Re: ssh radius Access-Request by user Failed: AccessRejectException: Access Denied

Nick Owen
Administrator
See http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests?searchterm=radius+debug

Make sure your user is enabled and that you restarted WiKID after
adding the network client.


On Tue, Mar 18, 2014 at 11:22 PM, wangdexing [via WiKID Strong
Authentication Forums] <[hidden email]>
wrote:

> Hi,
> I want to secure VNC remote access. I referred to the article at
> http://www.howtoforge.com/secure_vnc_remote_access_with_two_factor_authentication
> but I have some problems with it. Here are some messages about it:
>
> wdx@wdx-IdeaPad-Z465:~$ ssh user@10.12.52.32 -vvv
> ..........................
> debug1: Roaming not allowed by server
> .......................
> Permission denied, please try again.
>
> tail -f /var/log/auth.log
> Mar 19 00:05:27 wdx-IdeaPad-Z465 sshd[8063]: Invalid user user from
> 10.12.52.32
> Mar 19 00:05:27 wdx-IdeaPad-Z465 sshd[8063]: input_userauth_request: invalid
> user user [preauth]
> Mar 19 00:05:37 wdx-IdeaPad-Z465 sshd[8063]: pam_unix(sshd:auth): check
> pass; user unknown
> Mar 19 00:05:37 wdx-IdeaPad-Z465 sshd[8063]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.12.52.32
> Mar 19 00:05:39 wdx-IdeaPad-Z465 sshd[8063]: Failed password for invalid
> user user from 10.12.52.32 port 59135 ssh2
>
> WiKIDAdmin/Log.jsp
> 2014-03-18 23:58:07.720 DEBUG com.wikidsystems.server.WikidCode5AES Passcode
> request processing successfully completed.
>  device-9068788103614007001
> 2014-03-18 23:58:40.732 INFO com.wikidsystems.radius.access.WikidAccess4
> Access denied for user, domain code: 010012052032 client: /127.0.0.1
> 2014-03-18 23:58:40.735 INFO com.wikidsystems.radius.log.DBSvrLogImpl <252>
> Access-Request(1) LEN=87 127.0.0.1:9008 Access-Request by user Failed:
> AccessRejectException: Access Denied
>
>
> I have done lots of things to solve it, but with no effect. I am a student and
> I did all those things on one computer. I use Ubuntu 12.04 (64).
> I am a beginner, so I don't know whether I should bring more messages for you
> to solve it. Tell me and I will show you soon.
> Any help would be appreciated.
>
> thanks,
> Wang Dexing

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode.net

wangdexing
Thanks for your answer. I have done as you suggested, and there are some errors in WiKIDAdmin/logs:

2014-03-19 14:46:00.793 ERROR com.wikidsystems.client.wClient ERROR: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2014-03-19 14:46:00.776 ERROR com.wikidsystems.server.wAuth Couldn't validate the client certificate. Verify the validity and dates of the client cert.
2014-03-19 15:14:55.428 INFO com.wikidsystems.radius.log.DBSvrLogImpl Exception in thread: DATAGRAM LEN = 87 FROM 127.0.0.1:6480 java.lang.NullPointerException
    at com.wikidsystems.radius.nas.UnknownNAS.unknownNAS(UnknownNAS.java:32)
    at com.theorem.radserver3.RADIUSSession.v(DashoA10*..)
    at com.theorem.radserver3.RADIUSSession.e(DashoA10*..)
    at com.theorem.radserver3.RADIUSSession.d(DashoA10*..)
    at com.theorem.radserver3.RADIUSSession.run(DashoA10*..)
    at java.lang.Thread.run(Thread.java:701)

I don't know what those mean; maybe they are the problem.
I tried 'tcpdump -v port radius' on my terminal but no request came.
Of course I restart the service every time after creating or editing a network client, and the user's status is 1.
I will continue to try to resolve it, and any help would be appreciated.

thanks,
Wang Dexing

Nick Owen
Administrator
Did you create an intermediate and localhost certificate?  And you are
using the Enterprise version of WiKID?  The open source community
version does not support Radius.

If the packets are not getting to WiKID, then you need to figure that part out.

You can see our tutorial on two-factor auth for pam-radius here:
http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to
or here: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu
for Ubuntu.


--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode.net

wangdexing
Yes, I have created an intermediate and localhost certificate.
I'm using the Enterprise version of WiKID.
I configured pam-radius in the same way, according to the WiKID website.
Judging from the errors in WiKIDAdmin/Logs, I am just wondering how the WiKID server can validate the client certificate,
since it only has the IP of the network client, but does not know the port.
Or maybe I have misunderstood something.
I will check everything again, and thanks very much for helping me.
..Wait, I found something in /var/log/auth.log:

Mar 21 00:52:13 wdx-IdeaPad-Z465 sshd[7706]: Server listening on 10.12.52.32 port 22.
Mar 21 00:52:35 wdx-IdeaPad-Z465 gnome-keyring-daemon[1391]: unsupported key algorithm in certificate: 1.2.840.10045.2.1
Mar 21 00:52:35  gnome-keyring-daemon[1391]: last message repeated 9 times

What do they mean? I think there must be something wrong with the certificate. I will ask Google for help.
Any help would be appreciated.


thanks,
Wang Dexing


Nick Owen
Administrator

Radius uses the shared secret from the Network Client settings, not the certificate. I just wanted to make sure the server was set up.

I don't know what the logs mean. 

You can run that tcpdump command on the client box to see if the requests are leaving it too.


wangdexing
I found some messages on Google, from http://askubuntu.com/questions/174633/gnome-keyring-daemon16231-unsupported-key-algorithm-in-certificate-1-2-840-1
I did so, i.e.:
env | grep SSH_AUTH_SOCK
unset SSH_AUTH_SOCK

Then I restarted everything and tried again. Still failed.
But I found something in WiKIDAdmin/Log (please read them from bottom to top):

2014-03-21 01:32:17.416 DEBUG com.wikidsystems.radius.log.DBDbgLogImpl <91> Access-Reject(3) LEN=85 10.12.52.32:10454 PACKET SUCCESSFULLY SENT
2014-03-21 01:32:17.415 DEBUG com.wikidsystems.radius.log.DBDbgLogImpl ---------------------------------------------------------------
<91> -------------------------- Packet About to be Sent ------------------------
<91> Address: 10.12.52.32:10454 Packet Length: 20 Type: Access-Reject(3)
000: 03 5B 00 14 CD 03 97 A3 - 8E 85 5F 03 44 B0 C3 4F .[...... - .._.D..O
010: F1 27 F8 87 - .'..
Attributes:
<91> ---------------------------------------------------------------
2014-03-21 01:32:17.414 DEBUG com.wikidsystems.radius.log.DBDbgLogImpl <91> Access-Reject(3) LEN=85 10.12.52.32:10454 SENDING PACKET
2014-03-21 01:32:17.414 INFO com.wikidsystems.radius.log.DBSvrLogImpl <91> Access-Request(1) LEN=85 10.12.52.32:10454 Access-Request by ko Failed: AccessRejectException: Access Denied
2014-03-21 01:32:17.413 INFO com.wikidsystems.radius.access.WikidAccess4 Access denied for ko, domain code: 010012052032 client: /10.12.52.32
2014-03-21 01:32:17.413 DEBUG com.wikidsystems.radius.log.DBDbgLogImpl <91> Access-Request(1) LEN=85 10.12.52.32:10454 Access-Request by ko Failed: AccessRejectException: Access Denied
2014-03-21 01:32:17.410 DEBUG com.wikidsystems.radius.log.DBDbgLogImpl
<91> -------------------------- Packet Arrived ------------------------
<91> Address: 10.12.52.32:10454 Packet Length: 85 Type: Access-Request(1)
000: 01 5B 00 55 44 9B AA 00 - DB F1 26 C2 CC 68 99 B0 .[.UD... - ..&..h..
010: 47 F8 79 45 01 04 6B 6F - 02 12 E1 94 36 7D 89 87 G.yE..ko - ....6}..
020: 7B 43 C1 25 16 C8 38 15 - 47 A4 04 06 7F 00 01 01 {C.%..8. - G.......
030: 20 06 73 73 68 64 05 06 - 00 00 24 D5 3D 06 00 00 .sshd.. - ..$.=...
040: 00 05 06 06 00 00 00 08 - 1F 0D 31 30 2E 31 32 2E ........ - ..10.12.
050: 35 32 2E 33 32 - 52.32
Attributes:
User-Name (1), Length: 4, Data: [ko], 0x6B6F
User-Password (2), Length: 18, Data: 0xE194367D89877B43C12516C8381547A4
NAS-IP-Address (4), Length: 6, Data: [IP 127.0.1.1], 0x7F000101
NAS-Identifier (32), Length: 6, Data: [sshd], [# 1936943204] / [IP 115.115.104.100], 0x73736864
NAS-Port (5), Length: 6, Data: [# 9429], 0x000024D5
NAS-Port-Type (61), Length: 6, Data: [# 5 (Virtual)], 0x00000005
Service-Type (6), Length: 6, Data: [# 8 (Authenticate-Only)], 0x00000008
Calling-Station-Id (31), Length: 13, Data: [10.12.52.32], 0x31302E31322E35322E3332
<91> ---------------------------------------------------------------
2014-03-21 01:32:17.405 DEBUG com.wikidsystems.radius.log.DBDbgLogImpl <91> Access-Request(1) LEN=85 10.12.52.32:10454 PACKET ARRIVED

It looks like the server could receive the request, but still rejected it.

Nick Owen
Administrator

Is the user still enabled?  It looks like there are more logs that can be set to debug too.


wangdexing
Yes, the user is enabled.
I set all logs to debug but got no more useful messages.
Maybe I should come to understand the format of RADIUS request packets, and
try to find the error.
Thanks for your help.
Any help or suggestion would be appreciated.

Thanks,
WangDexing
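
The last post turns to the RADIUS packet format, and an earlier reply notes that RADIUS relies on the shared secret from the Network Client settings rather than the certificate. As an added example (not part of any post in this thread and not WiKID code), the following parses the Access-Request bytes from the quoted debug log and implements the RFC 2865 User-Password hiding and Response Authenticator check. The shared secret is not on the page, so any secret passed to these functions is an assumption supplied by whoever runs it.

```python
import hashlib
import hmac
import struct

# Bytes copied from the WiKID debug-log hex dumps quoted in the thread.
REQUEST = bytes.fromhex(
    "01 5B 00 55 44 9B AA 00 DB F1 26 C2 CC 68 99 B0"
    "47 F8 79 45 01 04 6B 6F 02 12 E1 94 36 7D 89 87"
    "7B 43 C1 25 16 C8 38 15 47 A4 04 06 7F 00 01 01"
    "20 06 73 73 68 64 05 06 00 00 24 D5 3D 06 00 00"
    "00 05 06 06 00 00 00 08 1F 0D 31 30 2E 31 32 2E"
    "35 32 2E 33 32")
REJECT = bytes.fromhex("03 5B 00 14 CD 03 97 A3 8E 85 5F 03 44 B0 C3 4F F1 27 F8 87")
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 31: "Calling-Station-Id", 32: "NAS-Identifier",
         61: "NAS-Port-Type"}

def parse(pkt):
    """Split a RADIUS datagram into (code, id, authenticator, attributes)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("truncated datagram or wrong length field")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[NAMES.get(atype, atype)] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs

def xor_password(data, secret, authenticator, decode=False):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the Request Authenticator seeds the first block."""
    if not decode:  # pad the cleartext with NULs to a multiple of 16 bytes
        data = data.ljust(max(1, -(-len(data) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decode else block
    return out.rstrip(b"\x00") if decode else out

def response_auth_ok(response, request_auth, secret):
    """RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    code, ident, req_auth, attrs = parse(REQUEST)
    print("code", code, "id", ident, attrs)
    print("reject carries no attributes:", parse(REJECT)[3] == {})
```

When the secret configured for pam_radius differs from the one in the server's network client entry, `xor_password(..., decode=True)` yields random bytes instead of the passcode, so the server sees a wrong passcode rather than a reported secret mismatch.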