And it should be qualified with the realm.
Sent from my iPhone
On 10/11/2011, at 11:28 AM, Adam Bishop <[log in to unmask]> wrote:
> Another case of the wiki eating formatting - .gss_eap_id should be on two lines, first line user, second line password.
>
> Regards,
>
> Adam Bishop
> JANET(UK)
>
> On 10 Nov 2011, at 00:13, Brian Abram wrote:
>
>>
>> Radius is mostly working apart from the final stage:
>>
>> I went back and visited each configuration file
>>
>> more info below
>>
>> radtest and radeapclient passed
>>
>> ===========================================================
>> radeapclient
>> ===========================================================
>> ( echo "User-Name = \"steve\""; \
>> echo "Cleartext-Password = \"testing\""; \
>> echo "EAP-Code = Response"; \
>> echo "EAP-Id = 210"; \
>> echo "EAP-Type-Identity = \"steve\""; \
>> echo "Message-Authenticator = 0x00"; ) | \
>> radeapclient -x 127.0.0.1 auth testing123
>>
>>
>> [root@localhost ~]# ( echo "User-Name = \"steve\""; \
>>> echo "Cleartext-Password = \"testing\""; \
>>> echo "EAP-Code = Response"; \
>>> echo "EAP-Id = 210"; \
>>> echo "EAP-Type-Identity = \"steve\""; \
>>> echo "Message-Authenticator = 0x00"; ) | \
>>> radeapclient -x 127.0.0.1 auth testing123
>> Sending Access-Request packet to host 127.0.0.1 port 1812, id=248, length=0
>> User-Name = "steve"
>> Cleartext-Password = "testing"
>> EAP-Code = Response
>> EAP-Id = 210
>> EAP-Type-Identity = "steve"
>> Message-Authenticator = 0x00
>> EAP-Message = 0x02d2000a017374657665
>> rad_recv: Access-Request packet from host 127.0.0.1 port 41640, id=248, length=57
>> User-Name = "steve"
>> Message-Authenticator = 0x4fc4db29fcb26901ab1ba874df49276d
>> EAP-Message = 0x02d2000a017374657665
>> # Executing section authorize from file /etc/raddb/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "steve", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] EAP packet type response id 210 length 10
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> [files] users: Matched entry steve at line 76
>> ++[files] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING: Auth-Type already set. Not setting to PAP
>> ++[pap] returns noop
>> Found Auth-Type = EAP
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group authenticate {...}
>> [eap] EAP Identity
>> [eap] processing type md5
>> rlm_eap_md5: Issuing Challenge
>> ++[eap] returns handled
>> Sending Access-Challenge of id 248 to 127.0.0.1 port 41640
>> EAP-Message = 0x01d30016041045d96dbd6f315e0bf94fb03e18fdb52c
>> Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
>> Finished request 4.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Received Access-Challenge packet from host 127.0.0.1 port 1812, id=248, length=80
>> EAP-Message = 0x01d30016041045d96dbd6f315e0bf94fb03e18fdb52c
>> Message-Authenticator = 0x23d8989d4cd311e775fb944cae8bd9c3
>> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
>> EAP-Id = 211
>> EAP-Code = Request
>> EAP-Type-MD5 = 0x1045d96dbd6f315e0bf94fb03e18fdb52c
>> Sending Access-Request packet to host 127.0.0.1 port 1812, id=249, length=57
>> User-Name = "steve"
>> Cleartext-Password = "testing"
>> EAP-Code = Response
>> EAP-Id = 211
>> Message-Authenticator = 0x00000000000000000000000000000000
>> EAP-Type-MD5 = 0x106fd2692b305d022523887b8df5d1c611
>> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
>> EAP-Message = 0x02d3001604106fd2692b305d022523887b8df5d1c611
>> rad_recv: Access-Request packet from host 127.0.0.1 port 41640, id=249, length=87
>> User-Name = "steve"
>> Message-Authenticator = 0x32c12f3847342e17edf14ba27dc257fa
>> State = 0xe86a6bd0e8b96f2e95e26f7124d14b38
>> EAP-Message = 0x02d3001604106fd2692b305d022523887b8df5d1c611
>> # Executing section authorize from file /etc/raddb/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "steve", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] EAP packet type response id 211 length 22
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> [files] users: Matched entry steve at line 76
>> ++[files] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING: Auth-Type already set. Not setting to PAP
>> ++[pap] returns noop
>> Found Auth-Type = EAP
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP/md5
>> [eap] processing type md5
>> [eap] Freeing handler
>> ++[eap] returns ok
>> # Executing section post-auth from file /etc/raddb/sites-enabled/default
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> ++[reply] returns noop
>> Sending Access-Accept of id 249 to 127.0.0.1 port 41640
>> EAP-Message = 0x03d30004
>> Message-Authenticator = 0x00000000000000000000000000000000
>> User-Name = "steve"
>> Chargeable-User-Identity = "moonshot"
>> Finished request 5.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Received Access-Accept packet from host 127.0.0.1 port 1812, id=249, length=61
>> EAP-Message = 0x03d30004
>> Message-Authenticator = 0xd2955a116e5931bcdcad9f7872e039d0
>> User-Name = "steve"
>> Chargeable-User-Identity = "moonshot"
>> EAP-Id = 211
>> EAP-Code = Success
>> [root@localhost ~]# Cleaning up request 4 ID 248 with timestamp +3580
>> Cleaning up request 5 ID 249 with timestamp +3580
>> Ready to process requests.
>> ===========================================================================
>>
>> This is where it fails:
>>
>> [steve@localhost ~]$ /opt/moonshot/bin/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" 127.0.0.1 host@localhost bar
>>
>> Sending init_sec_context token (size=38)...continue needed...
>> CTRL-EVENT-EAP-STARTED EAP authentication started
>> Sending init_sec_context token (size=30)...continue needed...
>> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
>> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
>> Sending init_sec_context token (size=46)...continue needed...
>> GSS-API error initializing context: Invalid token was supplied
>> GSS-API error initializing context: Missing required inner token
>>
>> Probably a RADIUS configuration error:
>>
>> Go back and check each file:
>>
>> [steve@localhost ~]$ cat /home/steve/.gss_eap_id
>> steve testing
>> [steve@localhost ~]$
>>
>> ============================================================
>>
>> /etc/raddb/users:
>>
>> # This is a complete entry for "steve". Note that there is no Fall-Through
>> # entry so that no DEFAULT entry will be used, and the user will NOT
>> # get any attributes in addition to the ones listed here.
>> # steve Cleartext-Password := "testing"
>>
>> ============================================================
>>
>> /etc/raddb/sites-enabled/inner-tunnel
>>
>>
>> update outer.reply {
>> User-Name = "%{request:User-Name}"
>> }
>>
>> ===========================================================
>> /etc/raddb/eap.conf
>>
>> ttls {
>> # The tunneled EAP session needs a default
>> # EAP type which is separate from the one for
>> # the non-tunneled EAP module. Inside of the
>> # TTLS tunnel, we recommend using EAP-MD5.
>> # If the request does not contain an EAP
>> # conversation, then this configuration entry
>> # is ignored.
>> default_eap_type = md5
>>
>>
>> ============================================================
>> Module: Instantiating eap-ttls
>> ttls {
>> default_eap_type = "md5"
>> copy_request_to_tunnel = no
>> use_tunneled_reply = no
>> virtual_server = "inner-tunnel"
>> include_length = yes
>> }
>>
>> Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
>> attr_filter attr_filter.access_reject {
>> attrsfile = "/etc/raddb/attrs.access_reject"
>> key = "%{User-Name}"
>> }
>>
>> =============================================================
>> [root@localhost ~]# cat /etc/radsec.conf
>>
>> dictionary = "/etc/raddb/dictionary"
>>
>> realm gss-eap {
>> type = "UDP"
>> timeout = 5
>> retries = 3
>> server {
>> hostname = "127.0.0.1"
>> service = "1812"
>> secret = "testing123"
>> }
>> }
>>
>>
>> =============================================================
>> typo ??? ~/.gsseap_id ???
>>
>> [steve@localhost ~]$ cat .gss_eap_id
>> steve testing
>>
>> =============================================================
>>
>> Typo? "/etc/radsc.conf"
>>
>> =============================================================
>>
>> [root@localhost ~]# cat /etc/shibboleth/attribute-map.xml
>> <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>> <GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:89" id="local-login-user"/>
>> </Attributes>
>>
>> =============================================================
>>
>> [root@localhost ~]# cat /etc/shibboleth/shibboleth2.xml | grep -n -C 5 GSSAPI
>> 85-
>> 86- <!-- Map to extract attributes from SAML assertions. -->
>> 87- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>> 88-
>> 89- <!-- WARNING: The order of statements is important --->
>> 90: <AttributeExtractor type="GSSAPI" validate="true" path="attribute-map.xml"/>
>> 91-
>> 92- <!-- Use a SAML query if no attributes are supplied during SSO. -->
>> 93- <AttributeResolver type="Query" subjectMatch="true"/>
>> 94-
>> 95- <!-- Default filtering policy for recognized attributes, lets other data pass. -->
>>
>> =============================================================
>> [root@localhost ~]# cat /etc/gss/mech
>> #
>> # Sample mechanism glue configuration for EAP GSS mechanism.
>> #
>> # Any encryption type supported by Kerberos can be defined as the
>> # last element of the OID arc.
>> #
>> eap-aes128 1.3.6.1.4.1.5322.22.1.17 mech_eap.so
>> eap-aes256 1.3.6.1.4.1.5322.22.1.18 mech_eap.so
>> ==============================================================
>>
>> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
>> Listening on proxy address * port 1814
>> Ready to process requests.
>>
>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = EAP
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group authenticate {...}
>> [eap] WARNING NAS did not set User-Name. Setting it locally from EAP Identity
>> [eap] EAP Identity
>> [eap] processing type md5
>> rlm_eap_md5: Issuing Challenge
>> ++[eap] returns handled
>> Sending Access-Challenge of id 0 to 127.0.0.1 port 50019
>> EAP-Message = 0x010100160410830cb9b9db0e99f7b53564b0cf060222
>> Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0x50d5c1be50d4c5c038fc13647aff8d5a
>> Finished request 0.
>>
>> # Executing section authorize from file /etc/raddb/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] Proxy reply, or no User-Name. Ignoring.
>> ++[suffix] returns ok
>> [eap] EAP packet type response id 1 length 22
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = EAP
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] Broken NAS did not set User-Name, setting from EAP Identity
>> [eap] EAP/md5
>> [eap] processing type md5
>> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
>> [eap] Handler failed in EAP/md5
>> [eap] Failed in EAP select
>> ++[eap] returns invalid
>> Failed to authenticate the user.
>>
>> ============================================================
>> [root@localhost ~]# radtest steve testing 127.0.0.1 1812 testing123
>> Sending Access-Request of id 130 to 127.0.0.1 port 1812
>> User-Name = "steve"
>> User-Password = "testing"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=130, length=30
>> Chargeable-User-Identity = "moonshot"
>> ==========================================================
>> rad_recv: Access-Request packet from host 127.0.0.1 port 44236, id=130, length=57
>> User-Name = "steve"
>> User-Password = "testing"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>> # Executing section authorize from file /etc/raddb/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "steve", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> [files] users: Matched entry steve at line 76
>> ++[files] retu
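
A small helper script, added here as an illustration and not part of any message in the thread or of the Moonshot/FreeRADIUS code: it writes ~/.gss_eap_id in the two-line layout Adam describes (identity on line 1, password on line 2) with the identity qualified by a realm, refuses the one-line "steve testing" form, insists on mode 0600 since the file holds a cleartext password, and scans a FreeRADIUS debug log for the two lines that appear together in the failing run above ("[files] returns noop" followed by "Cleartext-Password is required for EAP-MD5"). The realm example.org, the file paths and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Realm, paths and log
# lines below are made up for illustration.

# write_gss_eap_id FILE USER@REALM PASSWORD
# Writes the two-line credential file: identity, then password.
write_gss_eap_id() {
    file=$1; ident=$2; pass=$3
    ( umask 077; printf '%s\n%s\n' "$ident" "$pass" > "$file" )
    chmod 600 "$file"
}

# check_gss_eap_id FILE
# Returns 0 when the file has exactly two lines, a realm-qualified identity
# with no embedded space, a non-empty password and mode 0600; otherwise
# prints the problem and returns 1.
check_gss_eap_id() {
    file=$1
    [ -f "$file" ] || { echo "missing $file"; return 1; }
    # awk counts a final line even without a trailing newline
    lines=$(awk 'END { print NR }' "$file")
    [ "$lines" -eq 2 ] || { echo "expected 2 lines (identity, password), got $lines"; return 1; }
    ident=$(sed -n 1p "$file")
    case "$ident" in
        *' '*) echo "identity '$ident' contains a space: user and password belong on separate lines"; return 1 ;;
        *@*)   ;;
        *)     echo "identity '$ident' is not realm-qualified (expected user@realm)"; return 1 ;;
    esac
    [ -n "$(sed -n 2p "$file")" ] || { echo "password line is empty"; return 1; }
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = 600 ] || { echo "mode $mode, expected 600 (file holds a cleartext password)"; return 1; }
    return 0
}

# triage_radius_log FILE
# Prints one hint per recognised symptom in a radiusd -X transcript.
triage_radius_log() {
    while IFS= read -r line; do
        case "$line" in
            *'[files] returns noop'*)
                echo "users file matched nothing for the identity sent; compare line 1 of .gss_eap_id with the users entry" ;;
            *'Cleartext-Password is required for EAP-MD5'*)
                echo "EAP-MD5 cannot run without a known-good password; nothing supplied Cleartext-Password for this identity" ;;
            *'No such realm'*)
                echo "suffix found no usable realm; qualify the identity as user@realm and define that realm in proxy.conf" ;;
        esac
    done < "$1"
}
```

Run check_gss_eap_id against the real file before retrying gss-client; the one-line "steve testing" form is rejected with a message saying why, and triage_radius_log gives a quick read of a saved radiusd -X log without re-reading the whole transcript.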