Freeradius 2x and Mac wireless Authentication Big Headache

Hello everyone!

I’m having a problem to authenticate mac wireless freeradius mikrotik in February on “1171 was quiet”

5.5 use debian lenny postgres and php can authenticate hotspot, PPPoE, DHCP, Winbox, ssh etc … mac hard but wireless ta

I tried parameters: “User-Passord” of this in the log

Sat Aug 14 00:55:02 2010: Auth: Login incorrect: [00:05:9E:8B:11:35/00:05:9E:8B:11:35] (from client server port 0 cli 00-05-9E-8B-11-35)

attribute “Password”

Sat Aug 14 00:56:09 2010: Auth: Login incorrect (rlm_pap: empty password supplied): [00:05:9E:89:4B:09/] (from client server port 0 cli 00-05-9E-89-4B-09)

attribute “Cleartext-Password”

Sat Aug 14 00:56:10 2010: Auth: Login incorrect: [00:05:9E:83:BB:DA/] (from client server port 0 cli 00-05-9E-83-BB-DA)



I wonder if anyone ever had this problem and could give me a light as I turned the net 10 times and I find no solution.

Below is one of my freeradius debug outputs.

Thank you for your attention!



Starting - reading configuration files …

including configuration file /etc/freeradius/radiusd.conf

including configuration file /etc/freeradius/proxy.conf

including configuration file /etc/freeradius/clients.conf

including configuration file /etc/freeradius/snmp.conf

including configuration file /etc/freeradius/eap.conf

including configuration file /etc/freeradius/sql.conf

including configuration file /etc/freeradius/sql/postgresql/dialup.conf

including configuration file /etc/freeradius/sql/postgresql/counter.conf

including configuration file /etc/freeradius/policy.conf

including files in directory /etc/freeradius/sites-enabled/

including configuration file /etc/freeradius/sites-enabled/inner-tunnel

including configuration file /etc/freeradius/sites-enabled/default

including dictionary file /etc/freeradius/dictionary

main {

prefix = “/usr”

localstatedir = “/var”

logdir = “/var/log/freeradius”

libdir = “/usr/lib/freeradius”

radacctdir = “/var/log/freeradius/radacct”

hostname_lookups = no

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

allow_core_dumps = yes

pidfile = “/var/run/freeradius/freeradius.pid”

user = “freerad”

group = “freerad”

checkrad = “/usr/sbin/checkrad”

debug_level = 0

proxy_requests = no

security {

max_attributes = 200

reject_delay = 1

status_server = no

}

}

client 187.28.xxx.x {

require_message_authenticator = no

secret = “*******”

shortname = “SERVIDOR”

nastype = “other”

}

client 187.28.xxx.x {

require_message_authenticator = no

secret = “teste”

shortname = “SERVIDOR_VIRTUAL_MIKROTIK_BINHO”

nastype = “other”

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

retry_delay = 5

retry_count = 3

default_fallback = no

dead_time = 120

wake_all_if_all_dead = no

}

home_server localhost {

ipaddr = 127.0.0.1

port = 1812

type = “auth”

secret = “testing123”

response_window = 20

max_outstanding = 65536

zombie_period = 40

status_check = “status-server”

ping_check = “none”

ping_interval = 30

check_interval = 30

num_answers_to_alive = 3

num_pings_to_alive = 3

revive_interval = 120

status_check_timeout = 4

}

home_server_pool my_auth_failover {

type = fail-over

home_server = localhost

}

realm example.com {

auth_pool = my_auth_failover

}

realm LOCAL {

}

radiusd: #### Instantiating modules ####

instantiate {

Module: Linked to module rlm_exec

Module: Instantiating exec

exec {

wait = yes

input_pairs = “request”

shell_escape = yes

}

Module: Linked to module rlm_expr

Module: Instantiating expr

Module: Linked to module rlm_expiration

Module: Instantiating expiration

expiration {

reply-message = "Password Has Expired "

}

Module: Linked to module rlm_logintime

Module: Instantiating logintime

logintime {

reply-message = "You are calling outside your allowed timespan "

minimum-timeout = 60

}

}

radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

modules {

Module: Checking authenticate {…} for more modules to load

Module: Linked to module rlm_pap

Module: Instantiating pap

pap {

encryption_scheme = “auto”

auto_header = no

}

Module: Linked to module rlm_chap

Module: Instantiating chap

Module: Linked to module rlm_mschap

Module: Instantiating mschap

mschap {

use_mppe = yes

require_encryption = no

require_strong = no

with_ntdomain_hack = no

}

Module: Linked to module rlm_unix

Module: Instantiating unix

unix {

radwtmp = “/var/log/freeradius/radwtmp”

}

Module: Linked to module rlm_eap

Module: Instantiating eap

eap {

default_eap_type = “md5”

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

}

Module: Linked to sub-module rlm_eap_md5

Module: Instantiating eap-md5

Module: Linked to sub-module rlm_eap_leap

Module: Instantiating eap-leap

Module: Linked to sub-module rlm_eap_gtc

Module: Instantiating eap-gtc

gtc {

challenge = "Password: "

auth_type = “PAP”

}

rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.

rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.

rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.

Module: Linked to sub-module rlm_eap_mschapv2

Module: Instantiating eap-mschapv2

mschapv2 {

with_ntdomain_hack = no

}

Module: Checking authorize {…} for more modules to load

Module: Linked to module rlm_realm

Module: Instantiating suffix

realm suffix {

format = “suffix”

delimiter = “@”

ignore_default = no

ignore_null = no

}

Module: Linked to module rlm_files

Module: Instantiating files

files {

usersfile = “/etc/freeradius/users”

acctusersfile = “/etc/freeradius/acct_users”

compat = “no”

}

Module: Checking session {…} for more modules to load

Module: Linked to module rlm_radutmp

Module: Instantiating radutmp

radutmp {

filename = “/var/log/freeradius/radutmp”

username = “%{User-Name}”

case_sensitive = yes

check_with_nas = yes

perm = 384

callerid = yes

}

Module: Checking post-proxy {…} for more modules to load

Module: Checking post-auth {…} for more modules to load

Module: Linked to module rlm_attr_filter

Module: Instantiating attr_filter.access_reject

attr_filter attr_filter.access_reject {

attrsfile = “/etc/freeradius/attrs.access_reject”

key = “%{User-Name}”

}

}

}

server {

modules {

Module: Checking authenticate {…} for more modules to load

Module: Checking authorize {…} for more modules to load

Module: Linked to module rlm_preprocess

Module: Instantiating preprocess

preprocess {

huntgroups = “/etc/freeradius/huntgroups”

hints = “/etc/freeradius/hints”

with_ascend_hack = no

ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no

with_alvarion_vsa_hack = no

}

Module: Linked to module rlm_sql

Module: Instantiating sql

sql {

driver = “rlm_sql_postgresql”

server = “localhost”

port = “”

login = “*******”

password = “*******”

radius_db = “sis-prov”

read_groups = yes

sqltrace = yes

sqltracefile = “/var/log/freeradius/sqltrace.sql”

readclients = yes

deletestalesessions = yes

num_sql_socks = 5

sql_user_name = “%{User-Name}”

default_user_profile = “”

connect_failure_retry_delay = 60

simul_count_query = “”

simul_verify_query = “”

postauth_query = “INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (‘%{User-Name}’, ‘%{%{User-Password}:-Chap-Password}’, ‘%{reply:Packet-Type}’, NOW())”

safe-characters = “@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /”

}

rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked

rlm_sql (sql): Attempting to connect to admin@localhost:/sagu

rlm_sql (sql): starting 0

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0

rlm_sql (sql): Connected new DB handle, #0

rlm_sql (sql): starting 1

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1

rlm_sql (sql): Connected new DB handle, #1

rlm_sql (sql): starting 2

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #2

rlm_sql (sql): Connected new DB handle, #2

rlm_sql (sql): starting 3

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #3

rlm_sql (sql): Connected new DB handle, #3

rlm_sql (sql): starting 4

rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4

rlm_sql (sql): Connected new DB handle, #4

rlm_sql (sql): Processing generate_sql_clients

rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas

rlm_sql (sql): Reserving sql socket id: 4

rlm_sql_postgresql: query: SELECT id, nasname, shortname, type, secret FROM nas

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 5

rlm_sql (sql): Released sql socket id: 4

Module: Checking preacct {…} for more modules to load

Module: Linked to module rlm_acct_unique

Module: Instantiating acct_unique

acct_unique {

key = “User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port”

}

Module: Checking accounting {…} for more modules to load

Module: Instantiating attr_filter.accounting_response

attr_filter attr_filter.accounting_response {

attrsfile = “/etc/freeradius/attrs.accounting_response”

key = “%{User-Name}”

}

Module: Checking session {…} for more modules to load

Module: Checking post-proxy {…} for more modules to load

Module: Checking post-auth {…} for more modules to load

}

}

radiusd: #### Opening IP addresses and Ports ####

listen {

type = “auth”

ipaddr = *

port = 0

I do not see any authentication attempt in the debug output. Skip all the radius startup responses, and post the results of a login transaction from the router. You might want to post any router log entries about the transaction also.

Maybe your startup post was incomplete, but as I recall, “radiusd -X” finishes startup with something like:
Waiting for input

Thanks, SurferTim.
Below is part of an attempt to debug authentication
Thank you for your attention!

rad_recv: Access-Request packet from host 187.28.126.3 port 39327, id=92, length=147
Service-Type = Framed-User
NAS-Port-Id = "wlan3"
User-Name = "00:05:9E:83:C9:AF"
Calling-Station-Id = "00-05-9E-83-C9-AF"
Called-Station-Id = "00-02-6F-30-36-BD:Speed_BP1"
User-Password = ""
NAS-Identifier = "SERVIDOR_BOA_PASSAGEM"
NAS-IP-Address = 187.28.126.3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "00:05:9E:83:C9:AF", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> 00:05:9E:83:C9:AF
rlm_sql (sql): sql_set_user escaped user -> '00:05:9E:83:C9:AF'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '00:05:9E:83:C9:AF' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '00:05:9E:83:C9:AF' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM usergroup WHERE UserName='00:05:9E:83:C9:AF' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='00:05:9E:83:C9:AF' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): User 00:05:9E:83:C9:AF not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [00:05:9E:83:C9:AF/] (from client SERVIDOR_BOA_PASSAGEM port 0 cli 00-05-9E-83-C9-AF)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 00:05:9E:83:C9:AF
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 30 for 1 seconds
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 187.28.126.3 port 38425, id=90, length=147
Waiting to send Access-Reject to client SERVIDOR_BOA_PASSAGEM port 38425 - ID: 90
Waking up in 0.1 seconds.
Sending delayed reject for request 27
Sending Access-Reject of id 89 to 187.28.126.3 port 58907
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 187.28.126.3 port 52102, id=91, length=147
Waiting to send Access-Reject to client SERVIDOR_BOA_PASSAGEM port 52102 - ID: 91
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 187.28.126.3 port 39327, id=92, length=147
Waiting to send Access-Reject to client SERVIDOR_BOA_PASSAGEM port 39327 - ID: 92
Waking up in 0.1 seconds.

Here is the important part. Looks like it may be the default Auth-Type in your radius setup.

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

Check your radiusd.conf file in the ‘authenticate’ section.

ADD: Are you certain this user is in your SQL database? I just saw this above the Auth-Type message.
rlm_sql (sql): User 00:05:9E:83:C9:AF not found

My config is as follows.
I have tried various configs and so far I could not make it work.

authorize {
    preprocess
    pap
    chap
    mschap

    suffix

    eap {
        ok = return
    }

    unix

    files
    sql
    expiration
    logintime
}

authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    unix

    eap
}

The radius debug shows the user 00:05:9E:83:C9:AF not found. Is this user in your database?
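Added example, not part of the thread and not FreeRADIUS code: a small triage script for `radiusd -X` output that collects the per-module return codes and SQL row counts for a request and reports the combinations seen in the debug above (empty User-Password, radcheck rows returned while sql says notfound, no Auth-Type set). The function name `triage` and the wording of the findings are assumptions made for this illustration; the sample lines are taken from the debug output posted in the thread.

```python
import re

# Sample input: a subset of the radiusd -X lines posted in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 187.28.126.3 port 39327, id=92, length=147
User-Name = "00:05:9E:83:C9:AF"
User-Password = ""
++[preprocess] returns ok
++[files] returns noop
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '00:05:9E:83:C9:AF' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
rlm_sql (sql): User 00:05:9E:83:C9:AF not found
++[sql] returns notfound
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

MODULE_RE = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")       # ++[sql] returns notfound
ROWS_RE = re.compile(r"query affected rows = (\d+)")            # row count of the last query
TABLE_RE = re.compile(r"query:\s+SELECT .*? FROM (\w+)", re.I)  # table named in the last query

def triage(debug_text):
    """Summarise one request: module results, SQL row counts per table, findings."""
    modules, rows, findings, table, empty_pw = {}, {}, [], None, False
    for raw in debug_text.splitlines():
        line = raw.strip().replace("“", '"').replace("”", '"')  # tolerate forum smart quotes
        if (m := MODULE_RE.match(line)):
            modules[m.group(1)] = m.group(2)
        elif (m := TABLE_RE.search(line)):
            table = m.group(1).lower()
        elif (m := ROWS_RE.search(line)) and table:
            rows[table] = int(m.group(1))
            table = None
        elif line.startswith("User-Password") and line.endswith('""'):
            empty_pw = True
        elif "No authenticate method (Auth-Type)" in line:
            findings.append("no Auth-Type was set during authorize")
    if empty_pw:
        findings.append("request carries an empty User-Password")
    if rows.get("radcheck", 0) > 0 and modules.get("sql") == "notfound":
        # Rows exist for this User-Name, so inspect their Attribute/Op/Value columns.
        findings.append("radcheck returned rows but sql returned notfound")
    return {"modules": modules, "rows": rows, "findings": findings}

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```
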