#  working.
#
# send_error = no
}
}



#####################################################################################################################################################



Android StrongSwan verifies all the cert stuff is ok, but errors and logs:
N(Auth_FAILED)

From router log:
Mar/21/2020 19:10:27 radius,debug resending 55:3f
Mar/21/2020 19:10:27 radius,debug,packet sending Access-Request with id 62 to 162.220.55.231:1812
Mar/21/2020 19:10:27 radius,debug,packet     Signature = 0xa5bbb251dc2b562e4dabc73c2e1a9763
Mar/21/2020 19:10:27 radius,debug,packet     User-Name = "user123"
Mar/21/2020 19:10:27 radius,debug,packet     Called-Station-Id = "888.777.666.555"
Mar/21/2020 19:10:27 radius,debug,packet     Calling-Station-Id = "444.555.666.777"
Mar/21/2020 19:10:27 radius,debug,packet     NAS-Port-Id = 0x0000000d
Mar/21/2020 19:10:27 radius,debug,packet     NAS-Port-Type = 5
Mar/21/2020 19:10:27 radius,debug,packet     Service-Type = 2
Mar/21/2020 19:10:27 radius,debug,packet     Event-Timestamp = 1584835827
Mar/21/2020 19:10:27 radius,debug,packet     Framed-MTU = 1400
Mar/21/2020 19:10:27 radius,debug,packet     EAP-Message = 0x0200000b016d6178783039
Mar/21/2020 19:10:27 radius,debug,packet     Message-Authenticator = 0x661158da6446c07da84cdb95d7ecb0bc
Mar/21/2020 19:10:27 radius,debug,packet     NAS-Identifier = "server01"
Mar/21/2020 19:10:27 radius,debug,packet     NAS-IP-Address = 888.777.666.555
Mar/21/2020 19:10:27 radius,debug resending 55:3f
Mar/21/2020 19:10:27 radius,debug,packet sending Access-Request with id 62 to 162.220.55.231:1812
Mar/21/2020 19:10:27 radius,debug,packet     Signature = 0xa5bbb251dc2b562e4dabc73c2e1a9763
Mar/21/2020 19:10:27 radius,debug,packet     User-Name = "user123"
Mar/21/2020 19:10:27 radius,debug,packet     Called-Station-Id = "888.777.666.555"
Mar/21/2020 19:10:27 radius,debug,packet     Calling-Station-Id = "444.555.666.777"
Mar/21/2020 19:10:27 radius,debug,packet     NAS-Port-Id = 0x0000000d
Mar/21/2020 19:10:27 radius,debug,packet     NAS-Port-Type = 5
Mar/21/2020 19:10:27 radius,debug,packet     Service-Type = 2
Mar/21/2020 19:10:27 radius,debug,packet     Event-Timestamp = 1584835827
Mar/21/2020 19:10:27 radius,debug,packet     Framed-MTU = 1400
Mar/21/2020 19:10:27 radius,debug,packet     EAP-Message = 0x0200000b016d6178783039
Mar/21/2020 19:10:27 radius,debug,packet     Message-Authenticator = 0x661158da6446c07da84cdb95d7ecb0bc
Mar/21/2020 19:10:27 radius,debug,packet     NAS-Identifier = "server01"
Mar/21/2020 19:10:27 radius,debug,packet     NAS-IP-Address = 888.777.666.555
Mar/21/2020 19:10:28 radius,debug timeout for 55:3f
Mar/21/2020 19:10:28 ipsec,error radius timeout
Mar/21/2020 19:10:28 ipsec reply notify: AUTHENTICATION_FAILED
Mar/21/2020 19:10:28 ipsec adding notify: AUTHENTICATION_FAILED
Mar/21/2020 19:10:28 ipsec,debug => (size 0x8)
Mar/21/2020 19:10:28 ipsec,debug 00000008 00000018
Mar/21/2020 19:10:28 ipsec <- ike2 reply, exchange: AUTH:2 444.555.666.777[40517]
Mar/21/2020 19:10:28 ipsec,debug,packet => outgoing plain packet (size 0x24)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Auth: Login incorrect: [maxx09/<no User-Password attribute>]

Alan DeKok-2
On Mar 21, 2020, at 9:23 PM, Sam T <[hidden email]> wrote:

>
> I have been working hard at making our already wonderful freeradius
> implementation also work with some VPN radius functions. A lot of this is a
> bit over my head, but i am grasping it as i go. So far, this server config
> works great for user/pass on PPTP, L2TP, OpenVPN, Soft-ether AAA but I am
> getting stuck with IKEv2.
>
> Ideally we can get ikev2 working on all devices, but it does require a lot
> of certificate work. I have been able to deal with the cert stuff from
> client, to router, and get the router to send the radius request, it comes
> back timeout. I tried it with also loading the cert chain in eap.conf but
> it didnt make a difference. i saw the <no User-Password attribute> in the
> radius.log either way.

  And what does the debug log say?

> I think the issue is with something with the password being sent from the
> router, maybe it is hashed, maybe it is not sent, but this is what i see in
> the radius.log:
>
> Sun Mar 22 00:10:28 2020 : Auth: Login incorrect: [user123/<no
> User-Password attribute>] (from client wificpa port 0 cli 444.555.666.777)
>
> Any idea where i should dig, or what i should do to see why we see
> user123/<no User-Password attribute>?

  The debug output?

  Read http://wiki.freeradius.org/list-help

> Is this the app not sending it, the router not sending it, or it arriving
> in some other attribute that radius is not listening for? (hashed,
> something specific for EAP?)

  If it's EAP, then there may not be a User-Password.  Again... see the debug log for more information.


> I found that specifying the cert chain didnt make a difference when adding
> them in eap.conf, but here are some of those configs, and I will also
> include a -X:

  Read http://wiki.freeradius.org/list-help

  We do NOT need to see configuration files.  We DO need to see "radiusd -X" where it RECEIVES PACKETS.  We do NOT need to see a debug output ending in:

> Failed binding to authentication address * port 1812: Address already in use
> /etc/freeradius/radiusd.conf[20]: Error binding to port for 0.0.0.0 port
> 1812

  That does not help at all.

> Android StrongSwan verifies all the cert stuff is ok, but errors and logs:
> N(Auth_FAILED)
>
> From router log:

  You cannot debug a server issue by looking at the client logs.

  All of this is *extensively* documented.  Follow the documentation.  Post the information that the documentation says we need.  Do NOT post random other things that the documentation says we do NOT need.

  Alan DeKok.



Re: Auth: Login incorrect: [maxx09/<no User-Password attribute>]

givemesam
Thank you for the advice.

What you are trying to do: Get radius to work with mikrotik ikev2
authorization / client has self signed CA cert, Server has signed server +
CA cert

   - why you are trying to do it: to add ikev2 radius auth while also
   supporting wifi authorization (which is working great)
   - what you expect the server to do: to accept user pass from mikrotik,
   and provide authorization reply w/ radreply attributes
   - what the server does instead (i.e. debug output). see output

(My previous submission ran freeradius -X on top of a running server; this
time I followed the instructions. Here is 1 clean process of the ikev2
request.)

rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66, length=143
User-Name = "maxx09"
Called-Station-Id = "444.555.666.777"
Calling-Station-Id = "222.333.444.555"
NAS-Port-Id = "\000\000\000\r"
NAS-Port-Type = Virtual
Service-Type = Framed-User
Event-Timestamp = "Mar 22 2020 16:54:39 UTC"
Framed-MTU = 1400
EAP-Message = 0x0200000b016d6178783039
Message-Authenticator = 0xa0d6653f0433fd6aaba395e394bb7def
NAS-Identifier = "router01"
NAS-IP-Address = 45.63.66.220
# Executing section authorize from file /etc/freeradius/sites-enabled/server01.rad
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "maxx09", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{User-Name} -> maxx09
[sql] sql_set_user escaped user --> 'maxx09'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = REPLACE('%{SQL-User-Name}',':','-') AND ExpDate >= now() ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = REPLACE('maxx09',':','-') AND ExpDate >= now() ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, REPLACE(Attribute,'Max-Octets','ChilliSpot-Max-Total-Octets') AS Attribute, Value, REPLACE(op,':=','=') AS op FROM radreply WHERE Username = REPLACE('%{SQL-User-Name}',':','-') ORDER BY id -> SELECT id, UserName, REPLACE(Attribute,'Max-Octets','ChilliSpot-Max-Total-Octets') AS Attribute, Value, REPLACE(op,':=','=') AS op FROM radreply WHERE Username = REPLACE('maxx09',':','-') ORDER BY id
[sql] expand: SELECT GroupName FROM usergroup WHERE UserName=REPLACE('%{SQL-User-Name}',':','-') -> SELECT GroupName FROM usergroup WHERE UserName=REPLACE('maxx09',':','-')
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Login incorrect: [maxx09/<no User-Password attribute>] (from client wificpa port 0 cli 222.333.444.555)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66, length=143
Waiting to send Access-Reject to client wificpa port 40641 - ID: 66
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66, length=143
Waiting to send Access-Reject to client wificpa port 40641 - ID: 66
Waking up in 0.3 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 66 to 45.63.66.220 port 40641
WISPr-Bandwidth-Max-Up = 200000000
WISPr-Bandwidth-Max-Down = 200000000
Acct-Interim-Interval = 300
Session-Timeout = 90000
Idle-Timeout = 90000
Mikrotik-Rate-Limit = ""
WISPr-Session-Terminate-Time = "2021-03-31T08:00:00+00:00"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 66 with timestamp +16
Ready to process requests.



I ran one with non-EAP, and it still gave this warning block, but it
authorized. I think the issue is the password is not being sent? Or it's
hashed somehow? (Is that what EAP-Message is?)
This one is not ikev2.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [auth00/000000] (from client wificpa port 0)


Re: Auth: Login incorrect: [maxx09/<no User-Password attribute>]

Alan DeKok-2
On Mar 22, 2020, at 1:07 PM, Sam T <[hidden email]> wrote:

>
> What you are trying to do: Get radius to work with mikrotik ikev2
> authorization / client has self signed CA cert, Server has signed server +
> CA cert
>
>   - why you are trying to do it: to add ikev2 radius auth while also
>   supporting wifi authorization (which is working great)
>   - what you expect the server to do: to accept user pass from mikrotik,
>   and provide authorization reply w/ radreply attributes
>   - what the server does instead (i.e. debug output). see output
>
> (my previous submission ran freeradius -X on top of a running server, this
> time i followed the instructions, here is 1 clean process of the ikev2
> request)
>
> rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66,
> length=143
> User-Name = "maxx09"
> Called-Station-Id = "444.555.666.777"
> Calling-Station-Id = "222.333.444.555"
> NAS-Port-Id = "\000\000\000\r"
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Event-Timestamp = "Mar 22 2020 16:54:39 UTC"
> Framed-MTU = 1400
> EAP-Message = 0x0200000b016d6178783039

  It's EAP, which means that there is likely no User-Password *ever* in the request.

> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!

  Please follow that advice.  The "known good" password should be in Cleartext-Password.  Putting it into User-Password has been deprecated for 15+ years.

> Cannot perform authentication.
> Failed to authenticate the user.

  Because the user is doing EAP, and you deleted the "eap" module from the "authorize" section.

  The default configuration works.  Start with that, and make small changes, in order to get what you want.

  If you delete massive amounts of things from the default configuration, you are very likely to break something.  As has been done here.

  The EAP module does EAP authentication.  You MUST configure the EAP module in order for this to work.

  Alan DeKok.


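The EAP-Message from the debug output above, decoded. This is an added example (not FreeRADIUS or MikroTik code) that parses the outer EAP header per RFC 3748 to show what the NAS actually forwarded: an EAP Response/Identity carrying only the user name, which is why no User-Password can ever be present. The Nak packet is constructed for illustration and is not from the thread.

```python
"""Decode a RADIUS EAP-Message attribute value as printed by radiusd -X.

Added example, not project code. It shows that the packet in this thread is
an EAP Response/Identity (type 1) carrying only the outer identity "maxx09":
there is no credential in it, so the server cannot check a User-Password and
must run an EAP method instead (the "eap" module in "authorize").
"""
import struct

# EAP codes and the method types relevant to this thread (RFC 3748 / IANA).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
}

# Sample inputs: the packet from the radiusd -X output in this thread, and a
# constructed Nak (not from the thread) a peer would send to refuse the
# method the server proposed and list the methods it will accept.
THREAD_PACKET = "0x0200000b016d6178783039"
CONSTRUCTED_NAK = "0x02010007031a19"


def parse_eap_message(hex_value):
    """Decode one EAP-Message value; raise ValueError on a malformed packet.

    Returns a dict with the header fields, the method type for
    Request/Response packets, and the decoded payload for Identity and Nak.
    """
    hex_value = hex_value.strip()
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(data))
    code, ident, length = struct.unpack("!BBH", data[:4])
    # Length covers the whole EAP packet; a mismatch means the attribute was
    # truncated or the fragments were not reassembled. Reject, do not guess.
    if length != len(data):
        raise ValueError("EAP Length %d != %d bytes present" % (length, len(data)))
    parsed = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
              "id": ident, "length": length}
    if code not in (1, 2):
        return parsed  # Success and Failure carry no Type byte
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type = data[4]
    payload = data[5:]
    parsed["type_id"] = eap_type
    parsed["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
    if eap_type == 1:
        # Identity: only the (outer) user name, never a password.
        parsed["identity"] = payload.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # Nak: the peer rejects the proposed method and lists the ones it
        # will do. This is how you learn which method the client is set to.
        parsed["desired_types"] = [EAP_TYPES.get(t, "unknown(%d)" % t)
                                   for t in payload]
    else:
        parsed["payload"] = payload
    return parsed


def method_uses_password(parsed):
    """True if the method can authenticate a password (MD5, TTLS, PEAP,
    EAP-MSCHAPv2). False for Identity, Nak and EAP-TLS, which is
    certificate-only. Even for the tunnelled methods the password travels
    inside the EAP conversation, so it still never appears as User-Password.
    """
    return parsed.get("type_id") in (4, 21, 25, 26)


if __name__ == "__main__":
    for label, value in (("thread packet", THREAD_PACKET),
                         ("constructed Nak", CONSTRUCTED_NAK)):
        p = parse_eap_message(value)
        print(label, p, "password-capable:", method_uses_password(p))
```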

Re: Auth: Login incorrect: [maxx09/<no User-Password attribute>]

givemesam
Thank you for that. You're right. I did not compile this freeradius server,
so I'm working with something that has been modded heavily. But I did get in
there and add eap to authorize. That got it going. I loaded in eap.conf
with the right mods too (changed md5 to tls).
After reviewing the debug output, I think the router was sending the
password inside "EAP-Message", or somehow mschapv2 is coming in as
EAP-Message? Or Mikrotik is trying to pull a client cert from radius. I'm
not sure....

This is after putting eap in authorize, and modding the eap.conf to point
to the certs and md5>tls.

My desired goal is to get user/pass to work through EAP, with no client
certs. I'm not sure it is possible, but each reply I get from you, and then
researching more, gets me a few steps closer. I also wrote Mikrotik to see if
their setup is passing the password through EAP message, or they're ignoring
it and the EAP-radius is designed for cert only, no passwords. But maybe
you can tell when looking at the cert error below.

Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/server01.rad
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 141
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0007], Certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert write:fatal:handshake failure): [maxx09/<via Auth-Type = EAP>] (from client wificpa port 0 cli 44.55.66.77)



Re: Auth: Login incorrect: [maxx09/<no User-Password attribute>]

Alan DeKok-2
On Mar 22, 2020, at 8:10 PM, Sam T <[hidden email]> wrote:
>
> Thank you for that. Your right. I did not compile this freeradius server,
> so im working with something that has been modded heavily. But i did get in
> there, and add eap to authorize. that got it going. i loaded in eap.conf
> with the right mods too (changed md5 to tls).
> After reviewing the debug output, i think the router was sending the
> password inside "EAP-Message" or somehow mschapv2 is coming in as
> EAP-message? OR mikrotik is trying to pull a client cert from radius. im
> not sure....

  You need to be sure.  You can't configure the server to do unknown kinds of authentication.  And if you don't know what kind of authentication is being used, you don't know how to configure the server.

> this is after putting eap in authorize, and modding the eap.conf to point
> to the certs and md5>tls

  OK, that's a start.

> my desired goal is to get user/pass to work through EAP, with no client
> certs.

  That's not how EAP works.  The end-user system is the one which is choosing the EAP method to use.

  So... what EAP method is that system configured to use?  You need to know this.

> im not sure it is possible, but each reply i get from you, and then
> research more, gets me a few steps closer. i also wrote mikrotik to see if
> their setup is passing the password through EAP message, or their ignoring
> it, and the EAP-radius is designed for cert only, no passwords. but maybe
> you can tell when looking at the cert error below.
>
> Found Auth-Type = EAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  As I said... fix that error.  Stop wasting your time doing other things, and do something which you KNOW will fix a problem.
 

>   # Executing group from file /etc/freeradius/sites-enabled/server01.rad
>   +- entering group authenticate {...}
>
>   [eap] Request found, released from the list
>   [eap] EAP/tls
>   [eap] processing type tls
>   [tls] Authenticate
>   [tls] processing EAP-TLS
>   TLS Length 141
>   [tls] Length Included
>   [tls] eaptls_verify returned 11
>   [tls] <<< TLS 1.0 Handshake [length 0007], Certificate
>   [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
>   TLS Alert write:fatal:handshake failure
>   TLS_accept: error in SSLv3 read client certificate B
>   rlm_eap: SSL error error:140890C7:SSL
>   routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

  That's pretty clear.

  You told FreeRADIUS to ONLY do EAP-TLS.  And the other end won't do only EAP-TLS.

  You're pretty much randomly changing things in the hope that it will "fix" things.  It won't.

  You have to understand what the end-user system is doing.  You have to understand what are the limitations of the EAP type.  You have to understand how to configure FreeRADIUS to authenticate that EAP type.

  Right now, you know none of that.  But you're asking us for help.  Well, our help is that you MUST understand at least the first point.  If you don't, it's impossible for us to help you.

  Alan DeKok.

