Topic: HowTo: add radius module with mschap support to zentyal 4.0, 4.2, 5.0, 5.1

computercody94

« Reply #75 on: August 29, 2017, 01:51:16 am »
I tried that & I get the same error. On Windows it says "Can't connect to this network". On my Android it says "Authentication Problem".

segelfreak

« Reply #76 on: October 01, 2017, 11:39:34 am »
Hi Julio,

After having successfully installed a new 5.0 system with the radius module (as per your new instruction), I'm still struggling to get it up and running.
Wifi clients are rejected.
Please see log:
Code:
rad_recv: Access-Request packet from host 192.168.1.2 port 3072, id=0, length=165
Sat Sep 23 17:09:53 2017 : Info: Cleaning up request 8 ID 0 with timestamp +20
        User-Name = "user"
        NAS-IP-Address = 192.168.1.2
        Called-Station-Id = "0016e37246ff"
        Calling-Station-Id = "90fd6153bfc4"
        NAS-Identifier = "0016e37246ff"
        NAS-Port = 40
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0208002e190017030300230bf5df21adc20eeb36f8c66f036cd7e3b97e8f593fa2b13b9763b32e9db63655c5f04b
        Message-Authenticator = 0x69f2de24306d9ee3142149f1f95e5448
Sat Sep 23 17:09:53 2017 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Sep 23 17:09:53 2017 : Info: +group authorize {
Sat Sep 23 17:09:53 2017 : Info: ++[preprocess] = ok
Sat Sep 23 17:09:53 2017 : Info: ++[chap] = noop
Sat Sep 23 17:09:53 2017 : Info: ++[mschap] = noop
Sat Sep 23 17:09:53 2017 : Info: [eap] EAP packet type response id 8 length 46
Sat Sep 23 17:09:53 2017 : Info: [eap] Continuing tunnel setup.
Sat Sep 23 17:09:53 2017 : Info: ++[eap] = ok
Sat Sep 23 17:09:53 2017 : Info: +} # group authorize = ok
Sat Sep 23 17:09:53 2017 : Info: Found Auth-Type = EAP
Sat Sep 23 17:09:53 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Sep 23 17:09:53 2017 : Info: +group authenticate {
Sat Sep 23 17:09:53 2017 : Info: [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sat Sep 23 17:09:53 2017 : Info: [eap] Failed in handler
Sat Sep 23 17:09:53 2017 : Info: ++[eap] = invalid
Sat Sep 23 17:09:53 2017 : Info: +} # group authenticate = invalid
Sat Sep 23 17:09:53 2017 : Info: Failed to authenticate the user.
Sat Sep 23 17:09:53 2017 : Auth: Login incorrect: [user] (from client 192.168.1.2/32 port 40 cli 90fd6153bfc4)
Sat Sep 23 17:09:53 2017 : Info: Using Post-Auth-Type Reject
Sat Sep 23 17:09:53 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Sep 23 17:09:53 2017 : Info: +group REJECT {
Sat Sep 23 17:09:53 2017 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> user
Sat Sep 23 17:09:53 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Sep 23 17:09:53 2017 : Info: ++[attr_filter.access_reject] = updated
Sat Sep 23 17:09:53 2017 : Info: +} # group REJECT = updated
Sat Sep 23 17:09:53 2017 : Info: Delaying reject of request 9 for 1 seconds
Sat Sep 23 17:09:53 2017 : Debug: Going to the next request
Sat Sep 23 17:09:53 2017 : Debug: Waking up in 0.9 seconds.
Sat Sep 23 17:09:54 2017 : Info: Sending delayed reject for request 9
Sending Access-Reject of id 0 to 192.168.1.2 port 3072
Sat Sep 23 17:09:54 2017 : Debug: Waking up in 4.9 seconds.

I have reset the passwords (which did the trick last time https://forum.zentyal.org/index.php/topic,25541.msg103865.html#msg103865), but no luck.

Tried different settings in the Radius module, all users, domains users, etc., nothing worked.
I saw these lines in the log:
Sat Sep 23 17:09:53 2017 : Info: [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sat Sep 23 17:09:53 2017 : Info: [eap] Failed in handler
Sat Sep 23 17:09:53 2017 : Info: ++[eap] = invalid
Sat Sep 23 17:09:53 2017 : Info: +} # group authenticate = invalid
Sat Sep 23 17:09:53 2017 : Info: Failed to authenticate the user.

Anything to do with it?

Zentyal 6.1
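
As an added example (not part of the original posts), the `EAP-Message` value in the log above can be decoded to see which EAP method and TLS record type the client sent. The helper names `byte_at` and `eap_decode` are made up for this example; the hex string is the one from the log.

```sh
#!/bin/sh
# Decode the header of an EAP-Message value as printed in FreeRADIUS debug
# output (hex with leading 0x). Layout: code, id, 2-byte length, type.

byte_at() {  # byte_at HEX N -> decimal value of byte N (0-based)
    pair=$(printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    [ "${#pair}" -eq 2 ] || return 1
    echo $(( 0x$pair ))
}

eap_decode() {
    hex=${1#0x}
    case $hex in ''|*[!0-9a-fA-F]*) echo "not hex"; return 1 ;; esac
    actual=$(( ${#hex} / 2 ))
    [ "$actual" -ge 4 ] || { echo "too short"; return 1; }
    code=$(byte_at "$hex" 0); id=$(byte_at "$hex" 1)
    len=$(( $(byte_at "$hex" 2) * 256 + $(byte_at "$hex" 3) ))
    case $code in
        1) out="code=Request" ;;  2) out="code=Response" ;;
        3) out="code=Success" ;;  4) out="code=Failure" ;;
        *) out="code=$code" ;;
    esac
    out="$out id=$id length=$len"
    # A length field that disagrees with the attribute size means the message
    # was split across several attributes or truncated when pasted.
    [ "$len" -eq "$actual" ] || out="$out (attribute holds $actual bytes)"
    # Only Request/Response packets carry a Type byte.
    if [ "$code" -ge 1 ] && [ "$code" -le 2 ] && [ "$actual" -ge 5 ]; then
        type=$(byte_at "$hex" 4)
        case $type in
            1) out="$out type=Identity" ;;   3) out="$out type=Nak" ;;
            13) out="$out type=EAP-TLS" ;;   21) out="$out type=EAP-TTLS" ;;
            25) out="$out type=PEAP" ;;      26) out="$out type=MS-CHAPv2" ;;
            *) out="$out type=$type" ;;
        esac
        # TLS-based methods: flags byte, optional 4-byte TLS length (bit 0x80),
        # then a TLS record whose first byte is the content type.
        case $type in 13|21|25)
            if flags=$(byte_at "$hex" 5); then
                off=6; [ $(( flags & 128 )) -eq 0 ] || off=10
                if rec=$(byte_at "$hex" "$off"); then
                    case $rec in
                        20) out="$out tls=change-cipher-spec" ;;
                        21) out="$out tls=alert" ;;
                        22) out="$out tls=handshake" ;;
                        23) out="$out tls=application-data" ;;
                    esac
                fi
            fi ;;
        esac
    fi
    echo "$out"
}

eap_decode 0x0208002e190017030300230bf5df21adc20eeb36f8c66f036cd7e3b97e8f593fa2b13b9763b32e9db63655c5f04b
```

For the logged value this prints `code=Response id=8 length=46 type=PEAP tls=application-data`, which agrees with the `[eap] EAP packet type response id 8 length 46` line in the log.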

julio

« Reply #77 on: October 01, 2017, 12:59:34 pm »
please try with this (suggestions from realflow):
Code:
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/smb.conf.mas
sudo sed -i '/\[global\]/a lanman auth = yes\nntlm auth = yes' /etc/zentyal/stubs/samba/smb.conf.mas
sudo zs samba restart
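
An added example, not part of the original post: a check that the two settings inserted by the `sed` command above are what the generated Samba configuration actually carries. The function names `global_param` and `ntlm_summary` and the sample file contents are constructed for this example; on a live system the file to check is assumed to be `/etc/samba/smb.conf`.

```sh
#!/bin/sh
# Read the effective [global] value of a Samba parameter from an
# smb.conf-style file. Names are compared the way Samba compares them:
# case-insensitively and ignoring spaces. A later duplicate overrides.
global_param() {  # usage: global_param FILE "parameter name"
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                    # comment lines
        /^[ \t]*\[/   { sec = norm($0); next }     # section header
        sec == "[global]" && (eq = index($0, "=")) {
            if (norm(substr($0, 1, eq - 1)) != norm(want)) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Summarise what the two settings from the post allow.
ntlm_summary() {  # usage: ntlm_summary FILE
    ntlm=$(global_param "$1" "ntlm auth")
    lanman=$(global_param "$1" "lanman auth")
    case $ntlm in
        yes|true|1|ntlmv1-permitted) n="NTLMv1 and MSCHAPv2 accepted" ;;
        mschapv2-and-ntlmv2-only)    n="MSCHAPv2 accepted, plain NTLMv1 refused" ;;
        no|false|0|ntlmv2-only)      n="NTLMv1 and MSCHAPv2 refused" ;;
        disabled)                    n="all NTLM refused" ;;
        unset)                       n="Samba version default applies" ;;
        *)                           n="unrecognised value" ;;
    esac
    case $lanman in
        yes|true|1) l="LANMAN accepted" ;;
        unset)      l="Samba version default applies" ;;
        *)          l="LANMAN refused" ;;
    esac
    echo "ntlm auth=$ntlm ($n); lanman auth=$lanman ($l)"
}

# Constructed sample: a [global] section as it looks after the sed edit.
sample=$(mktemp)
printf '%s\n' '[global]' 'lanman auth = yes' 'ntlm auth = yes' \
    '    workgroup = EXAMPLE' '[homes]' 'ntlm auth = no' > "$sample"
ntlm_summary "$sample"
rm -f "$sample"
```

Where the installed Samba supports it (4.7 and later), `ntlm auth = mschapv2-and-ntlmv2-only` is the narrower value that still lets `ntlm_auth` verify MSCHAPv2 without accepting NTLMv1 from other clients.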

segelfreak

« Reply #78 on: October 06, 2017, 05:18:57 pm »
Works!!!

Great Job, Thanks!
Zentyal 6.1

Uloga

« Reply #79 on: October 24, 2017, 06:25:43 pm »
I try to use the RADIUS server to authenticate with Mikrotik devices to Login.
I have added the devices to the Radius clients, and added a usergroup "radusers" as told in another guide.

Although, now I get the message on the radius server: "Login incorrect"   
I have checked the passwords multiple times and still I'm getting this error.

Does anybody have a clue where to look?

julio

« Reply #80 on: October 25, 2017, 01:01:03 pm »
please post the freeradius verbose logging output during the connection:
Code:
sudo zs radius stop
sudo freeradius -XXX

Uloga

« Reply #81 on: October 26, 2017, 02:26:57 pm »
Please see in attachment the full log
« Last Edit: October 30, 2017, 11:43:59 am by Uloga »

julio

« Reply #82 on: October 26, 2017, 03:23:02 pm »
please try one more time with this:
Code:
sudo zs radius stop
sudo killall freeradius
sudo freeradius -XXX

Uloga

« Reply #83 on: October 27, 2017, 09:28:08 am »
There you go :-)
« Last Edit: October 30, 2017, 11:43:54 am by Uloga »

julio

« Reply #84 on: October 27, 2017, 10:09:17 am »
sorry but there is no client connection info,
please run the commands and try connecting with your client (Mikrotik device).

Uloga

« Reply #85 on: October 27, 2017, 04:21:19 pm »
Oh ok, now there's client info included, tried 2 times

If it can be any help, this is what I found:

Quote
Hi,
I had the same problem before; my problem was solved by moving some lines in /usr/local/etc/raddb/sites-enabled/default
I'm using SQL so I load the SQL module and pap, chap

I've changed the lines from

chap
sql
pap

to:

sql
pap
chap

so freeradius first loads the sql and then loads the chap, so it could locate password in SQL.
But I can't find that file...
« Last Edit: October 30, 2017, 11:43:48 am by Uloga »

julio

« Reply #86 on: October 28, 2017, 10:37:14 pm »
please create new client under Radius - General configuration:
IP Address: 127.0.0.1/32
Shared Secret: your supersecret password

test the connection on the server with (modify the username and passwords):
Code:
radtest -t mschap your_raduser raduser_password 127.0.0.1:1812 0 shared_secret_password

Uloga

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.2, 5.0
« Reply #87 on: October 29, 2017, 02:07:29 pm »
Login OK from local

But still not ok from Mikrotik device
« Last Edit: October 29, 2017, 02:12:54 pm by Uloga »

julio

« Reply #88 on: October 29, 2017, 09:48:59 pm »
bad news:
Mikrotik uses CHAP auth. with a clear-text password for login;
this combination of auth. is not supported under Zentyal LDAP (PEAP-MSCHAPv2+MD5).

« Last Edit: October 29, 2017, 09:52:36 pm by julio »

Uloga

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: HowTo: add radius module with mschap support to zentyal 4.0, 4.2, 5.0
« Reply #89 on: October 30, 2017, 11:44:42 am »
And is there a possibility to disable LDAP so this will work?