Hi,
/etc/radsec.conf contains:
realm gss-eap {
    type = "UDP"
    timeout = 5
    retries = 3
    server {
        hostname = "localhost"
        service = "1812"
        secret = "testing123"
    }
}
I've tried the following for hostname (restarting freeradius and
gss-server each time) with no difference in behaviour:
moonshot-test.is.ed.ac.uk
127.0.0.1
Finally, iptables isn't running on the box at the moment, which I think
(hope?) rules out the possibility of it being a firewall issue ;-)
Finally, just to make sure that radiusd is indeed working and listening
as it claims, I tried telnetting to port 1812 first (connection refused),
but having done a little bit of reading I should be using radtest/radclient.
I've just installed freeradius-utils and tried the following:
[root@moonshot-test ~]# radtest steve testing localhost 10 testing123
Sending Access-Request of id 56 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 129.215.17.225
NAS-Port = 10
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=56,
length=679
SAML-AAA-Assertion = "<saml:Assertion
xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"
IssueInstant=\"2011-03-19T08:30:00Z\" ID=\"foo\" Version=\"2.0\">"
SAML-AAA-Assertion =
"<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer><saml:AttributeStatement>"
SAML-AAA-Assertion = "<saml:Attribute
NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"
Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.6\"><saml:AttributeValue>steve@local</saml:AttributeValue></saml:Attribute>"
SAML-AAA-Assertion = "<saml:Attribute
NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"
Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>"
SAML-AAA-Assertion = "</saml:AttributeStatement></saml:Assertion>"
So going direct to radius appears to work but gss-server doesn't want to
relay through radiusd? Any ideas?
On 09/07/13 11:12, Stefan Paetow wrote:
> Hi Mark,
>
> What does your /etc/radsec.conf file look like?
>
> It should contain this:
>
> realm gss-eap {
>     type = "UDP"
>     timeout = 5
>     retries = 3
>     server {
>         hostname = "freeradius host name" (can be 127.0.0.1)
>         service = "1812"
>         secret = " radius secret"
>     }
> }
>
> Also, check that on CentOS, the firewall has ports 1812-1814 open. :-)
>
> Stefan
>
>
>> -----Original Message-----
>> From: Moonshot community list [mailto:MOONSHOT-
>> [log in to unmask]] On Behalf Of Mark Cairney
>> Sent: 09 July 2013 11:09
>> To: [log in to unmask]
>> Subject: gss-server not talking to freeradius?
>>
>> Hi,
>>
>> I've been following the new instructions on how to set up a test
>> service on Centos. I'm using standard Centos 6.4 and as far as I can
>> tell have followed the instructions detailed on the wiki[1] to the
>> letter but it doesn't appear to work.
>>
>> radiusd appears to start up OK (I've included the output of it running
>> in debug as an attachment) but gss-server doesn't appear to want to
>> talk to it at all. I'm running the command:
>>
>> gss-server -verbose -logfile /tmp/gss-server.log host@moonshot-test.is.ed.ac.uk &
>> to initiate the gss-server
>>
>> I then run:
>>
>> gss-client -mech "{1.3.6.1.5.5.15.1.1.18 }" 127.0.0.1 host@moonshot-test.is.ed.ac.uk bar
>>
>> This generates the following output:
>> Sending init_sec_context token (size=53)...continue needed...
>> CTRL-EVENT-EAP-STARTED EAP authentication started
>> Sending init_sec_context token (size=29)...continue needed...
>> GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information
>> GSS-API error initializing context: Generic RADIUS failure
>>
>> The output of /tmp/gss-server.log is:
>>
>> tail /tmp/gss-server.log
>> 73 68 6f 74 2d 74 65 73 74 2e 69 73 2e 65 64 2e
>> 61 63 2e 75 6b 80 00 00 05 00 00 00 05 01 00 00
>> 05 01
>> continue needed...
>> Received token (size=29):
>> 60 1b 06 09 2b 06 01 05 05 0f 01 01 12 06 01 80
>> 00 00 04 00 00 00 06 02 00 00 06 01 40
>> Sending accept_sec_context token (size=31):
>> 60 1d 06 09 2b 06 01 05 05 0f 01 01 12 06 02 80
>> 00 00 01 00 00 00 08 00 0d 00 00 00 00 00 10
>>
>> Running either gss-server or gss-client results in no additional output
>> to radiusd beyond that which I've attached which makes me think that it
>> isn't talking to radius at all but I've no idea why.
>>
>> I should add that I have set GSSAPIStrictAcceptorCheck to no in
>> /etc/ssh/sshd_config.
>>
>>
>> [1] https://community.ja.net/groups/moonshot/wiki/getting-started-moonshot-creating-centos-6-environment
>>
>>
>>
>> --
>> /****************************
>>
>> Mark Cairney
>> ITI UNIX Section
>> Information Services
>> University of Edinburgh
>>
>> Tel: 0131 650 6565
>> Email: [log in to unmask]
>>
>> *******************************/
>>
>> The University of Edinburgh is a charitable body, registered in
>> Scotland, with registration number SC005336.
>
>
--
/****************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: [log in to unmask]
*******************************/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
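As an added example (not from this thread, FreeRADIUS or radtest), here are the integrity computations behind the radtest exchange above: how a client fills in the Message-Authenticator that radtest prints as all zeros, how the server recomputes it with the shared secret (a secret that differs between the client's radsec.conf and the server's clients.conf makes the server discard the request rather than reply), and how the client checks the Response Authenticator on the Access-Accept. The user, password, NAS-IP-Address and secret are taken from the radtest run as constructed input, and nothing is sent on the network.

```python
import hashlib, hmac, struct
# RADIUS codes and attribute types from RFC 2865 / RFC 3579
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

def attr(atype, value):
    """Encode one Type-Length-Value attribute (value must be <= 253 bytes)."""
    return bytes([atype, len(value) + 2]) + value

def pap_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(ident, secret, user, password, nas_ip, nas_port, req_auth):
    """Same packet radtest sends; the zero Message-Authenticator it prints is then overwritten."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, pap_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack(">I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, as in radtest's output
    pkt = bytearray(struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()  # HMAC-MD5 over whole packet
    return bytes(pkt)

def verify_message_authenticator(pkt, secret):
    """Server-side check: zero the attribute value and recompute HMAC-MD5 with the shared secret."""
    pos = 20
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:  # stop on a malformed zero-length attribute
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # no (valid) Message-Authenticator present

def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack(">BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response_authenticator(resp, request, secret):
    """Client-side check that an Access-Accept came from a server holding the same secret."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```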