
Freeradius 2x and Mac wireless Authentication Big Headache

Posted: Sat Aug 14, 2010 1:32 pm
by binhorp
Hello everyone!

I'm having a problem authenticating wireless MAC addresses with FreeRADIUS and MikroTik; in February on "1171" it was fine.

I use Debian Lenny 5.5 with Postgres and PHP and can authenticate hotspot, PPPoE, DHCP, Winbox, SSH etc. ... but wireless MAC authentication is hard.

I tried the attribute "User-Password" and got this in the log:

Sat Aug 14 00:55:02 2010: Auth: Login incorrect: [00:05:9E:8B:11:35/00:05:9E:8B:11:35] (from client SERVIDOR port 0 cli 00-05-9E-8B-11-35)

With the attribute "Password":

Sat Aug 14 00:56:09 2010: Auth: Login incorrect (rlm_pap: empty password supplied): [00:05:9E:89:4B:09/] (from client SERVIDOR port 0 cli 00-05-9E-89-4B-09)

With the attribute "Cleartext-Password":

Sat Aug 14 00:56:10 2010: Auth: Login incorrect: [00:05:9E:83:BB:DA/] (from client SERVIDOR port 0 cli 00-05-9E-83-BB-DA)



I wonder if anyone has ever had this problem and could shed some light on it, as I have searched the net ten times over and found no solution.

Below is one of my FreeRADIUS debug outputs.

Thank you for your attention!



Starting - reading configuration files ...

including configuration file /etc/freeradius/radiusd.conf

including configuration file /etc/freeradius/proxy.conf

including configuration file /etc/freeradius/clients.conf

including configuration file /etc/freeradius/snmp.conf

including configuration file /etc/freeradius/eap.conf

including configuration file /etc/freeradius/sql.conf

including configuration file /etc/freeradius/sql/postgresql/dialup.conf

including configuration file /etc/freeradius/sql/postgresql/counter.conf

including configuration file /etc/freeradius/policy.conf

including files in directory /etc/freeradius/sites-enabled/

including configuration file /etc/freeradius/sites-enabled/inner-tunnel

including configuration file /etc/freeradius/sites-enabled/default

including dictionary file /etc/freeradius/dictionary

main {

prefix = "/usr"

localstatedir = "/var"

logdir = "/var/log/freeradius"

libdir = "/usr/lib/freeradius"

radacctdir = "/var/log/freeradius/radacct"

hostname_lookups = no

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

allow_core_dumps = yes

pidfile = "/var/run/freeradius/freeradius.pid"

user = "freerad"

group = "freerad"

checkrad = "/usr/sbin/checkrad"

debug_level = 0

proxy_requests = no

security {

max_attributes = 200

reject_delay = 1

status_server = no

}

}

client 187.28.xxx.x {

require_message_authenticator = no

secret = "*******"

shortname = "SERVIDOR"

nastype = "other"

}

client 187.28.xxx.x {

require_message_authenticator = no

secret = "teste"

shortname = "SERVIDOR_VIRTUAL_MIKROTIK_BINHO"

nastype = "other"

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

retry_delay = 5

retry_count = 3

default_fallback = no

dead_time = 120

wake_all_if_all_dead = no

}

home_server localhost {

ipaddr = 127.0.0.1

port = 1812

type = "auth"

secret = "testing123"

response_window = 20

max_outstanding = 65536

zombie_period = 40

status_check = "status-server"

ping_check = "none"

ping_interval = 30

check_interval = 30

num_answers_to_alive = 3

num_pings_to_alive = 3

revive_interval = 120

status_check_timeout = 4

}

home_server_pool my_auth_failover {

type = fail-over

home_server = localhost

}

realm example.com {

auth_pool = my_auth_failover

}

realm LOCAL {

}

radiusd: #### Instantiating modules ####

instantiate {

Module: Linked to module rlm_exec

Module: Instantiating exec

exec {

wait = yes

input_pairs = "request"

shell_escape = yes

}

Module: Linked to module rlm_expr

Module: Instantiating expr

Module: Linked to module rlm_expiration

Module: Instantiating expiration

expiration {

reply-message = "Password Has Expired "

}

Module: Linked to module rlm_logintime

Module: Instantiating logintime

logintime {

reply-message = "You are calling outside your allowed timespan "

minimum-timeout = 60

}

}

radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

modules {

Module: Checking authenticate {...} for more modules to load

Module: Linked to module rlm_pap

Module: Instantiating pap

pap {

encryption_scheme = "auto"

auto_header = no

}

Module: Linked to module rlm_chap

Module: Instantiating chap

Module: Linked to module rlm_mschap

Module: Instantiating mschap

mschap {

use_mppe = yes

require_encryption = no

require_strong = no

with_ntdomain_hack = no

}

Module: Linked to module rlm_unix

Module: Instantiating unix

unix {

radwtmp = "/var/log/freeradius/radwtmp"

}

Module: Linked to module rlm_eap

Module: Instantiating eap

eap {

default_eap_type = "md5"

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

}

Module: Linked to sub-module rlm_eap_md5

Module: Instantiating eap-md5

Module: Linked to sub-module rlm_eap_leap

Module: Instantiating eap-leap

Module: Linked to sub-module rlm_eap_gtc

Module: Instantiating eap-gtc

gtc {

challenge = "Password: "

auth_type = "PAP"

}

rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.

rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.

rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.

Module: Linked to sub-module rlm_eap_mschapv2

Module: Instantiating eap-mschapv2

mschapv2 {

with_ntdomain_hack = no

}

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_realm

Module: Instantiating suffix

realm suffix {

format = "suffix"

delimiter = "@"

ignore_default = no

ignore_null = no

}

Module: Linked to module rlm_files

Module: Instantiating files

files {

usersfile = "/etc/freeradius/users"

acctusersfile = "/etc/freeradius/acct_users"

compat = "no"

}

Module: Checking session {...} for more modules to load

Module: Linked to module rlm_radutmp

Module: Instantiating radutmp

radutmp {

filename = "/var/log/freeradius/radutmp"

username = "%{User-Name}"

case_sensitive = yes

check_with_nas = yes

perm = 384

callerid = yes

}

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

Module: Linked to module rlm_attr_filter

Module: Instantiating attr_filter.access_reject

attr_filter attr_filter.access_reject {

attrsfile = "/etc/freeradius/attrs.access_reject"

key = "%{User-Name}"

}

}

}

server {

modules {

Module: Checking authenticate {...} for more modules to load

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_preprocess

Module: Instantiating preprocess

preprocess {

huntgroups = "/etc/freeradius/huntgroups"

hints = "/etc/freeradius/hints"

with_ascend_hack = no

ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no

with_alvarion_vsa_hack = no

}

Module: Linked to module rlm_sql

Module: Instantiating sql

sql {

driver = "rlm_sql_postgresql"

server = "localhost"

port = ""

login = "*******"

password = "*******"

radius_db = "sis-prov"

read_groups = yes

sqltrace = yes

sqltracefile = "/var/log/freeradius/sqltrace.sql"

readclients = yes

deletestalesessions = yes

num_sql_socks = 5

sql_user_name = "%{User-Name}"

default_user_profile = ""

connect_failure_retry_delay = 60

simul_count_query = ""

simul_verify_query = ""

postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

}

rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked

rlm_sql (sql): Attempting to connect to admin@localhost:/sagu

rlm_sql (sql): starting 0

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0

rlm_sql (sql): Connected new DB handle, #0

rlm_sql (sql): starting 1

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1

rlm_sql (sql): Connected new DB handle, #1

rlm_sql (sql): starting 2

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #2

rlm_sql (sql): Connected new DB handle, #2

rlm_sql (sql): starting 3

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #3

rlm_sql (sql): Connected new DB handle, #3

rlm_sql (sql): starting 4

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4

rlm_sql (sql): Connected new DB handle, #4

rlm_sql (sql): Processing generate_sql_clients

rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas

rlm_sql (sql): Reserving sql socket id: 4

rlm_sql_postgresql: query: SELECT id, nasname, shortname, type, secret FROM nas

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 5

rlm_sql (sql): Released sql socket id: 4

Module: Checking preacct {...} for more modules to load

Module: Linked to module rlm_acct_unique

Module: Instantiating acct_unique

acct_unique {

key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

}

Module: Checking accounting {...} for more modules to load

Module: Instantiating attr_filter.accounting_response

attr_filter attr_filter.accounting_response {

attrsfile = "/etc/freeradius/attrs.accounting_response"

key = "%{User-Name}"

}

Module: Checking session {...} for more modules to load

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

}

}

radiusd: #### Opening IP addresses and Ports ####

listen {

type = "auth"

ipaddr = *

port = 0

Re: Freeradius 2x and Mac wireless Authentication Big Headache

Posted: Sat Aug 14, 2010 1:51 pm
by SurferTim
I do not see any authentication attempt in the debug output. Skip all the radius startup responses, and post the results of a login transaction from the router. You might want to post any router log entries about the transaction also.

Maybe your startup post was incomplete, but as I recall, "radiusd -X" finishes startup with something like:
Waiting for input

Re: Freeradius 2x and Mac wireless Authentication Big Headache

Posted: Sat Aug 14, 2010 2:34 pm
by binhorp
Thanks SurferTim.
Below is part of the debug output from an authentication attempt.
Thank you for your attention!

rad_recv: Access-Request packet from host 187.28.126.3 port 39327, id=92, length=147
Service-Type = Framed-User
NAS-Port-Id = "wlan3"
User-Name = "00:05:9E:83:C9:AF"
Calling-Station-Id = "00-05-9E-83-C9-AF"
Called-Station-Id = "00-02-6F-30-36-BD:Speed_BP1"
User-Password = ""
NAS-Identifier = "SERVIDOR_BOA_PASSAGEM"
NAS-IP-Address = 187.28.126.3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "00:05:9E:83:C9:AF", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> 00:05:9E:83:C9:AF
rlm_sql (sql): sql_set_user escaped user --> '00:05:9E:83:C9:AF'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '00:05:9E:83:C9:AF' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '00:05:9E:83:C9:AF' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM usergroup WHERE UserName='00:05:9E:83:C9:AF' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='00:05:9E:83:C9:AF' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): User 00:05:9E:83:C9:AF not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [00:05:9E:83:C9:AF/] (from client SERVIDOR_BOA_PASSAGEM port 0 cli 00-05-9E-83-C9-AF)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 00:05:9E:83:C9:AF
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 30 for 1 seconds
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 187.28.126.3 port 38425, id=90, length=147
Waiting to send Access-Reject to client SERVIDOR_BOA_PASSAGEM port 38425 - ID: 90
Waking up in 0.1 seconds.
Sending delayed reject for request 27
Sending Access-Reject of id 89 to 187.28.126.3 port 58907
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 187.28.126.3 port 52102, id=91, length=147
Waiting to send Access-Reject to client SERVIDOR_BOA_PASSAGEM port 52102 - ID: 91
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 187.28.126.3 port 39327, id=92, length=147
Waiting to send Access-Reject to client SERVIDOR_BOA_PASSAGEM port 39327 - ID: 92
Waking up in 0.1 seconds.

Re: Freeradius 2x and Mac wireless Authentication Big Headache

Posted: Sat Aug 14, 2010 2:43 pm
by SurferTim
Here is the important part. Looks like it may be the default Auth-Type in your radius setup.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Check your radiusd.conf file in the 'authenticate' section.

ADD: Are you certain this user is in your SQL database? I just saw this above the Auth-Type message.
rlm_sql (sql): User 00:05:9E:83:C9:AF not found

Re: Freeradius 2x and Mac wireless Authentication Big Headache

Posted: Sat Aug 14, 2010 10:31 pm
by binhorp
My config is as follows.
I have tried several configs and so far I could not make it work.

authorize {
    preprocess
    pap
    chap
    mschap

    suffix

    eap {
        ok = return
    }

    unix

    files
    sql
    expiration
    logintime
}

authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    unix

    eap
}
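The following is an added example, not FreeRADIUS code and not something posted in this thread. It is a small Python model of the FreeRADIUS 2.x decision path that the debug output above shows (rlm_sql fetching the radcheck rows and reporting "User ... not found", rlm_pap warning about no "known good" password, the core rejecting with "No authenticate method (Auth-Type) configuration found", and the "rlm_pap: empty password supplied" line from the first post). It lets the three radcheck attributes tried in the first post, and the position of `pap` relative to `sql` in the `authorize` section posted just above, be tested offline. The request is constructed from the Access-Request in the debug (MAC as User-Name, empty User-Password); the second request variant assumes the NAS is configured to send the MAC as the password as well (on RouterOS this is the security profile's radius-mac-mode setting, an assumption about the poster's setup). The radcheck rows are constructed test data in the column order of the radcheck table queried in the debug: (UserName, Attribute, Op, Value).

```python
"""Model of the FreeRADIUS 2.x authorize/authenticate path for a MAC-as-username
request. Added example; behaviour modelled:
  * rlm_sql loads the radcheck rows for User-Name and runs paircompare() on them.
    Rows with Op ':=' are control items and are never compared; rows with '=='
    must equal the attribute in the request. Any failed comparison makes the
    module log "User <name> not found" even though the query returned rows.
  * rlm_pap (authorize) sets Auth-Type = PAP only if it already has a known-good
    password (Cleartext-Password) and the request carries User-Password, so it
    has to run after the module that supplies the password. In authenticate it
    rejects an empty User-Password ("rlm_pap: empty password supplied").
  * No Auth-Type after authorize -> "No authenticate method (Auth-Type)
    configuration found"; Auth-Type := Accept skips authentication entirely.
"""

MAC = "00:05:9E:83:C9:AF"  # the client from the debug output

# Constructed from the Access-Request in the debug: MAC as User-Name, empty password.
REQUEST_EMPTY_PW = {"User-Name": MAC, "User-Password": "",
                    "Calling-Station-Id": "00-05-9E-83-C9-AF"}
# Assumed variant: the NAS also sends the MAC as the password.
REQUEST_MAC_PW = dict(REQUEST_EMPTY_PW, **{"User-Password": MAC})


def paircompare(request, check_items):
    """':='/'+=' items are skipped; '==' needs an equal value in the request;
    an attribute missing from the request fails unless Op is '!*'."""
    for attr, op, value in check_items:
        if op in (":=", "+="):
            continue
        if attr not in request:
            if op == "!*":
                continue
            return False
        if op == "==" and request[attr] != value:
            return False
        if op == "!=" and request[attr] == value:
            return False
    return True


def sql_authorize(request, radcheck, control):
    """rlm_sql authorize. radcheck rows are (UserName, Attribute, Op, Value)."""
    rows = [(a, op, v) for (u, a, op, v) in radcheck if u == request["User-Name"]]
    if not rows or not paircompare(request, rows):
        return "notfound"  # logged as "User <name> not found"
    control.update({a: v for (a, op, v) in rows if op == ":="})
    return "ok"


def pap_authorize(request, radcheck, control):
    """rlm_pap authorize: sets Auth-Type only when it can actually do PAP."""
    if "Auth-Type" in control:
        return "noop"
    if "Cleartext-Password" not in control:
        return "noop"  # 'No "known good" password found for the user'
    if "User-Password" not in request:
        return "noop"  # 'No clear-text password in the request'
    control["Auth-Type"] = "PAP"
    return "updated"


MODULES = {"sql": sql_authorize, "pap": pap_authorize}


def run(request, radcheck, authorize_order=("sql", "pap")):
    """Run the authorize modules in the given order, then authenticate.
    Returns 'accept' or 'reject: <reason the server would log>'."""
    control = {}
    for name in authorize_order:
        MODULES[name](request, radcheck, control)
    auth_type = control.get("Auth-Type")
    if auth_type is None:
        return "reject: No authenticate method (Auth-Type) configuration found"
    if auth_type == "Accept":
        return "accept"
    if auth_type == "PAP":
        if request["User-Password"] == "":
            return "reject: rlm_pap: empty password supplied"
        if request["User-Password"] == control["Cleartext-Password"]:
            return "accept"
        return "reject: rlm_pap: CLEAR TEXT password check failed"
    return "reject: unhandled Auth-Type %s" % auth_type


if __name__ == "__main__":
    cases = [
        ("User-Password == MAC, NAS sends MAC as password", REQUEST_MAC_PW, [(MAC, "User-Password", "==", MAC)], ("sql", "pap")),
        ("User-Password == MAC, NAS sends empty password", REQUEST_EMPTY_PW, [(MAC, "User-Password", "==", MAC)], ("sql", "pap")),
        ("Cleartext-Password := MAC, empty password", REQUEST_EMPTY_PW, [(MAC, "Cleartext-Password", ":=", MAC)], ("sql", "pap")),
        ("Cleartext-Password := MAC, MAC as password", REQUEST_MAC_PW, [(MAC, "Cleartext-Password", ":=", MAC)], ("sql", "pap")),
        ("Cleartext-Password := MAC, MAC as password, pap before sql", REQUEST_MAC_PW, [(MAC, "Cleartext-Password", ":=", MAC)], ("pap", "sql")),
        ("Auth-Type := Accept, empty password", REQUEST_EMPTY_PW, [(MAC, "Auth-Type", ":=", "Accept")], ("sql", "pap")),
    ]
    for label, req, rows, order in cases:
        print("%-60s -> %s" % (label, run(req, rows, order)))
```

Each tuple in the lists maps straight onto a radcheck row. Two things the model makes visible: a row whose Op is '==' on an attribute the NAS does not send (or sends with a different value) is what turns "query affected rows = 2" into "User ... not found", and `pap` listed before `sql` in `authorize` never sees the Cleartext-Password that `sql` supplies, so Auth-Type is never set. Accepting on the MAC alone (Auth-Type := Accept) is an access list, not authentication: a MAC address is trivially spoofed by anyone who can see it on the air.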

Re: Freeradius 2x and Mac wireless Authentication Big Headache

Posted: Sun Aug 15, 2010 12:16 am
by SurferTim
The radius debug shows the user 00:05:9E:83:C9:AF not found. Is this user in your database?