Another case of the wiki eating formatting - .gss_eap_id should be on two lines, first line user, second line password.
Regards,
Adam Bishop
JANET(UK)
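The point above, as an added example that is not code from this thread or from mech_eap: a small Python check that reads a .gss_eap_id file under the two-line convention described (identity on line 1, password on line 2) and flags the one-line "steve testing" form quoted below. The file-mode check in check_file is a general precaution assumed here, not something the thread states.

```python
"""Check a mech_eap ~/.gss_eap_id file for the layout described in the
reply above: line 1 = identity, line 2 = password.

Added example, not mech_eap's own parser; it only reports how a file
reads under that two-line convention."""
import os
import stat
from typing import List, Tuple

def parse_gss_eap_id(text: str) -> Tuple[str, str, List[str]]:
    """Return (identity, password, problems) for the file contents."""
    problems: List[str] = []
    lines = text.splitlines()
    # Ignore trailing blank lines so "user\npass\n" still counts as two.
    while lines and lines[-1].strip() == "":
        lines.pop()
    if not lines:
        return "", "", ["file is empty"]
    if len(lines) == 1:
        ident = lines[0]
        # The wiki-ate-the-newline case: "steve testing" on one line is
        # taken as the identity, and there is no password line at all.
        if " " in ident.strip():
            problems.append("single line contains whitespace; user and "
                            "password must be on separate lines")
        else:
            problems.append("no password line (expected line 2)")
        return ident, "", problems
    if len(lines) > 2:
        problems.append(f"{len(lines)} lines; only the first two are used")
    ident, password = lines[0], lines[1]
    if ident.strip() == "":
        problems.append("identity line is blank")
    if password == "":
        problems.append("password line is blank")
    return ident, password, problems

def check_file(path: str) -> List[str]:
    """Parse the file at path. The mode check is a general precaution
    assumed here (the file holds a cleartext password), not a rule
    stated in the thread."""
    with open(path, encoding="utf-8") as fh:
        _, _, problems = parse_gss_eap_id(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode)} is readable by group/other")
    return problems

if __name__ == "__main__":
    # Constructed inputs: the one-line file from the thread and the fix.
    for sample in ("steve testing\n", "steve\ntesting\n"):
        print(repr(sample), "->", parse_gss_eap_id(sample))
```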
On 10 Nov 2011, at 00:13, Brian Abram wrote:
> Radius is mostly working apart from the final stage:
>
> I went back and visited each configuration file
>
> more info below
>
> radtest and radeapclient passed
>
> ===========================================================
> radeapclient
> ===========================================================
> ( echo "User-Name = \"steve\""; \
> echo "Cleartext-Password = \"testing\""; \
> echo "EAP-Code = Response"; \
> echo "EAP-Id = 210"; \
> echo "EAP-Type-Identity = \"steve\""; \
> echo "Message-Authenticator = 0x00"; ) | \
> radeapclient -x 127.0.0.1 auth testing123
>
>
> [root@localhost ~]# ( echo "User-Name = \"steve\""; \
> > echo "Cleartext-Password = \"testing\""; \
> > echo "EAP-Code = Response"; \
> > echo "EAP-Id = 210"; \
> > echo "EAP-Type-Identity = \"steve\""; \
> > echo "Message-Authenticator = 0x00"; ) | \
> > radeapclient -x 127.0.0.1 auth testing123
> Sending Access-Request packet to host 127.0.0.1 port 1812, id=248, length=0
> User-Name = "steve"
> Cleartext-Password = "testing"
> EAP-Code = Response
> EAP-Id = 210
> EAP-Type-Identity = "steve"
> Message-Authenticator = 0x00
> EAP-Message = 0x02d2000a017374657665
> rad_recv: Access-Request packet from host 127.0.0.1 port 41640, id=248, length=57
> User-Name = "steve"
> Message-Authenticator = 0x4fc4db29fcb26901ab1ba874df49276d
> EAP-Message = 0x02d2000a017374657665
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "steve", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 210 length 10
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry steve at line 76
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 248 to 127.0.0.1 port 41640
> EAP-Message = 0x01d30016041045d96dbd6f315e0bf94fb03e18fdb52c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> Received Access-Challenge packet from host 127.0.0.1 port 1812, id=248, length=80
> EAP-Message = 0x01d30016041045d96dbd6f315e0bf94fb03e18fdb52c
> Message-Authenticator = 0x23d8989d4cd311e775fb944cae8bd9c3
> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
> EAP-Id = 211
> EAP-Code = Request
> EAP-Type-MD5 = 0x1045d96dbd6f315e0bf94fb03e18fdb52c
> Sending Access-Request packet to host 127.0.0.1 port 1812, id=249, length=57
> User-Name = "steve"
> Cleartext-Password = "testing"
> EAP-Code = Response
> EAP-Id = 211
> Message-Authenticator = 0x00000000000000000000000000000000
> EAP-Type-MD5 = 0x106fd2692b305d022523887b8df5d1c611
> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
> EAP-Message = 0x02d3001604106fd2692b305d022523887b8df5d1c611
> rad_recv: Access-Request packet from host 127.0.0.1 port 41640, id=249, length=87
> User-Name = "steve"
> Message-Authenticator = 0x32c12f3847342e17edf14ba27dc257fa
> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
> EAP-Message = 0x02d3001604106fd2692b305d022523887b8df5d1c611
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "steve", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 211 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry steve at line 76
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/md5
> [eap] processing type md5
> [eap] Freeing handler
> ++[eap] returns ok
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> ++[reply] returns noop
> Sending Access-Accept of id 249 to 127.0.0.1 port 41640
> EAP-Message = 0x03d30004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "steve"
> Chargeable-User-Identity = "moonshot"
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Received Access-Accept packet from host 127.0.0.1 port 1812, id=249, length=61
> EAP-Message = 0x03d30004
> Message-Authenticator = 0xd2955a116e5931bcdcad9f7872e039d0
> User-Name = "steve"
> Chargeable-User-Identity = "moonshot"
> EAP-Id = 211
> EAP-Code = Success
> [root@localhost ~]# Cleaning up request 4 ID 248 with timestamp +3580
> Cleaning up request 5 ID 249 with timestamp +3580
> Ready to process requests.
> ===========================================================================
>
> This is where it fails:
>
> [steve@localhost ~]$ /opt/moonshot/bin/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" 127.0.0.1 host@localhost bar
>
> Sending init_sec_context token (size=38)...continue needed...
> CTRL-EVENT-EAP-STARTED EAP authentication started
> Sending init_sec_context token (size=30)...continue needed...
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
> Sending init_sec_context token (size=46)...continue needed...
> GSS-API error initializing context: Invalid token was supplied
> GSS-API error initializing context: Missing required inner token
>
> Probably a RADIUS configuration error:
>
> Go back and check each file:
>
> [steve@localhost ~]$ cat /home/steve/.gss_eap_id
> steve testing
> [steve@localhost ~]$
>
> ============================================================
>
> /etc/raddb/users:
>
> # This is a complete entry for "steve". Note that there is no Fall-Through
> # entry so that no DEFAULT entry will be used, and the user will NOT
> # get any attributes in addition to the ones listed here.
> # steve Cleartext-Password := "testing"
>
> ============================================================
>
> /etc/raddb/sites-enabled/inner-tunnel
>
>
> update outer.reply {
> User-Name = "%{request:User-Name}"
> }
>
> ===========================================================
> /etc/raddb/eap.conf
>
> ttls {
> # The tunneled EAP session needs a default
> # EAP type which is separate from the one for
> # the non-tunneled EAP module. Inside of the
> # TTLS tunnel, we recommend using EAP-MD5.
> # If the request does not contain an EAP
> # conversation, then this configuration entry
> # is ignored.
> default_eap_type = md5
>
>
> ============================================================
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> }
>
> Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
> attr_filter attr_filter.access_reject {
> attrsfile = "/etc/raddb/attrs.access_reject"
> key = "%{User-Name}"
> }
>
> =============================================================
> [root@localhost ~]# cat /etc/radsec.conf
>
> dictionary = "/etc/raddb/dictionary"
>
> realm gss-eap {
> type = "UDP"
> timeout = 5
> retries = 3
> server {
> hostname = "127.0.0.1"
> service = "1812"
> secret = "testing123"
> }
> }
>
>
> =============================================================
> typo ??? ~/.gsseap_id ???
>
> [steve@localhost ~]$ cat .gss_eap_id
> steve testing
>
> =============================================================
>
> Typo? "/etc/radsc.conf"
>
> =============================================================
>
> [root@localhost ~]# cat /etc/shibboleth/attribute-map.xml
> <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:89" id="local-login-user"/>
> </Attributes>
>
> =============================================================
>
> [root@localhost ~]# cat /etc/shibboleth/shibboleth2.xml | grep -n -C 5 GSSAPI
> 85-
> 86- <!-- Map to extract attributes from SAML assertions. -->
> 87- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
> 88-
> 89- <!-- WARNING: The order of statements is important --->
> 90: <AttributeExtractor type="GSSAPI" validate="true" path="attribute-map.xml"/>
> 91-
> 92- <!-- Use a SAML query if no attributes are supplied during SSO. -->
> 93- <AttributeResolver type="Query" subjectMatch="true"/>
> 94-
> 95- <!-- Default filtering policy for recognized attributes, lets other data pass. -->
>
> =============================================================
> [root@localhost ~]# cat /etc/gss/mech
> #
> # Sample mechanism glue configuration for EAP GSS mechanism.
> #
> # Any encryption type supported by Kerberos can be defined as the
> # last element of the OID arc.
> #
> eap-aes128 1.3.6.1.4.1.5322.22.1.17 mech_eap.so
> eap-aes256 1.3.6.1.4.1.5322.22.1.18 mech_eap.so
> ==============================================================
>
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
>
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] WARNING NAS did not set User-Name. Setting it locally from EAP Identity
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 127.0.0.1 port 50019
> EAP-Message = 0x010100160410830cb9b9db0e99f7b53564b0cf060222
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x50d5c1be50d4c5c038fc13647aff8d5a
> Finished request 0.
>
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Proxy reply, or no User-Name. Ignoring.
> ++[suffix] returns ok
> [eap] EAP packet type response id 1 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] Broken NAS did not set User-Name, setting from EAP Identity
> [eap] EAP/md5
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
> [eap] Handler failed in EAP/md5
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
>
> ============================================================
> [root@localhost ~]# radtest steve testing 127.0.0.1 1812 testing123
> Sending Access-Request of id 130 to 127.0.0.1 port 1812
> User-Name = "steve"
> User-Password = "testing"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 1812
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=130, length=30
> Chargeable-User-Identity = "moonshot"
> ==========================================================
> rad_recv: Access-Request packet from host 127.0.0.1 port 44236, id=130, length=57
> User-Name = "steve"
> User-Password = "testing"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 1812
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "steve", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry steve at line 76
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "testing"
> [pap] User authenticated successfully
> ++[pap] returns ok
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> ++[reply] returns noop
> Sending Access-Accept of id 130 to 127.0.0.1 port 44236
> Chargeable-User-Identity = "moonshot"
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 3 ID 130 with timestamp +1739
> Ready to process requests.
> ==========================================================
> More detailed:
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
> Threads: total/active/spare threads = 5/0/5
> Waking up in 0.9 seconds.
> Thread 5 got semaphore
> Thread 5 handling request 0, (1 handled so far)
> [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
> [<thread>] +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Proxy reply, or no User-Name. Ignoring.
> ++[suffix] returns ok
> [eap] EAP packet type response id 0 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] WARNING NAS did not set User-Name. Setting it locally from EAP Identity
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Finished request 0.
> Going to the next request
> Thread 5 waiting to be assigned a request
> Waking up in 0.9 seconds.
> Thread 4 got semaphore
> Thread 4 handling request 1, (1 handled so far)
> [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
> [<thread>] +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Proxy reply, or no User-Name. Ignoring.
> ++[suffix] returns ok
> [eap] EAP packet type response id 1 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] Broken NAS did not set User-Name, setting from EAP Identity
> [eap] EAP/md5
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
> [eap] Handler failed in EAP/md5
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> expand: BAA: bad password received -> BAA: bad password received
> Login incorrect: [@/<via Auth-Type = EAP>] (from client localhost port 0) BAA: bad password received
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> @
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Thread 4 waiting to be assigned a request
> Sending delayed reject for request 1
> Waking up in 3.9 seconds.
> Cleaning up request 0 ID 0 with timestamp +27
> Waking up in 1.0 seconds.
> Cleaning up request 1 ID 2 with timestamp +27
> Ready to process requests.
> [root@localhost ~]#
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG