RADIUS is mostly working apart from the final stage:
I went back and visited each configuration file.
More info below.
radtest and radeapclient passed.
===========================================================
radeapclient
===========================================================
( echo "User-Name = \"steve\""; \
echo "Cleartext-Password = \"testing\""; \
echo "EAP-Code = Response"; \
echo "EAP-Id = 210"; \
echo "EAP-Type-Identity = \"steve\""; \
echo "Message-Authenticator = 0x00"; ) | \
radeapclient -x 127.0.0.1 auth testing123
[root@localhost ~]# ( echo "User-Name = \"steve\""; \
> echo "Cleartext-Password = \"testing\""; \
> echo "EAP-Code = Response"; \
> echo "EAP-Id = 210"; \
> echo "EAP-Type-Identity = \"steve\""; \
> echo "Message-Authenticator = 0x00"; ) | \
> radeapclient -x 127.0.0.1 auth testing123
Sending Access-Request packet to host 127.0.0.1 port 1812, id=248, length=0
User-Name = "steve"
Cleartext-Password = "testing"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "steve"
Message-Authenticator = 0x00
EAP-Message = 0x02d2000a017374657665
rad_recv: Access-Request packet from host 127.0.0.1 port 41640, id=248, length=57
User-Name = "steve"
Message-Authenticator = 0x4fc4db29fcb26901ab1ba874df49276d
EAP-Message = 0x02d2000a017374657665
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 210 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 248 to 127.0.0.1 port 41640
EAP-Message = 0x01d30016041045d96dbd6f315e0bf94fb03e18fdb52c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=248, length=80
EAP-Message = 0x01d30016041045d96dbd6f315e0bf94fb03e18fdb52c
Message-Authenticator = 0x23d8989d4cd311e775fb944cae8bd9c3
State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x1045d96dbd6f315e0bf94fb03e18fdb52c
Sending Access-Request packet to host 127.0.0.1 port 1812, id=249, length=57
User-Name = "steve"
Cleartext-Password = "testing"
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
EAP-Type-MD5 = 0x106fd2692b305d022523887b8df5d1c611
State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
EAP-Message = 0x02d3001604106fd2692b305d022523887b8df5d1c611
rad_recv: Access-Request packet from host 127.0.0.1 port 41640, id=249, length=87
User-Name = "steve"
Message-Authenticator = 0x32c12f3847342e17edf14ba27dc257fa
State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
EAP-Message = 0x02d3001604106fd2692b305d022523887b8df5d1c611
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 211 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
++[reply] returns noop
Sending Access-Accept of id 249 to 127.0.0.1 port 41640
EAP-Message = 0x03d30004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "steve"
Chargeable-User-Identity = "moonshot"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Received Access-Accept packet from host 127.0.0.1 port 1812, id=249, length=61
EAP-Message = 0x03d30004
Message-Authenticator = 0xd2955a116e5931bcdcad9f7872e039d0
User-Name = "steve"
Chargeable-User-Identity = "moonshot"
EAP-Id = 211
EAP-Code = Success
[root@localhost ~]# Cleaning up request 4 ID 248 with timestamp +3580
Cleaning up request 5 ID 249 with timestamp +3580
Ready to process requests.
==========================================================================
This is where it fails:
[steve@localhost ~]$ /opt/moonshot/bin/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" 127.0.0.1 host@localhost bar
Sending init_sec_context token (size=38)...continue needed...
CTRL-EVENT-EAP-STARTED EAP authentication started
Sending init_sec_context token (size=30)...continue needed...
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
Sending init_sec_context token (size=46)...continue needed...
GSS-API error initializing context: Invalid token was supplied
GSS-API error initializing context: Missing required inner token
Probably a RADIUS configuration error:
Go back and check each file:
[steve@localhost ~]$ cat /home/steve/.gss_eap_id
steve testing
[steve@localhost ~]$
============================================================
/etc/raddb/users:
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
steve Cleartext-Password := "testing"
============================================================
/etc/raddb/sites-enabled/inner-tunnel
update outer.reply {
User-Name = "%{request:User-Name}"
}
===========================================================
/etc/raddb/eap.conf
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = md5
============================================================
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
=============================================================
[root@localhost ~]# cat /etc/radsec.conf
dictionary = "/etc/raddb/dictionary"
realm gss-eap {
type = "UDP"
timeout = 5
retries = 3
server {
hostname = "127.0.0.1"
service = "1812"
secret = "testing123"
}
}
=============================================================
Typo? ~/.gsseap_id ???
[steve@localhost ~]$ cat .gss_eap_id
steve testing
=============================================================
Typo? "/etc/radsc.conf"
=============================================================
[root@localhost ~]# cat /etc/shibboleth/attribute-map.xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:89" id="local-login-user"/>
</Attributes>
=============================================================
[root@localhost ~]# cat /etc/shibboleth/shibboleth2.xml | grep -n -C 5 GSSAPI
85-
86- <!-- Map to extract attributes from SAML assertions. -->
87- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
88-
89- <!-- WARNING: The order of statements is important --->
90: <AttributeExtractor type="GSSAPI" validate="true" path="attribute-map.xml"/>
91-
92- <!-- Use a SAML query if no attributes are supplied during SSO. -->
93- <AttributeResolver type="Query" subjectMatch="true"/>
94-
95- <!-- Default filtering policy for recognized attributes, lets other data pass. -->
=============================================================
[root@localhost ~]# cat /etc/gss/mech
#
# Sample mechanism glue configuration for EAP GSS mechanism.
#
# Any encryption type supported by Kerberos can be defined as the
# last element of the OID arc.
#
eap-aes128 1.3.6.1.4.1.5322.22.1.17 mech_eap.so
eap-aes256 1.3.6.1.4.1.5322.22.1.18 mech_eap.so
==============================================================
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] WARNING NAS did not set User-Name. Setting it locally from EAP Identity
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 50019
EAP-Message = 0x010100160410830cb9b9db0e99f7b53564b0cf060222
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d5c1be50d4c5c038fc13647aff8d5a
Finished request 0.
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] Broken NAS did not set User-Name, setting from EAP Identity
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
============================================================
[root@localhost ~]# radtest steve testing 127.0.0.1 1812 testing123
Sending Access-Request of id 130 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=130, length=30
Chargeable-User-Identity = "moonshot"
==========================================================
rad_recv: Access-Request packet from host 127.0.0.1 port 44236, id=130, length=57
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
++[reply] returns noop
Sending Access-Accept of id 130 to 127.0.0.1 port 44236
Chargeable-User-Identity = "moonshot"
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 130 with timestamp +1739
Ready to process requests.
==========================================================
More detailed:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Threads: total/active/spare threads = 5/0/5
Waking up in 0.9 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
[<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] WARNING NAS did not set User-Name. Setting it locally from EAP Identity
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Finished request 0.
Going to the next request
Thread 5 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
[<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] Broken NAS did not set User-Name, setting from EAP Identity
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
expand: BAA: bad password received -> BAA: bad password received
Login incorrect: [@/<via Auth-Type = EAP>] (from client localhost port 0) BAA: bad password received
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> @
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Thread 4 waiting to be assigned a request
Sending delayed reject for request 1
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +27
Waking up in 1.0 seconds.
Cleaning up request 1 ID 2 with timestamp +27
Ready to process requests.
[root@localhost ~]#
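The radeapclient run above is a complete EAP-MD5 conversation carried in RADIUS EAP-Message attributes: Identity response, MD5-Challenge request, MD5-Challenge response, Success. The following is an added example (not code from the post, FreeRADIUS or Moonshot) that decodes those four EAP-Message values into their EAP fields and re-derives the MD5 response the way the server side has to, from Identifier, cleartext password and challenge. The packet hex strings are copied from the radeapclient trace; the password `testing` and the second, constructed challenge/response pair used in the usage section are assumptions for the demonstration. It shows concretely why rlm_eap_md5 reports that it needs Cleartext-Password in the failing trace: without the cleartext secret it cannot recompute the digest and so cannot decide the result.

```python
"""Decode EAP-Message attribute values from a radiusd -X / radeapclient trace and
verify an EAP-MD5 challenge/response pair against a cleartext password.
Added example; packet values copied from the post, password is an assumption."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5 = 4
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP-Message values taken verbatim from the radeapclient exchange in the post.
IDENTITY_RESPONSE = "0x02d2000a017374657665"
MD5_CHALLENGE = "0x01d30016041045d96dbd6f315e0bf94fb03e18fdb52c"
MD5_RESPONSE = "0x02d3001604106fd2692b305d022523887b8df5d1c611"
SUCCESS = "0x03d30004"


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int] = None      # absent on Success / Failure
    identity: Optional[str] = None      # Type 1 (Identity) payload
    md5_value: Optional[bytes] = None   # Type 4 (MD5-Challenge) Value field
    name: bytes = b""                   # Type 4 optional trailing Name field

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"code-{self.code}")


def parse_eap_message(hex_attr: str) -> EapPacket:
    """Decode one EAP-Message value ("0x...") per RFC 3748:
    Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; for MD5-Challenge the
    Type-Data is Value-Size(1) Value(Value-Size bytes) Name(rest)."""
    raw = hex_attr[2:] if hex_attr[:2].lower() == "0x" else hex_attr
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):  # Length must cover the whole packet
        raise ValueError(f"EAP Length {length} disagrees with {len(data)} bytes present")
    pkt = EapPacket(code=code, identifier=identifier, length=length)
    if code in (3, 4):  # Success / Failure carry only the header
        return pkt
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    pkt.eap_type = data[4]
    body = data[5:]
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        pkt.identity = body.decode("utf-8", errors="replace")
    elif pkt.eap_type == EAP_TYPE_MD5:
        if not body or len(body) < 1 + body[0]:
            raise ValueError("MD5-Challenge Value truncated")
        size = body[0]
        pkt.md5_value = body[1:1 + size]
        pkt.name = body[1 + size:]
    return pkt


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 is CHAP (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_exchange(challenge_hex: str, response_hex: str, password: bytes) -> bool:
    """Server-side check of a challenge/response pair. This is the step that
    needs the cleartext password: the digest cannot be recomputed without it."""
    chal = parse_eap_message(challenge_hex)
    resp = parse_eap_message(response_hex)
    if chal.eap_type != EAP_TYPE_MD5 or resp.eap_type != EAP_TYPE_MD5:
        return False
    if chal.identifier != resp.identifier:  # the response must answer this challenge
        return False
    expected = md5_response(resp.identifier, password, chal.md5_value)
    return hmac.compare_digest(expected, resp.md5_value)


if __name__ == "__main__":
    for label, attr in [("identity", IDENTITY_RESPONSE), ("challenge", MD5_CHALLENGE),
                        ("response", MD5_RESPONSE), ("success", SUCCESS)]:
        p = parse_eap_message(attr)
        value = p.md5_value.hex() if p.md5_value else None
        print(f"{label:9} {p.code_name:8} id={p.identifier} len={p.length} "
              f"type={p.eap_type} identity={p.identity} value={value}")
    # Assumed password for the captured exchange; prints whether it verifies.
    print("captured response verifies with 'testing':",
          verify_md5_exchange(MD5_CHALLENGE, MD5_RESPONSE, b"testing"))
```

Running it decodes the Identity response as id 210 for "steve", the challenge and response as id 211 with 16-byte MD5 values, and the Success as a bare 4-byte header; the last line reports whether the captured response verifies under the assumed password, which is exactly the decision the server makes in the authenticate section when a Cleartext-Password is available.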
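The detailed trace at the end carries the diagnosis in three lines that are easy to miss among the module output: "[files] returns noop", the pap warning that no "known good" password was found, and "rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication", with "expand: %{User-Name} -> @" showing which User-Name the lookup ran against. As an added example (not part of the post), here is a small triage script that reads a radiusd -X trace, collects per-module return codes, Auth-Type, EAP type and the expanded User-Name, flags those warnings, and states the reading that follows from them. The sample trace is constructed from lines of the failing run quoted in the post; the finding codes and the explanation text are my own.

```python
"""Triage a FreeRADIUS debug trace (radiusd -X): module return codes, warnings
and outcome, so the cause of an EAP-MD5 reject is visible at a glance.
Added example; SAMPLE_TRACE is constructed from the failing trace in the post."""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_TRACE = """\
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 22
++[eap] returns updated
++[files] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
[eap] Broken NAS did not set User-Name, setting from EAP Identity
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [@/<via Auth-Type = EAP>] (from client localhost port 0) BAA: bad password received
[attr_filter.access_reject] expand: %{User-Name} -> @
"""

MODULE_RE = re.compile(r"^\++\[(?P<module>[\w.-]+)\] returns (?P<rcode>\w+)$")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (?P<t>\S+)$")
EAP_TYPE_RE = re.compile(r"^\[eap\] processing type (?P<t>\w+)$")
USER_NAME_RE = re.compile(r"expand: %\{User-Name\} -> (?P<n>.*)$")

# (pattern in the trace, finding code, what it tells the operator)
FINDINGS = [
    (re.compile(r"NAS did not set User-Name"), "user-name-missing",
     "request had no User-Name; rlm_eap filled it from the EAP Identity"),
    (re.compile(r'No "known good" password'), "no-known-good-password",
     "no module supplied a Cleartext-Password for this identity"),
    (re.compile(r"Cleartext-Password is required for EAP-MD5"), "eap-md5-needs-cleartext",
     "rlm_eap_md5 cannot recompute the MD5 response without the cleartext password"),
]


def triage(trace: str) -> Dict[str, object]:
    """Walk the trace once and collect the facts a reviewer looks for."""
    modules: Dict[str, List[str]] = defaultdict(list)
    report: Dict[str, object] = {"auth_type": None, "eap_type": None, "user_name": None,
                                 "modules": modules, "findings": [], "outcome": "unknown"}
    findings: List[str] = report["findings"]  # type: ignore[assignment]
    for line in trace.splitlines():
        line = line.strip()
        if m := MODULE_RE.match(line):
            modules[m["module"]].append(m["rcode"])
        elif m := AUTH_TYPE_RE.match(line):
            report["auth_type"] = m["t"]
        elif m := EAP_TYPE_RE.match(line):
            report["eap_type"] = m["t"]
        elif m := USER_NAME_RE.search(line):
            report["user_name"] = m["n"]
        if line.startswith("Sending Access-Accept"):
            report["outcome"] = "accept"
        elif line.startswith(("Login incorrect", "Failed to authenticate")):
            report["outcome"] = "reject"
        for pat, code, _meaning in FINDINGS:
            if pat.search(line) and code not in findings:
                findings.append(code)
    return report


def explain(report: Dict[str, object]) -> str:
    """State the reading: files returned noop (no users entry matched the
    User-Name the request carried), so nothing handed rlm_eap_md5 a password."""
    modules: Dict[str, List[str]] = report["modules"]  # type: ignore[assignment]
    if "eap-md5-needs-cleartext" in report["findings"] and modules.get("files") == ["noop"]:
        return (f"EAP-MD5 rejected: users file matched no entry for User-Name "
                f"{report['user_name']!r}, so no Cleartext-Password reached rlm_eap_md5")
    return f"outcome={report['outcome']} findings={report['findings']}"


if __name__ == "__main__":
    r = triage(SAMPLE_TRACE)
    for mod, codes in r["modules"].items():  # type: ignore[union-attr]
        print(f"{mod:12} {' -> '.join(codes)}")
    print("Auth-Type:", r["auth_type"], "EAP type:", r["eap_type"], "User-Name:", r["user_name"])
    print("findings:", r["findings"])
    print(explain(r))
```

Feeding it the full trace from the post rather than the excerpt gives the same findings; the useful comparison is against the radeapclient run, where files returns ok (entry "steve" matched) and no finding fires, which narrows the difference between the two runs to the identity the request arrives with.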