Topic: Radius - Where is my error

thorsten

  • Guest
Radius - Where is my error
« on: January 01, 2013, 02:56:29 pm »
Please help:

I had Zentyal 2.2 running perfectly, but after an upgrade I do not manage to get Radius devices working.

- Zentyal "Radius" Module is running
- Radius Certificate is active
- "CA" Module is running
- IP of server and client are set correctly
- Shared secret passwords are set to "test" for client and server
- Clients are activated
- A Zentyal group called "Radius" is created containing some Zentyal users
- The correct group is selected within the Radius module
- Module "Users and groups" is running

Now I try, e.g., to join my iPad using WPA-Radius authentication via my Radius-enabled access point.
The iPad receives the correct Zentyal certificate.
- From this I think that I set up client, server, IPs, shared secret, CA etc. correctly; otherwise the Radius client (my AP) would not be able to show the Zentyal certificate to the AP client (my iPad).

Then my iPad asks for user name and password -> whatever I type seems to be incorrect; the answer is "wrong user / password combination".
Please believe me - I even used the user "fooo" with the password "barr" ... It did not work.

What may I have missed???

Thx
Thorsten

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #1 on: January 03, 2013, 02:32:10 pm »
bump

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #2 on: January 03, 2013, 06:37:17 pm »
Older AP?  You might need to put a port forward rule in redirecting port 1645 to port 1812.  Are you sure that the certificate is coming all the way from Zentyal and not the AP?  Watch /var/log/freeradius/radius.log while you are attempting to log in and watch for activity (e.g. tail -f /var/log/freeradius/radius.log).

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #3 on: January 03, 2013, 11:26:22 pm »
Hi Half_life,

Please find screenshots from my iPad and from my Zentyal CA: there is a perfect match of the time stamp of the certificate shown on my iPad and on the CA (Dec. 20th, 2022 / 00:28:33, +1h for Berlin vs. GMT, respectively). Yes, I am sure the certificate is handled correctly. I am also sure that the user name "thorsten" and the password are typed correctly - at least once in a million times I should have hit it by accident  8)

Next idea: The AP is quite new and it worked perfectly on port 1812 with Zentyal 2.2 for about 12 months - I never had any issues with that. The problem is the same for any other Radius client I used before.

Please find /var/log/freeradius/radius.log:

The IP 172.17.0.4 is correct (the AP) and the MAC address matches my iPad, so I am sure the connection is correct, too.

However, I do not know what port 0 means - I did not change any port settings, neither on the firewall (service Radius: any LAN to 1812 UDP) nor in the Radius client settings on the AP (port 1812).

Best regards
Thorsten

Code:
Wed Jan  2 21:18:01 2013 : Info: Exiting normally.
Wed Jan  2 21:21:24 2013 : Info: Loaded virtual server inner-tunnel
Wed Jan  2 21:21:24 2013 : Info: Loaded virtual server <default>
Wed Jan  2 21:21:24 2013 : Info: Ready to process requests.
Thu Jan  3 22:52:20 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:52:20 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:52:41 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:52:41 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:52:48 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:52:48 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:53:01 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:53:01 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:53:09 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:53:09 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:53:39 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:53:39 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:56:03 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:56:03 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:56:10 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:56:10 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #4 on: January 04, 2013, 04:46:18 am »
I am seeing similar things.  On another linux machine install radtest (included in freeradius-utils).  Add that machine's IP address to the list of radius clients and add a shared secret.   Radtest has a command line like this:

radtest username password radius_server_ip 0  shared_secret

I bet it will authenticate. 
« Last Edit: January 04, 2013, 05:14:48 am by half_life »

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #5 on: January 04, 2013, 04:59:45 am »
Here is what mine looks like with password logging turned on.  First group is from the AP and second group is radtest on my workstation.  There is definitely a problem in how this is getting parsed.


Code:
Thu Jan  3 22:54:56 2013 : Auth: Login incorrect: [dhoff/<via Auth-Type = EAP>] (from client 192.168.0.6/32 port 45 cli d857ef8e3e5d)
Thu Jan  3 22:55:02 2013 : Auth: Login incorrect: [dhoff/<via Auth-Type = EAP>] (from client 192.168.0.6/32 port 45 cli d857ef8e3e5d)
Thu Jan  3 22:55:28 2013 : Auth: Login OK: [dhoff/my_password] (from client 192.168.0.219/32 port 0)
Thu Jan  3 22:55:37 2013 : Auth: Login OK: [dhoff/my_password] (from client 192.168.0.219/32 port 0)
Thu Jan  3 22:55:39 2013 : Auth: Login OK: [dhoff/my_password] (from client 192.168.0.219/32 port 0)
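The two radius.log excerpts above (thorsten's AP attempts and half_life's radtest run) follow one line format, and reading them by hand is where the thread stalls on questions like "what does port 0 mean" and why each attempt produces two lines. The following parser is an added example, not code from the thread or from Zentyal/FreeRADIUS; the sample log is constructed from the shape of the posted lines. It splits each Auth: line into user, client, NAS port, calling station (cli) and the "via TLS tunnel" trailer, then reports two things a defender cares about: failures that come from the inner tunnel (the TLS handshake succeeded, the password check inside EAP failed, so certificates are not the cause) and cleartext passwords that end up in the log when password logging is on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the thread's two radius.log excerpts:
# an AP doing EAP (inner tunnel) and a radtest run with password logging turned on.
SAMPLE_LOG = """\
Wed Jan  2 21:21:24 2013 : Info: Ready to process requests.
Thu Jan  3 22:52:20 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 via TLS tunnel)
Thu Jan  3 22:52:20 2013 : Auth: Login incorrect: [thorsten] (from client 172.17.0.4/32 port 0 cli B8-F6-B1-EB-17-1B)
Thu Jan  3 22:54:56 2013 : Auth: Login incorrect: [dhoff/<via Auth-Type = EAP>] (from client 192.168.0.6/32 port 45 cli d857ef8e3e5d)
Thu Jan  3 22:55:28 2013 : Auth: Login OK: [dhoff/my_password] (from client 192.168.0.219/32 port 0)
"""

# One "Auth:" line: timestamp, result, "[user]" or "[user/password-or-marker]",
# NAS client address, NAS port, and an optional trailer (cli <MAC> or "via TLS tunnel").
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<ident>[^\]]*)\] "
    r"\(from client (?P<client>[\d.]+)/\d+ port (?P<port>\d+)(?P<rest>[^)]*)\)$"
)


def parse_auth_line(line):
    """Return a dict for an Auth: line, or None for Info/Error/other lines."""
    m = AUTH_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    user, _, suffix = m.group("ident").partition("/")
    rest = m.group("rest")
    cli = re.search(r"cli (\S+)", rest)
    # "<via Auth-Type = EAP>" means the password was not available to log (it travelled
    # inside EAP); any other text after "/" is a cleartext password written to the log.
    eap_marker = suffix.startswith("<via Auth-Type")
    return {
        "ts": " ".join(m.group("ts").split()),
        "result": m.group("result"),
        "user": user,
        "client": m.group("client"),
        "port": int(m.group("port")),          # NAS-Port; 0 is what radtest sends by default
        "cli": cli.group(1) if cli else None,  # Calling-Station-Id, the supplicant's MAC
        "inner_tunnel": "via TLS tunnel" in rest,
        "eap": eap_marker or "via TLS tunnel" in rest,
        "password_logged": bool(suffix) and not eap_marker,
        "password": None if (not suffix or eap_marker) else suffix,
    }


def summarize(text):
    """Parse a log excerpt and return events, per-user result counts and findings."""
    events = [e for e in map(parse_auth_line, text.splitlines()) if e]
    by_user = defaultdict(Counter)
    for e in events:
        by_user[e["user"]][e["result"]] += 1
    findings = []
    for user, counts in by_user.items():
        inner = [e for e in events if e["user"] == user and e["inner_tunnel"]]
        if inner and counts["OK"] == 0:
            findings.append(
                f"{user}: {len(inner)} failure(s) logged 'via TLS tunnel' and no success; "
                "the outer TLS handshake completed and the inner password check failed, "
                "so the certificate is not the problem"
            )
    for e in events:
        if e["password_logged"]:
            findings.append(
                f"{e['user']}: cleartext password '{e['password']}' in the log; "
                "password logging is on, so radius.log now holds credentials"
            )
    return {"events": events, "by_user": dict(by_user), "findings": findings}


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against a real file with `summarize(open("/var/log/freeradius/radius.log").read())`; each EAP attempt appears as a pair of lines (inner tunnel first, then the outer request carrying the cli MAC), which is why the thorsten excerpt shows two "incorrect" entries per try.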

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #6 on: January 04, 2013, 05:40:04 am »
I have opened ticket #5946 on this.  In the meantime I will keep digging.

jsalamero

  • Zentyal Staff
  • Zen Hero
Re: Radius - Where is my error
« Reply #7 on: January 04, 2013, 09:15:18 am »
The client (in this case the iPad) needs to be configured to negotiate using EAP TTLS CHAP.

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #8 on: January 04, 2013, 09:18:40 am »
How can I set this up on the iPad - I thought this would be done automatically as before with Zentyal 2.2.

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #9 on: January 04, 2013, 09:21:12 am »
Can you countercheck my other posting below - there is also an auth-error: http://forum.zentyal.org/index.php/topic,13598.0.html

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #10 on: January 04, 2013, 07:14:54 pm »
I am having the same problem as thorsten.  What is really weird is everything appears to be set up the same as on the 2.2 system.  Looking into the radius.conf doesn't yield any differences either.  I must confess a lack of experience troubleshooting radius problems.  Anyone have an idea here?

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #11 on: January 06, 2013, 06:59:20 am »
Digging into this a little further, when using radtest and not specifying an authentication method it works fine.  When specifying ms-chap as would come from my AP it fails.  I have verified that it is not related to certificates by substituting a known good set (from Zentyal 2.2); it still behaves the same.  Re-pointing the proxy.conf file to the ldap server on the 2.2 system results in good authentications even with ms-chap.

<EDIT>  I stand corrected here.  I neglected to use the right server when performing this test.  It doesn't work as I said </EDIT>

My reading on the internet tells me that not all password hashes are created equal when dealing with EAP.  Certain hash types can't be used with all authentication types; see here: http://deployingradius.com/documents/protocols/compatibility.html.  I have narrowed this down to the authentication segment and it seems to be specific to the way the password is stored.  I would like to have a developer or someone more knowledgeable than me prove or disprove it.


Anyone?
« Last Edit: January 06, 2013, 07:51:42 am by half_life »

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #12 on: January 06, 2013, 08:40:02 pm »
Update-

I changed all of the config files of freeradius on Zentyal 3 to point to the ldap server on my previous Zentyal 2.2 install.  Now I can authenticate through the AP as expected.  So in summary:

It has nothing to do with certificates (swapped from working system with no effect)
Using another ldap server makes the problem go away.
Using PAP authentication works with the Zentyal 3 ldap server.

The fact pattern brings me back to the password storage and how it is hashed as the likely suspect.  The last test I can perform to confirm my beliefs is to:

create a test user.
change the password hash in ldap for that user to a type that is compatible with ms-chap and try it.

Thoughts?

BTW sorry for flailing around last night.  At least I found my errors in testing and was able to correct my testing methods.  I am sure of my results to this point.
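Replies #11 and #12 above reach the point the compatibility page makes: the server can only complete an authentication method if it can derive the expected response from what the directory stores. PAP succeeds against any stored form because the client sent the cleartext and the server re-hashes it; MS-CHAP and EAP-MSCHAPv2 need the NT hash (or cleartext) to compute the challenge response, and CHAP and EAP-MD5 need cleartext. The script below is an added example, not code from the thread, Zentyal or FreeRADIUS: it classifies an RFC 2307 style userPassword value, answers which methods it can serve, and carries out the one check a {SSHA} value does allow (a PAP comparison). The "{NT}" prefix is a constructed label for this example; in a real directory the NT hash normally lives in a separate attribute such as sambaNTPassword.

```python
import base64
import hashlib
import hmac
import os

# Methods the RADIUS server can complete from each kind of stored credential
# (following the compatibility table linked in the thread):
#  - cleartext: everything, the server can derive any hash or response from it;
#  - NT hash: the MS-CHAP family, plus PAP (server NT-hashes the cleartext PAP sent);
#  - one-way digests ({SSHA}, {SHA}, {MD5}, {SMD5}, {CRYPT}): PAP only; the server can
#    re-hash a cleartext candidate but cannot compute a CHAP or MS-CHAP response.
METHODS = ("PAP", "TTLS-PAP", "CHAP", "EAP-MD5", "MS-CHAP", "EAP-MSCHAPv2", "PEAP-MSCHAPv2")
COMPAT = {
    "cleartext": set(METHODS),
    "nt-hash": {"PAP", "TTLS-PAP", "MS-CHAP", "EAP-MSCHAPv2", "PEAP-MSCHAPv2"},
    "one-way": {"PAP", "TTLS-PAP"},
}
ONE_WAY_SCHEMES = {"SSHA", "SHA", "MD5", "SMD5", "CRYPT"}


def classify(stored):
    """Map an RFC 2307 style userPassword value to a credential class.

    A value without a {scheme} prefix is treated as cleartext. "{NT}<32 hex>" is a
    constructed label used here for an NT hash (assumption for this example)."""
    if stored.startswith("{") and "}" in stored:
        scheme = stored[1:stored.index("}")].upper()
        if scheme == "NT":
            return "nt-hash"
        if scheme in ONE_WAY_SCHEMES:
            return "one-way"
        if scheme == "CLEARTEXT":
            return "cleartext"
        raise ValueError(f"unknown password scheme {{{scheme}}}")
    return "cleartext"


def can_serve(stored, method):
    """True if the server could verify `method` from this stored credential."""
    return method in COMPAT[classify(stored)]


def methods_for(stored):
    return sorted(COMPAT[classify(stored)])


def make_ssha(password, salt=None):
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap_ssha(stored, candidate):
    """PAP check against {SSHA}: the client sent the cleartext, so the server can
    re-hash it with the stored salt. This is all a one-way digest permits."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def explain(stored, method):
    cls = classify(stored)
    if method in COMPAT[cls]:
        return f"{method} against a {cls} credential: server can verify"
    return f"{method} against a {cls} credential: server cannot compute the expected response"


if __name__ == "__main__":
    ssha = make_ssha("barr")  # constructed test-user password
    for method in ("PAP", "EAP-MSCHAPv2"):
        print(explain(ssha, method))
    print(explain("{NT}" + "0" * 32, "EAP-MSCHAPv2"))  # placeholder NT hash value
```

This is the test half_life proposes in reply #12 reduced to its logic: a user whose password is stored only as {SSHA} will pass radtest with PAP and fail every MS-CHAP based request, and switching that user's stored form to an NT hash is what makes the MS-CHAP methods computable.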


christian

  • Guest
Re: Radius - Where is my error
« Reply #13 on: January 06, 2013, 08:44:01 pm »
Can't you see any clear error message or code in syslog if you increase the LDAP log level?
Well, I don't know whether you have to increase the log level for "std" or "Samba" LDAP; you may have to try both ???

half_life

  • Bug Hunter
  • Zen Hero
Re: Radius - Where is my error
« Reply #14 on: January 06, 2013, 09:13:23 pm »
I have stopped the radius server and restarted it in debug mode (freeradius -X).  I am watching the process stream directly during testing.  Another thought occurred to me: looking in /etc/freeradius/modules under Zentyal 3, the server= line uses a variable substitution.  I am wondering if the variable is pointing to port 389 when it should be pointing to 390.  I am learning as I go on this.