and then, is your user configured properly? Auth-Type := Local?
ciao artur
[EMAIL PROTECTED] wrote:
yes I also think there's something wrong in the configuration. I put in attach my authorize/authenticate section configuration. Where do you think I'm getting wrong??
Thank you very much for your help!! emi
hi
comments inline.
I'm trying to authenticate a client with EAP-MD5. I followed directives coming from the link
http://www.freeradius.org/doc/EAP-MD5.html, but I have some problems. In attach is reported the output of radiusd -X. Could someone give a little look to it and help me to understand the meaning of those messages? I don't understand for example why there are message related to rlm_chap whereas rlm_eap is not mentioned.
Thanks in advance,
emi
i think that your authenticate/authorize sections are not properly configured since the eap module is not involved in request processing.
check the configuration.
ciao artur
------------------------------------------------------------------------
rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144 User-Name = "pippo" Cisco-AVPair = "ssid=tsunami" NAS-IP-Address = 172.31.71.202 Called-Station-Id = "000bfd04198e" Calling-Station-Id = "000b46563147" NAS-Identifier = "AP1200-04198e" NAS-Port = 37 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = "\002\002\000\n\001pippo" Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1 modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok rlm_chap: Could not find proper Chap-Password attribute in request modcall[authorize]: module "chap" returns noop modcall[authorize]: module "mschap" returns notfound modcall[authorize]: module "eap" returns updated rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module "suffix" returns noop users: Matched pippo at 65 modcall[authorize]: module "files" returns ok modcall: group authorize returns updated rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type Local Warning: Found 2 auth-types on request for user 'pippo' auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Delaying request 4 for 1 seconds Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 186 to 172.31.71.202:1212 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 186 with timestamp 3e63636b Nothing to do. Sleeping until we see a request.
------------------------------------------------------------------------
modules {...
# Extensible Authentication Protocol
#
# For all EAP related authentications eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received
# default_eap_type = md5
# Default expiry time to clean the EAP list, # It is maintained to co-relate the # EAP-response for each EAP-request sent. # timer_expire = 60
# Supported EAP-types
default_eap_type=md5 md5 { }
authorize { # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. # # It also adds a Client-IP-Address attribute to the request. preprocess # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap
# # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap
counter attr_filter
eap
suffix files etc_smbpasswd
# The ldap module will set Auth-Type to LDAP if it has not already been set
ldap
}
authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. authtype PAP { pap }
# # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. authtype CHAP { chap }
# # MSCHAP authentication. authtype MS-CHAP { mschap }
pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
# unix
# Uncomment it if you want to use ldap for authentication authtype LDAP { ldap }
eap
}
-- Artur Hecker Département Informatique et Réseaux, ENST Paris http://www.infres.enst.fr/~hecker
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html