Author Topic: HowTo: add radius module with mschap support to zentyal 4.0, 4.2, 5.0, 5.1  (Read 38557 times)

Dersch

  • Zen Monk
  • **
  • Posts: 87
  • Karma: +1/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #30 on: June 09, 2016, 08:35:41 am »
Hi Julio,

No, unfortunately not.

julio

  • Guest
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #31 on: June 09, 2016, 12:09:13 pm »
Please check the Samba LDAP service...
e.g. with ldapsearch
« Last Edit: June 09, 2016, 01:32:03 pm by julio »

segelfreak

  • Zen Monk
  • **
  • Posts: 80
  • Karma: +9/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #32 on: June 11, 2016, 04:27:36 pm »
Dear Julio,

Hope you can also help with this little issue. Now that I've got the radius module working, I noticed that, depending on the AP, MAC address information will be shown or not in the log file presentation (via the Zentyal log viewer).

I have an older Siemens AP here, which results in the following log entry:

Code:
Sat Jun 11 15:37:44 2016 : Auth: Login OK: [username] (from client xxx.xxx.x.xxx/32 port 5 cli 2002af9a30af)
That means the MAC address is 20:02:AF:9A:30:AF, but it's not shown; the MAC column remains empty.
My guess is that the parser is not able to convert and/or identify the mac entry in the log file.

Is there any hack possible to fix this?

Zentyal 6.1
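The Siemens AP above writes the station MAC as bare hex after `cli`, while other APs send it colon- or dash-separated, and a parser that expects only one of these forms leaves the MAC column empty. The POSIX shell script below is an added example, not Zentyal's own log parser: it pulls the `cli` field out of a FreeRADIUS "Auth: Login OK" line and normalises it to the uppercase colon form, and it goes beyond the post by accepting all three formats and rejecting lines without a `cli` field. The sample lines, client IPs and MACs are constructed.

```shell
#!/bin/sh
# Added example, not Zentyal's own log parser: extract the "cli" field from a
# FreeRADIUS "Auth: Login OK" line and normalise it to AA:BB:CC:DD:EE:FF,
# the uppercase colon form. Besides the bare-hex form the Siemens AP sends
# (2002af9a30af), it accepts dash- and colon-separated MACs as other APs
# send them (20-02-AF-9A-30-AF, 20:02:af:9a:30:af).

# normalize_mac RAW -> prints the canonical MAC; returns 1 if RAW is not a MAC
normalize_mac() {
    hex=$(printf '%s' "$1" | sed 's/[-:]//g' | tr 'a-f' 'A-F')
    case "$hex" in
        *[!0-9A-F]*) return 1 ;;        # anything but hex digits: not a MAC
    esac
    [ "${#hex}" -eq 12 ] || return 1    # 6 octets = 12 hex digits
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# mac_from_log_line LINE -> prints the normalised MAC after "cli ", or returns 1
# when the line carries no cli field (APs that omit Calling-Station-Id)
mac_from_log_line() {
    raw=$(printf '%s\n' "$1" | sed -n 's/.* cli \([^ )]*\).*/\1/p')
    [ -n "$raw" ] || return 1
    normalize_mac "$raw"
}

# Constructed sample lines; client IPs and MACs are placeholders.
SAMPLE_SIEMENS='Sat Jun 11 15:37:44 2016 : Auth: Login OK: [username] (from client 192.0.2.10/32 port 5 cli 2002af9a30af)'
SAMPLE_DASH='Sat Jun 11 15:38:01 2016 : Auth: Login OK: [username] (from client 192.0.2.11/32 port 0 cli 20-02-AF-9A-30-AF)'
SAMPLE_NOCLI='Sat Jun 11 15:38:30 2016 : Auth: Login OK: [username] (from client 192.0.2.12/32 port 1812)'

for line in "$SAMPLE_SIEMENS" "$SAMPLE_DASH" "$SAMPLE_NOCLI"; do
    mac=$(mac_from_log_line "$line") || mac='(no cli field)'
    printf '%s\n' "$mac"
done
```

The validation step matters: a parser that blindly reformats whatever follows `cli` would turn a garbage value from a misbehaving NAS into something that looks like a valid MAC in the log viewer, so unknown input is rejected rather than guessed at.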

julio

  • Guest
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #33 on: June 11, 2016, 10:27:57 pm »
> Dear Julio,
>
> Hope you can also help with this little issue. Now that I've got the radius module working, I noticed that, depending on the AP, MAC address information will be shown or not in the log file presentation (via the Zentyal log viewer).
>
> I have an older Siemens AP here, which results in the following log entry:
>
> Code:
> Sat Jun 11 15:37:44 2016 : Auth: Login OK: [username] (from client xxx.xxx.x.xxx/32 port 5 cli 2002af9a30af)
> That means the MAC address is 20:02:AF:9A:30:AF, but it's not shown; the MAC column remains empty.
> My guess is that the parser is not able to convert and/or identify the mac entry in the log file.
>
> Is there any hack possible to fix this?
modified, please check...
https://forum.zentyal.org/index.php/topic,25541.msg96226.html#msg96226

segelfreak

  • Zen Monk
  • **
  • Posts: 80
  • Karma: +9/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #34 on: June 12, 2016, 11:01:48 am »

> modified, please check...
> https://forum.zentyal.org/index.php/topic,25541.msg96226.html#msg96226

Thanks, Julio,

Installed it and now have to test. Since it is a remote site, it will take a few days before I'll see the effect. I assume the change will only take effect on new log entries, right?

In any case, I'm very thankful for your prompt help! Really great!!!

p.s. maybe a little remark: I think there's a little mistake in the instruction.
Code:
wget wget http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz -O zentyal-radius_3.5.1.tar.gz
double wget...
« Last Edit: June 12, 2016, 11:03:19 am by segelfreak »
Zentyal 6.1

julio

  • Guest
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #35 on: June 12, 2016, 12:54:57 pm »

> modified, please check...
> https://forum.zentyal.org/index.php/topic,25541.msg96226.html#msg96226
>
> Thanks, Julio,
>
> Installed it and now have to test. Since it is a remote site, it will take a few days before I'll see the effect. I assume the change will only take effect on new log entries, right?
>
> In any case, I'm very thankful for your prompt help! Really great!!!
>
> p.s. maybe a little remark: I think there's a little mistake in the instruction.
> Code:
> wget wget http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz -O zentyal-radius_3.5.1.tar.gz
> double wget...

Thank you for your suggestion about the "wget wget" mistake!
I've changed the MAC format to uppercase;
please install it one more time. You can force a test with the following command:
Code:
LC_TIME_ORIG=$LC_TIME && LC_TIME=en_US.UTF-8 && echo "$(date '+%a %b %e %H:%M:%S %Y') : Auth: Login OK: [testuser] (from client 127.0.0.1/32 port 5 cli 2002af9a30af)" | sudo tee -a /var/log/freeradius/radius.log && LC_TIME=$LC_TIME_ORIG
« Last Edit: June 12, 2016, 01:03:11 pm by julio »

segelfreak

  • Zen Monk
  • **
  • Posts: 80
  • Karma: +9/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #36 on: June 12, 2016, 02:48:13 pm »

> Thank you for your suggestion about the "wget wget" mistake!
> I've changed the MAC format to uppercase;
> please install it one more time. You can force a test with the following command:
> Code:
> LC_TIME_ORIG=$LC_TIME && LC_TIME=en_US.UTF-8 && echo "$(date '+%a %b %e %H:%M:%S %Y') : Auth: Login OK: [testuser] (from client 127.0.0.1/32 port 5 cli 2002af9a30af)" | sudo tee -a /var/log/freeradius/radius.log && LC_TIME=$LC_TIME_ORIG

Tried the echo, but it seems my locale for date is set to DE, so the weekday is printed as "So" and not "Sun". In the end, the echoed log entry is not shown in the Zentyal log module... :-)

P.S. I modified the echo command and set the date/time manually. However, it seems not to appear in the Zentyal log display? Update: got it! Works!
« Last Edit: June 12, 2016, 03:46:24 pm by segelfreak »
Zentyal 6.1

julio

  • Guest
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #37 on: June 12, 2016, 03:56:42 pm »
"tried the echo but it seems my locale for date is set to De, so Week day is prompted as "So" and not "Sun"."

Me too, DE... that's why: LC_TIME_ORIG=$LC_TIME && LC_TIME=en_US.UTF-8

Is the "en_US.UTF-8" locale installed?
Code:
locale -a
Works for me (see screenshot attached)

Try restarting the logs and the radius service before the echo...
Code:
sudo service zentyal logs restart
sudo service zentyal radius restart

segelfreak

  • Zen Monk
  • **
  • Posts: 80
  • Karma: +9/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #38 on: June 12, 2016, 04:28:57 pm »
Locale is installed. Restarted the modules, but it still generates "So" instead of "Sun"  :o
Anyway, I'm confident it will work well now  ::) Thanks again!!!

Update: just noticed

Code:
locale -a
C
C.UTF-8
de_DE.utf8
en_US.utf8
POSIX

So, probably I need to modify the locale setting accordingly?
« Last Edit: June 12, 2016, 04:32:54 pm by segelfreak »
Zentyal 6.1

julio

  • Guest
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #39 on: June 12, 2016, 05:42:18 pm »
> Locale is installed. Restarted the modules, but it still generates "So" instead of "Sun"  :o
> Anyway, I'm confident it will work well now  ::) Thanks again!!!
>
> Update: just noticed
>
> Code:
> locale -a
> C
> C.UTF-8
> de_DE.utf8
> en_US.utf8
> POSIX
>
> So, probably I need to modify the locale setting accordingly?
No, you don't need to...
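The "So" instead of "Sun" result has a simple cause: a plain `LC_TIME=en_US.UTF-8` assignment is a shell variable, so the `date` child process only sees it if LC_TIME was already exported in that session, and an exported `LC_ALL` (for example de_DE.utf8 from the login environment) overrides LC_TIME anyway. The script below is an added example, not part of the thread: it sets `LC_ALL` for the `date` command alone, which forces the English weekday and month names the Zentyal parser expects without touching the shell's locale or requiring the `LC_TIME_ORIG` save/restore, and it uses the `C` locale, which always exists, instead of depending on en_US.UTF-8 being installed. The user name, client IP and MAC are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a FreeRADIUS-style
# "Auth: Login OK" test line whose timestamp is always in English, whatever
# the shell's locale, so a German LANG/LC_TIME/LC_ALL ("So" instead of "Sun")
# cannot break the log parser. LC_ALL is set only for the date command
# itself, so nothing has to be saved and restored afterwards. %e pads the
# day with a space ("Oct  3"), matching what FreeRADIUS itself writes.

# radius_test_line USER CLIENT_IP PORT MAC -> prints one log line
radius_test_line() {
    ts=$(LC_ALL=C date '+%a %b %e %H:%M:%S %Y')
    printf '%s : Auth: Login OK: [%s] (from client %s/32 port %s cli %s)\n' \
        "$ts" "$1" "$2" "$3" "$4"
}

# timestamp_is_english LINE -> returns 0 if the line starts with an English
# weekday and month abbreviation in the FreeRADIUS timestamp format
timestamp_is_english() {
    printf '%s\n' "$1" | grep -Eq \
        '^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4} : '
}

# Usage on a Zentyal box (constructed values; the IP and MAC are placeholders):
#   radius_test_line testuser 127.0.0.1 5 2002AF9A30AF | sudo tee -a /var/log/freeradius/radius.log
radius_test_line testuser 127.0.0.1 5 2002AF9A30AF
```

Before appending a line to the real log, piping it through `timestamp_is_english` is a cheap way to confirm the locale trick worked on the machine at hand; a line that fails the check would be silently ignored by the log parser, which is exactly the symptom reported above.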

segelfreak

  • Zen Monk
  • **
  • Posts: 80
  • Karma: +9/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #40 on: October 03, 2016, 08:42:23 pm »
Julio,

Hope to get one more hint from you ;-)

It all worked fine for the time being, but for some reason I had to re-install (not only, but also) the radius package, and now I seem to get no access to the LDAP. (Radius only rejects.)

In the freeradius log, I can only find two lines, i.e.

Code:
Mon Oct  3 20:29:46 2016 : Error:   [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Mon Oct  3 20:29:46 2016 : Error:   [ldap] (re)connection attempt failed

I checked the ldap module in freeradius and the credentials are filled in. I also checked the user in the tree, removed it, and reconfigured so the user was back in. Still no good.
I tried a full purge of freeradius, zentyal-radius and the related packages, and reinstalled from scratch. Nothing helped.

Anything else I could look into?


« Last Edit: October 03, 2016, 09:06:13 pm by segelfreak »
Zentyal 6.1

julio

  • Guest
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #41 on: October 03, 2016, 09:14:19 pm »
For more details, start freeradius manually:
Code:
sudo service zentyal radius stop
sudo freeradius -XXX

segelfreak

  • Zen Monk
  • **
  • Posts: 80
  • Karma: +9/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #42 on: October 03, 2016, 09:28:06 pm »
Here it goes, Julio.
I only masked the secrets as "###secret###".
It wouldn't let me post the whole text (20000-character limit), so here's a link to the file:

https://dl.dropboxusercontent.com/u/1666516/freeradius%20debug.txt

Update: this is only the debug output before the actual auth attempt.
« Last Edit: October 03, 2016, 09:31:02 pm by segelfreak »
Zentyal 6.1

segelfreak

  • Zen Monk
  • **
  • Posts: 80
  • Karma: +9/-0
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #43 on: October 03, 2016, 09:31:32 pm »
So, here comes the output from an actual try via radtest:

Code:
Mon Oct  3 21:16:24 2016 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 39583, id=246, length=80
User-Name = "###username###"
User-Password = "###password###"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0xae07c03a0fa5825814f6e4066277a23b
Mon Oct  3 21:29:05 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Oct  3 21:29:05 2016 : Info: +- entering group authorize {...}
Mon Oct  3 21:29:05 2016 : Info: ++[preprocess] returns ok
Mon Oct  3 21:29:05 2016 : Info: ++[chap] returns noop
Mon Oct  3 21:29:05 2016 : Info: ++[mschap] returns noop
Mon Oct  3 21:29:05 2016 : Info: [eap] No EAP-Message, not doing EAP
Mon Oct  3 21:29:05 2016 : Info: ++[eap] returns noop
Mon Oct  3 21:29:05 2016 : Info: [files] users: Matched entry DEFAULT at line 1
Mon Oct  3 21:29:05 2016 : Info: ++[files] returns ok
Mon Oct  3 21:29:05 2016 : Info: [ldap] performing user authorization for ###username###
Mon Oct  3 21:29:05 2016 : Info: [ldap] expand: %{Stripped-User-Name} ->
Mon Oct  3 21:29:05 2016 : Info: [ldap] ... expanding second conditional
Mon Oct  3 21:29:05 2016 : Info: [ldap] expand: %{User-Name} -> ###username###
Mon Oct  3 21:29:05 2016 : Info: [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=###username###)
Mon Oct  3 21:29:05 2016 : Info: [ldap] expand: DC=fritz,DC=box -> DC=fritz,DC=box
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] attempting LDAP reconnection
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] (re)connect to ldap://127.0.0.1, authentication 0
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] bind as CN=zentyal-radius-zentyal,CN=Users,DC=fritz,DC=box/###password### to ldap://127.0.0.1
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] waiting for bind result ...
Mon Oct  3 21:29:05 2016 : Error:   [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Mon Oct  3 21:29:05 2016 : Error:   [ldap] (re)connection attempt failed
Mon Oct  3 21:29:05 2016 : Info: [ldap] search failed
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Mon Oct  3 21:29:05 2016 : Info: ++[ldap] returns fail
Mon Oct  3 21:29:05 2016 : Auth: Invalid user: [###username###] (from client 127.0.0.1/32 port 1812)
Mon Oct  3 21:29:05 2016 : Info: Using Post-Auth-Type Reject
Mon Oct  3 21:29:05 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Oct  3 21:29:05 2016 : Info: +- entering group REJECT {...}
Mon Oct  3 21:29:05 2016 : Info: [attr_filter.access_reject] expand: %{User-Name} -> ###username###
Mon Oct  3 21:29:05 2016 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Oct  3 21:29:05 2016 : Info: ++[attr_filter.access_reject] returns updated
Mon Oct  3 21:29:05 2016 : Info: Delaying reject of request 0 for 1 seconds
Mon Oct  3 21:29:05 2016 : Debug: Going to the next request
Mon Oct  3 21:29:05 2016 : Debug: Waking up in 0.9 seconds.
Mon Oct  3 21:29:06 2016 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 246 to 127.0.0.1 port 39583
Mon Oct  3 21:29:06 2016 : Debug: Waking up in 4.9 seconds.
Mon Oct  3 21:29:11 2016 : Info: Cleaning up request 0 ID 246 with timestamp +761
Mon Oct  3 21:29:11 2016 : Info: Ready to process requests.

User Info is also accessible:

Code:
User info (Level-0):
====================
Name:              zentyal-radius-zentyal
SID:               S-1-5-21-1293354772-482189516-68840057-1231
Uid:               910689487
Gid:               910688769
Gecos:             <null>
Shell:             /bin/sh
Home dir:          /home/local/FRITZ/zentyal-radius-zentyal
Logon restriction: NO
« Last Edit: October 03, 2016, 09:45:29 pm by segelfreak »
Zentyal 6.1
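The decisive part of the capture above is the pair `bind as CN=zentyal-radius-zentyal,CN=Users,... to ldap://127.0.0.1` followed by `LDAP login failed`: the connection to the server is made and it is the bind with the module's own DN and password that is rejected, so the user search is never run and the request falls through to `Invalid user` and an Access-Reject. Note also that `freeradius -XXX` prints that bind password in clear text, which is why masking it before posting, as done above, matters. The script below is an added example, not code from Zentyal or FreeRADIUS: it extracts the bind DN and server URI from such a capture and prints an `ldapsearch` invocation that tries the same bind outside FreeRADIUS, prompting for the password (`-W`) so it never lands in the shell history. The capture is a constructed sample with a placeholder domain.

```shell
#!/bin/sh
# Added example (not from the thread, Zentyal or FreeRADIUS): triage a
# "freeradius -XXX" debug capture. It pulls out the LDAP URI and bind DN
# that rlm_ldap actually used, reports whether the bind failed, and prints
# the matching ldapsearch command so the same credentials can be tested
# independently of FreeRADIUS.

# Constructed sample in the FreeRADIUS 2.x debug format seen in the thread;
# the domain (DC=example,DC=test) and the password are placeholders.
SAMPLE_DEBUG='Mon Oct  3 21:29:05 2016 : Debug:   [ldap] (re)connect to ldap://127.0.0.1, authentication 0
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] bind as CN=zentyal-radius-zentyal,CN=Users,DC=example,DC=test/###password### to ldap://127.0.0.1
Mon Oct  3 21:29:05 2016 : Debug:   [ldap] waiting for bind result ...
Mon Oct  3 21:29:05 2016 : Error:   [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Mon Oct  3 21:29:05 2016 : Error:   [ldap] (re)connection attempt failed
Mon Oct  3 21:29:05 2016 : Info: ++[ldap] returns fail'

# ldap_bind_dn DEBUG -> the DN rlm_ldap bound with (the part before "/password")
ldap_bind_dn() {
    printf '%s\n' "$1" | sed -n 's/.*\[ldap\] bind as \([^/]*\)\/.* to ldap.*/\1/p' | head -n 1
}

# ldap_uri DEBUG -> the server URI from the "bind as ... to <uri>" line
ldap_uri() {
    printf '%s\n' "$1" | sed -n 's/.*\[ldap\] bind as .* to \(ldap[^ ]*\).*/\1/p' | head -n 1
}

# ldap_bind_failed DEBUG -> 0 if the capture contains the bind failure, else 1
ldap_bind_failed() {
    printf '%s\n' "$1" | grep -q '\[ldap\] LDAP login failed'
}

# ldapsearch_check_cmd DEBUG BASE_DN -> prints an ldapsearch invocation that
# binds with the same DN against the same server; -W prompts for the password
ldapsearch_check_cmd() {
    dn=$(ldap_bind_dn "$1")
    uri=$(ldap_uri "$1")
    [ -n "$dn" ] && [ -n "$uri" ] || return 1
    printf "ldapsearch -x -H %s -D '%s' -W -b '%s' -s base '(objectClass=*)'\n" "$uri" "$dn" "$2"
}

if ldap_bind_failed "$SAMPLE_DEBUG"; then
    echo "rlm_ldap bind failed as $(ldap_bind_dn "$SAMPLE_DEBUG") on $(ldap_uri "$SAMPLE_DEBUG")"
    echo "re-test the same credentials with:"
    ldapsearch_check_cmd "$SAMPLE_DEBUG" 'DC=example,DC=test'
fi
```

If the printed `ldapsearch` also fails with invalid credentials, the problem is the service account's password (or the account itself) in the Samba directory and not the FreeRADIUS configuration; if it succeeds, the password FreeRADIUS reads from its ldap module configuration differs from the one that works, which is where to compare next.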

julio

  • Guest
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.1, 4.2
« Reply #44 on: October 04, 2016, 04:24:12 pm »
Please post the results of:
Code:
ls -la /var/lib/zentyal/conf/