hi

summarizing:

- freeradius authenticates the user
- windows XP "thinks that it is authenticated", so it has received the
EAP Success message

right? then, unless your AP implementation is broken or some
incompatible L2 features are activated on the two ends of your L2-link,
your L2 link should be established. thus, any further problems should be
L3 problems: incorrect address, dead DHCP, wrong routes, i don't know
what.

anyway, make sure the above assumptions are true. windows sometimes
shows "connected" symbol although it DOES NOT "think" that it is
authenticated correctly. the status of the authentication can be found
in your Network device list.

if the assumptions are true, then let me put it this way:
- EITHER your AP is broken or your link improperly configured
- OR your network/windows XP are not IP-configured correctly

choose one...

for troubleshooting: can you connect without problems when no EAP is
activated? deactivate EAP on your access point *without touching
anything else* and see if you can connect with your windows. if not you
have identified your problem.

it is difficult to deduce more from what we know so far...


ciao
artur


Israel Cardenas Romero wrote:
> 
> Hi,
> 
> i'm trying FreeRADIUS with HostAP and OpenLDAP to build a 'secure' AP.
> I've configured it to work with EAP-TLS and it works fine with the Windows
> XP supplicant.
> But if I configure it to work with EAP-MD5, it seems not to work:
>  - the Windows XP client is configured with EAP-MD5
>  - it takes login and password from user
>  - FreeRADIUS seems to validate him correctly (here is the log):
> 
> rad_recv: Access-Request packet from host 192.168.49.222:1029, id=3,
> length=231
>         User-Name = "Nombre2 Apellido2"
>         NAS-IP-Address = 192.168.49.222
>         NAS-Port = 1
>         Called-Station-Id = "00-50-C2-10-92-82:SecureAP"
>         Calling-Station-Id = "00-0B-46-26-1B-E2"
>         Framed-MTU = 2304
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message =
> "\002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2
> Apellido2"
>         State =
> 0x548fc174e88138adeecadde08ef4263f2e078b3ee6798cd2f2fd877659244ef7889a108c
>         Message-Authenticator = 0x3da5ed71acd933e4d3f404747dae12ee
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for Nombre2 Apellido2
> radius_xlat:  '(uid=Nombre2 Apellido2)'
> radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
> (uid=Nombre2 Apellido2)
> rlm_ldap: Added password izadisan in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding radiusExpiration as Expiration, value 11 & op=21
> rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user Nombre2 Apellido2 authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - md5
> rlm_eap: processing type md5
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 3 to 192.168.49.222:1029
>         EAP-Message = "\003\004\000\004"
>         Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 30
> Going to the next request
> Waking up in 6 seconds...
> 
>  - Windows XP client itself thinks it's authenticated, because it doesn't try to
> log in any more
>  - but the network is not accessible for the client...

-- 
Artur Hecker
artur[at]hecker.info

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
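
Added example, not part of the original thread and not FreeRADIUS code: Python that decodes the two escaped EAP-Message values from the debug log quoted above and checks that the Access-Accept really carries an EAP Success whose identifier matches the client's EAP-MD5 Response. The function names are hypothetical, and it assumes the log escapes non-printable bytes as `\ooo` octal and a backslash as `\\`.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5 = 4  # MD5-Challenge (RFC 3748)

# EAP-Message values copied from the debug log quoted in this thread
RESPONSE = r"\002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2 Apellido2"
ACCEPT = r"\003\004\000\004"

def unescape(log_value: str) -> bytes:
    """Turn the log's escaped string (assumed: \\ooo octal, \\\\ backslash) into bytes."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 8)) if len(tok) == 3 else tok
    return re.sub(r"\\([0-3][0-7]{2}|.)", repl, log_value).encode("latin-1")

def parse_eap(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length {length} does not fit {len(pkt)} bytes")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    body = pkt[4:length]
    if code in (1, 2) and body:          # only Request/Response carry a Type
        out["type"] = body[0]
        if body[0] == EAP_TYPE_MD5 and len(body) >= 2:
            size = body[1]               # Value-Size, 16 for an MD5 digest
            if 2 + size > len(body):
                raise ValueError("MD5 value-size overruns packet")
            out["md5_value"] = body[2:2 + size].hex()
            out["name"] = body[2 + size:].decode("latin-1")
    return out

def server_sent_success(request_eap: str, accept_eap: str) -> bool:
    """True if the reply is EAP Success with the same identifier as the Response."""
    req = parse_eap(unescape(request_eap))
    rep = parse_eap(unescape(accept_eap))
    return req["code"] == "Response" and rep["code"] == "Success" and rep["id"] == req["id"]

if __name__ == "__main__":
    print(parse_eap(unescape(RESPONSE)))
    print(parse_eap(unescape(ACCEPT)))
    print("EAP Success matches Response:", server_sent_success(RESPONSE, ACCEPT))
```

This only confirms what the RADIUS server sent; whether the AP relayed the Success to the client and opened the port still has to be checked on the AP and the client, as described in the reply.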