yes I also think there's something wrong in the configuration. I put in attach my authorize/authenticate section configuration. Where do you think I'm getting wrong??
Thank you very much for your help!! emi hi comments inline. > I'm trying to authenticate a client with EAP-MD5. I followed directives coming from > the link > > http://www.freeradius.org/doc/EAP-MD5.html, but I have some problems. In attach is > reported the output of radiusd -X. Could someone give a little look to it and help > me to understand the meaning of those messages? I don't understand for example why > there are message related to rlm_chap whereas rlm_eap is not mentioned. > > Thanks in advance, > > emi i think that your authenticate/authorize sections are not properly configured since the eap module is not involved in request processing. check the configuration. ciao artur > > ------------------------------------------------------------------------ > > rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144 > User-Name = "pippo" > Cisco-AVPair = "ssid=tsunami" > NAS-IP-Address = 172.31.71.202 > Called-Station-Id = "000bfd04198e" > Calling-Station-Id = "000b46563147" > NAS-Identifier = "AP1200-04198e" > NAS-Port = 37 > Framed-MTU = 1400 > NAS-Port-Type = Wireless-802.11 > EAP-Message = "\002\002\000\n\001pippo" > Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1 > modcall: entering group authorize > modcall[authorize]: module "preprocess" returns ok > rlm_chap: Could not find proper Chap-Password attribute in request > modcall[authorize]: module "chap" returns noop > modcall[authorize]: module "mschap" returns notfound > modcall[authorize]: module "eap" returns updated > rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL > rlm_realm: No such realm NULL > modcall[authorize]: module "suffix" returns noop > users: Matched pippo at 65 > modcall[authorize]: module "files" returns ok > modcall: group authorize returns updated > rad_check_password: Found Auth-Type EAP > rad_check_password: Found Auth-Type Local > Warning: Found 2 auth-types on request for user 'pippo' > auth: type Local > auth: No User-Password or CHAP-Password attribute in the request > auth: Failed to validate the user. > Delaying request 4 for 1 seconds > Finished request 4 > Going to the next request > --- Walking the entire request list --- > Waking up in 1 seconds... > --- Walking the entire request list --- > Waking up in 1 seconds... > --- Walking the entire request list --- > Sending Access-Reject of id 186 to 172.31.71.202:1212 > Waking up in 4 seconds... > --- Walking the entire request list --- > Cleaning up request 4 ID 186 with timestamp 3e63636b > Nothing to do. Sleeping until we see a request. -- Artur Hecker Département Informatique et Réseaux, ENST Paris http://www.infres.enst.fr/~hecker - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
modules {... # Extensible Authentication Protocol # # For all EAP related authentications eap { # Invoke the default supported EAP type when # EAP-Identity response is received # default_eap_type = md5 # Default expiry time to clean the EAP list, # It is maintained to co-relate the # EAP-response for each EAP-request sent. # timer_expire = 60 # Supported EAP-types default_eap_type=md5 md5 { } authorize { # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. # # It also adds a Client-IP-Address attribute to the request. preprocess # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap counter attr_filter eap suffix files etc_smbpasswd # The ldap module will set Auth-Type to LDAP if it has not already been set ldap } authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. authtype PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. authtype CHAP { chap } # # MSCHAP authentication. authtype MS-CHAP { mschap } pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # unix # Uncomment it if you want to use ldap for authentication authtype LDAP { ldap } eap }