SSL Problem???

DeYoung, Brandon
        Hello all,
        I have been successfully providing 802.1x authentication to my
wireless users for approx six months. This was implemented using
ntlm_auth, PEAP, and MSCHAPV2 (windows XP client) against an Active
Directory backend.

        We had a power spike, which produced multiple simultaneous drive
failures and there is little but corrupted data left on my server. I
managed to retrieve my config files from backup, but had to do a clean
install, recreate SSL certs, etc. I am using freeradius-1.0.0-5 on Suse
9.2 Pro.

I *believe* this snippet from my debug output shows the problem:

----snip-----
  eaptls_process returned 3
    TLS_accept:error in SSLv3 read client certificate A
  rlm_eap_peap: EAPTLS_SUCCESS
-----snip------

This would *seem* to indicate a problem with my certificate generation.
I've deleted and re-created my certs on both the server and the client 4
times now. I've tried giving the certs different names, thinking that
they weren't deleted correctly from WinXP's mmc panel. I'm following
this howto on cert creation:
http://jeremy.austux.net/resources/network/eaptls.html 

I'm pretty sure that this is the same howto I followed last time and it,
"just worked".

I'm only about 95% sure that my certs are the problem. If someone could
at least confirm that, it would help. If anyone can pinpoint my issue
more precisely I would be eternally grateful, as I'm really in a bind
right now.

Any and all suggestions are most welcome.

Thanks much!
~Brandon

*****************************
**Exhaustive info below:*****
*****************************
 
I have the following relevant software installed:
samba-3.0.9-2.3
samba-winbind-3.0.9-2.3
openssl-0.9.7d-25


Here are a couple radtest outputs (note: the user here is local, not AD,
and obviously this is bypassing certificates).

houston:/etc/raddb # radtest test testing localhost 43.191.108.31 SECRET
Sending Access-Request of id 135 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "testing"
        NAS-IP-Address = houston
        NAS-Port = 43
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=135,
length=20
houston:/etc/raddb #

houston:/etc/raddb # radtest test wrongpw localhost 43.191.108.31 SECRET
Sending Access-Request of id 156 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "wrongpw"
        NAS-IP-Address = houston
        NAS-Port = 43
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=156,
length=20
houston:/etc/raddb #

.....So that works as it should.....

Here's an ntlm_auth output:

houston:/etc/raddb # /usr/bin/ntlm_auth --username=deyoungb --domain=AM
password:
NT_STATUS_OK: Success (0x0)
houston:/etc/raddb #

....that works too, but, Houston...we still have a problem.....

here is a full debug output:


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "This has been sanitized"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
 realm: format = "prefix"
 realm: delimiter = "\"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=36,
length=139
        User-Name = "deyoungb"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0x10d861f115dbb07d2b2c807ed6013e43
        EAP-Message = 0x0202000d016465796f756e6762
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52618
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    rlm_realm: No '\' in User-Name = "deyoungb", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0

  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 36 to 43.191.108.31:1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb476e560b219ce685233a2a3dce96543
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=37,
length=224
        User-Name = "deyoungb"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0xa82fd9208da8cfd5dbed5cc52d11b381
        EAP-Message =
0x0203005019800000004616030100410100003d0301430367671bc00064cbb7578abf6c
264a8d6dc1249e2654915d4bd8b26395cad2
00001600040005000a000900640062000300060013001200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52618
        State = 0xb476e560b219ce685233a2a3dce96543
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    rlm_realm: No '\' in User-Name = "deyoungb", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
  modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello  
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 02c9], Certificate  
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode  
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 37 to 43.191.108.31:1645
        EAP-Message =
0x0104032c1900160301004a0200004603014303657d517ec9f755c72b45c7f0613e7b5a
8b6c14976b236eb6518cfee742e320cf6bc4
9299508610ad4c7bb13a2877938fd7a54e3cdd2d56de739fd81f99dbf500040016030102
c90b0002c50002c20002bf308202bb30820224a003020102020101300d
06092a864886f70d0101040500308196310b3009060355040613025553310b3009060355
040813024341311230100603550407130953616e20446965676f311930
17060355040a1310536f6e7920456c656374726f6e696373310c300a060355040b130349
544d3111300f060355040314084541505f536f6e79312a302806092a86
4886f70d01
        EAP-Message =
0x0901161b6272616e646f6e2e6465796f756e6740616d2e736f6e792e636f6d301e170d
3035303831373135323131375a170d303630
3831373135323131375a308196310b3009060355040613025553310b3009060355040813
024341311230100603550407130953616e20446965676f311930170603
55040a1310536f6e7920456c656374726f6e696373310c300a060355040b130349544d31
11300f060355040314084541505f536f6e79312a302806092a864886f7
0d010901161b6272616e646f6e2e6465796f756e6740616d2e736f6e792e636f6d30819f
300d06092a864886f70d010101050003818d0030818902818100a04276
9934723dc7
        EAP-Message =
0x5e3fd51b19b85c280fbe8df9cdca5d311e2b0418a52ce7382ac77ad00178fa63a553a0
3e39a1fff8e10ff5f41c5a41b20b8ef5600d
6fd72a5392c948a625e5d491338fc7f11c0b14a765d8f80412f37fcf3f0d93987882f3d4
588035c9a4ed9e9724e5c06c54bc02ccb412e5b4f688ce6feb323505f3
7f550203010001a317301530130603551d25040c300a06082b06010505070301300d0609
2a864886f70d0101040500038181004928c9b15407cb400ed3ad5b1b5e
6b0413ceb246e0023bb07c36575945118bee439e4b3b72554e2770e2a1500dbae20fc603
eb394c695b961bff8813b2369e64fecc9b1742a934eeda706b3b87d836
325555f1cb
        EAP-Message =
0x25399be1adcd2944c15b78169fbfbb9b15269e94c8882dc7b9e3e57fe36158f9445904
18b935c779a4d19d5416030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3233e8ac062396376b95baab46ff3932
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=38,
length=150
        User-Name = "deyoungb"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0xcd50d811b2bd62c6131965d2a98ec598
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52618
        State = 0x3233e8ac062396376b95baab46ff3932
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    rlm_realm: No '\' in User-Name = "deyoungb", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
  modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  eaptls_verify returned 3
  eaptls_process returned 3
    TLS_accept:error in SSLv3 read client certificate A
  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 38 to 43.191.108.31:1645
        EAP-Message = 0x010500061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2a59d5433efbf6567da0c6b9c10eab2e
Finished request 2
Going to the next request
Waking up in 6 seconds.


Here is another snippet from debug output, when a local user tries to
auth from XP, MSCHAP client.

-----------snip--------------
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=34,
length=146
        User-Name = "test"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0xdc3a1578cac294fb244a5592d95b9a97
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52567
        State = 0x3233e8ac06239637866e7bccf095f26e
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    rlm_realm: No '\' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched test at 93
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  eaptls_verify returned 3
  eaptls_process returned 3
    TLS_accept:error in SSLv3 read client certificate A
  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 34 to 43.191.108.31:1645
        EAP-Message = 0x010500061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2a59d5433efbf6562cf7f44fe38cdae4
Finished request 2
Going to the next request
Waking up in 6 seconds..
---------snip----------------------


Here is a sanitized version of eap.conf (included from radiusd.conf)
----------snip------------------

#       $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $

        eap {
                default_eap_type = peap
#               default_eap_type = md5

                timer_expire     = 60

                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

                md5 {
                }

                leap {
                }

                gtc {
                        #  The default challenge, which many clients
                        #  ignore..
                        #challenge = "Password: "

                        auth_type = PAP
                }

                ## EAP-TLS
                #
                #  To generate ctest certificates, run the script
                #
                #       ../scripts/certs.sh
                #
                #  The documents on http://www.freeradius.org/doc
                #  are old, but may be helpful.
                #
                #  See also:
                #
                #
http://www.dslreports.com/forum/remark,9286052~mode=flat
                #
                tls {
                        private_key_password = "This has been sanitized"
                        private_key_file = ${raddbdir}/certs/cert-srv.pem

                        certificate_file = ${raddbdir}/certs/cert-srv.pem

                        #  Trusted Root CA list
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem

                        dh_file = ${raddbdir}/certs/dh
                        random_file = /dev/urandom

                        fragment_size = 1024

                        include_length = yes

                #       check_crl = yes

                #       check_cert_cn = %{User-Name}
                }


                #ttls {

                #       default_eap_type = md5

                #       copy_request_to_tunnel = no

                #       use_tunneled_reply = no                
                           
                #}


                peap {
                        default_eap_type = mschapv2
                }

                mschapv2 {
                }
        }

------------------snip-------------------------------------------

Here is the full radiusd.conf (comments removed for brevity)

-----------------snip--------------------------------------

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id: radiusd.conf.in,v 1.188 2004/05/13 20:10:19 pnixon Exp $
##

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/radiusd.pid

user = radiusd
group = radiusd

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *
#bind_address = 43.191.104.39

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  The default port that most NAS boxes use is 1645, which is historical.
#  RFC 2138 defines 1812 to be the new port.  Many new servers and
#  NAS boxes use 1812, which can create interoperability problems.
#
#  The port is defined here to be 0 so that the server will pick up
#  the machine's local configuration for the radius port, as defined
#  in /etc/services.
#

port = 0


#  If you comment out the "bind_address" and "port" configuration entries,
#  then it becomes possible to make the server accept only accounting,
#  or authentication packets.  Previously, it always listened for both
#  types of packets, and it was impossible to make it listen for only
#  one type of packet.
#
#listen {
        #  IP address on which to listen.
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        #       wildcard    (*)
#       ipaddr = *

        #  Port on which to listen.
        #  Allowed values are:
        #       integer port number (1812)
        #       0 means "use /etc/services for the proper port"
#       port = 0

        #  Type of packets to listen for.
        #  Allowed values are:
        #       auth    listen for authentication packets
        #       acct    listen for accounting packets
        #
#       type = auth
#}

hostname_lookups = no


allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log_stripped_names = no

log_auth = no

log_auth_badpass = no
log_auth_goodpass = no

usercollide = no

# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

security {

        max_attributes = 200

        reject_delay = 1

        status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


$INCLUDE  ${confdir}/clients.conf

snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {

        start_servers = 5

        max_servers = 32

        min_spare_servers = 3
        max_spare_servers = 10

        max_requests_per_server = 0
}


modules {

        pap {
                encryption_scheme = crypt
        }

        chap {
                authtype = CHAP
        }

        pam {
                pam_auth = radiusd
        }

        unix {
                cache = no

                cache_reload = 600

                radwtmp = ${logdir}/radwtmp
        }


$INCLUDE ${confdir}/eap.conf

        mschap {
               
                authtype = MS-CHAP
               
                #use_mppe = no

                #require_encryption = yes

                #require_strong = yes

                with_ntdomain_hack = no

                # Be VERY careful when editing the following line!
                #
####ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

####ntlm_auth = "/usr/bin/ntlm_auth --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


        }


        ldap {
                server = "ldap.your.domain"

                # identity = "cn=admin,o=My Org,c=UA"
                # password = mypass
                basedn = "o=My Org,c=UA"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                # base_filter = "(objectclass=radiusprofile)"

                start_tls = no

                # tls_cacertfile        = /path/to/cacert.pem
                # tls_cacertdir         = /path/to/ca/dir/
                # tls_certfile          = /path/to/radius.crt
                # tls_keyfile           = /path/to/radius.key
                # tls_randfile          = /path/to/rnd
                # tls_require_cert      = "demand"

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                #
                # NOTICE: The password_header directive is NOT case insensitive
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes
        }

        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
#
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
#
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }

        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }


        checkval {
                item-name = Calling-Station-Id

                check-name = Calling-Station-Id

                data-type = string
        }
       

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints

                with_ascend_hack = no
                ascend_channels_per_line = 23

                with_ntdomain_hack = no

                with_specialix_jetstream_hack = no

                with_cisco_vsa_hack = no
        }


        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users

                compat = no
        }


        detail {

                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

                detailperm = 0600
        }


        # detail auth_log {
                # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

        # }

        # detail reply_log {
        # }

        # detail pre_proxy_log {
                # detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d

                # detailperm = 0600
        # }

        # detail post_proxy_log {
                # detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d

                # detailperm = 0600
        # }


        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }


        $INCLUDE  ${confdir}/sql.conf


        radutmp {

                filename = ${logdir}/radutmp

                username = %{User-Name}

                case_sensitive = yes

                check_with_nas = yes

                perm = 0600

                callerid = "yes"
        }


        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }

        attr_filter {
                attrsfile = ${confdir}/attrs
        }


        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }


        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }

        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        expr {
        }

        digest {
        }

        exec {
                wait = yes
                input_pairs = request
        }

        exec echo {

                wait = yes

                program = "/bin/echo %{User-Name}"

                input_pairs = request

                output_pairs = reply

        }

        ippool main_pool {

                range-start = 192.168.1.1
                range-stop = 192.168.3.254

                netmask = 255.255.255.0

                cache-size = 800

                session-db = ${raddbdir}/db.ippool

                ip-index = ${raddbdir}/db.ipindex

                override = no

                maximum-timeout = 0
        }

}

instantiate {

        exec

        expr

}

authorize {

        preprocess

#       auth_log

#       attr_filter

        chap

        mschap

#       digest

#       IPASS

        suffix

        ntdomain

        eap

        files


#       sql


#       etc_smbpasswd

#       ldap

#       daily

#       checkval
}


#  Authentication.

authenticate {

        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

#       digest

#       pam

        unix

#       Auth-Type LDAP {
#               ldap
#       }


        eap
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        preprocess

        acct_unique

#       IPASS
        suffix
#       ntdomain

        files
}

#
#  Accounting.  Log the accounting data.
#
accounting {

        detail
#       daily

        unix

        radutmp
#       sradutmp

#       main_pool

#       sql

#       pgsql-voip

}


#  Session database, used for checking Simultaneous-Use. Either the radutmp

session {
        radutmp

#       sql
}


#  Post-Authentication

post-auth {
        #  Get an address from the IP Pool.
#       main_pool

#       reply_log

#       sql

#       Post-Auth-Type REJECT {
#               insert-module-name-here
#       }

}

pre-proxy {
#       attr_rewrite

#       pre_proxy_log
}

post-proxy {
        #

#       post_proxy_log

#       attr_rewrite

#       attr_filter

        eap
}

--------------------snip--------------------------------------------



Here's my users file:


--------------------snip-----------------

#       http://www.freeradius.org/rfc/attributes.html

#lameuser       Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."

#DEFAULT        Group == "disabled", Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."

#test   Auth-Type := MS-CHAP, User-Password == "testing"
#       Service-Type = Framed-User,
#       Framed-Protocol = PPP,
#       Framed-IP-Address = 43.191.0.0/16,
#       Framed-IP-Netmask = 255.255.0.0,
#       Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
#       Framed-MTU = 1500,
#       Framed-Compression = Van-Jacobsen-TCP-IP

#test Auth-Type = Local, Password = "wrongpw"
#test User-Password == "testing", MS-CHAP-Use-NTLM-Auth = No

test    User-Password == "testing", MS-Chap-Use-NTLM-Auth := 0


DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP



# On no match, the user is denied access.

---------snip---------------------------------

You are truly noble for reading this far.

Thanks!
~Brandon



Brandon S. DeYoung
Network Administration Supervisor
Sony Technology Center, San Diego
[hidden email]




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SSL Problem???

Alan DeKok
"DeYoung, Brandon" <[hidden email]> wrote:
> I *believe* this snippet from my debug output shows the problem:
>
> ----snip-----
>   eaptls_process returned 3
>     TLS_accept:error in SSLv3 read client certificate A
>   rlm_eap_peap: EAPTLS_SUCCESS
> -----snip------
>
> This would *seem* to indicate a problem with my certificate generation.

  No, because it returns success.  SSL is looking for a client
certificate, and PEAP doesn't need one.  SSL is then "helpful", and
prints out error messages.

  The rest of your debug log shows that the client just stops talking
to the server.  Odds are they're XP SP2 boxes, where MS broke EAP.

  Alan DeKok.
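Alan's point above (an OpenSSL "read client certificate" error is noise when rlm_eap_peap then reports EAPTLS_SUCCESS, because PEAP does not require a client certificate) can be turned into a small triage check over radiusd -X output, so that the benign case is not mistaken for a certificate problem. This is an added example, not code from FreeRADIUS or from anyone in this thread; the first sample is the three debug lines Brandon quoted, and the EAPTLS_FAIL line in the second sample is constructed for illustration.

```python
"""Triage of FreeRADIUS debug output around the PEAP/TLS handshake.

Added example for this thread, not FreeRADIUS code. It encodes one rule:
a 'TLS_accept:error in ... read client certificate ...' line that is later
followed by 'rlm_eap_peap: EAPTLS_SUCCESS' is benign (PEAP needs no client
certificate); a TLS_accept error with no later success line is a real
handshake failure and does point at the certificate/key/CA setup.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# OpenSSL state-machine error as printed by FreeRADIUS 1.x, e.g.
#   TLS_accept:error in SSLv3 read client certificate A
TLS_ERROR_RE = re.compile(r"TLS_accept:error in (?P<state>.+?)\s*$")
PEAP_SUCCESS_RE = re.compile(r"rlm_eap_peap: EAPTLS_SUCCESS")
# Substring of the OpenSSL state that means "waiting for a client cert".
CLIENT_CERT_STATE = "read client certificate"


@dataclass
class Verdict:
    status: str                 # benign | tls_failure | review | ok | no_tls_activity
    reason: str
    tls_errors: List[str] = field(default_factory=list)


def triage_peap_debug(lines: Iterable[str]) -> Verdict:
    """Classify one handshake's worth of debug lines (any iterable of str)."""
    tls_errors: List[str] = []
    success_seen = False
    success_after_error = False
    for raw in lines:
        line = raw.strip()
        m = TLS_ERROR_RE.search(line)
        if m:
            tls_errors.append(m.group("state"))
            # A fresh error after a success means the handshake is still
            # unresolved; require a success line *after* the last error.
            success_after_error = False
            continue
        if PEAP_SUCCESS_RE.search(line):
            success_seen = True
            if tls_errors:
                success_after_error = True

    if tls_errors and success_after_error:
        if all(CLIENT_CERT_STATE in e for e in tls_errors):
            return Verdict(
                "benign",
                "OpenSSL asked for a client certificate but PEAP completed; "
                "PEAP does not need one, so this is not a certificate problem",
                tls_errors,
            )
        return Verdict(
            "review",
            "TLS completed but an unexpected OpenSSL error state was logged",
            tls_errors,
        )
    if tls_errors:
        return Verdict(
            "tls_failure",
            "TLS_accept error with no later EAPTLS_SUCCESS; check the server "
            "certificate, private key and CA chain",
            tls_errors,
        )
    if success_seen:
        return Verdict("ok", "TLS phase completed without errors")
    return Verdict("no_tls_activity", "no TLS/PEAP lines in this excerpt")


# The three lines Brandon posted.
POSTED_SNIPPET = [
    "  eaptls_process returned 3",
    "    TLS_accept:error in SSLv3 read client certificate A",
    "  rlm_eap_peap: EAPTLS_SUCCESS",
]

# Constructed sample of a real failure: same OpenSSL error, but the PEAP
# module never reports success (the EAPTLS_FAIL line is made up here).
CONSTRUCTED_FAILURE = [
    "    TLS_accept:error in SSLv3 read client certificate A",
    "  rlm_eap_peap: EAPTLS_FAIL",
]

if __name__ == "__main__":
    for name, sample in (("posted", POSTED_SNIPPET), ("constructed", CONSTRUCTED_FAILURE)):
        v = triage_peap_debug(sample)
        print(f"{name}: {v.status}: {v.reason}")
```

Run it over a whole radiusd -X capture with `triage_peap_debug(open("debug.log"))`; for a log containing many handshakes, split on the per-request boundaries first so that one client's success does not mask another client's failure.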


Re: SSL Problem???

Jamie Crawford
In reply to this post by DeYoung, Brandon
In the statement "Odds are they're XP SP2 boxes, where MS broke EAP" what exactly is broken?  Will XP SP2 not work with PEAP?

thanks,
jamie



Jamie Crawford, MCSE RHCT Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone:6605434357
Email:[hidden email]


Re: SSL Problem???

Alan DeKok
"Jamie Crawford" <[hidden email]> wrote:
> In the statement "Odds are they're XP SP2 boxes, where MS broke EAP"
> what exactly is broken.  Will XP SP2 not work with PEAP?

  It won't.

  This was discussed on the list last week.

  Alan DeKok.

RE: SSL Problem???

DeYoung, Brandon
In reply to this post by DeYoung, Brandon
Thanks for the response, Alan.
My clients are WinXP SP2 boxes. I have several hundred of these which
had been working fine for the last 6 months...until my server blew up.
In fact I had more problems getting this setup to work with SP1 and made
it a policy for everyone to put SP2 on before I would configure wireless
for them.

Any other thoughts/workarounds?
~Brandon




RE: SSL Problem???

DeYoung, Brandon
In reply to this post by DeYoung, Brandon
I managed to fix this. Something was whackinated in my certificate
generation process. I followed the howto here:
http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html 

And all works well, even with XP SP2.
~Brandon

