Re: My problem with PEAP

Thu, 20 Nov 2003 13:03:11 -0800 

Hey guys,

    I reconfigured from the default  radiusd.conf file and did this test again
with the same strange results from peap.  I could certainly be doing something
stupid and would appreciate any further feedback.   I have included my
radiusd.conf file and a new tcpdump from the server.

Sorry for the attachments.

Best wishes,


-=Bill


Michael Griego wrote:

> On Wed, 2003-11-19 at 13:09, Alan DeKok wrote:
> >   From the debug output, it looks like you've managed to make the
> > server call the EAP module *twice* for the request, during the
> > "authenticate" stage.  I have no clue how you managed to do this, but
> > it's definitely wrong.
>
> That's exactly what I'm seeing.
>
> Bill, You didn't by chance put "authorize" or an Autz-Type in the
> "authenticate" section did you?  Based on the trace, it really looks
> like this is what happened.  The server jumps into the authorize section
> upon receiving the request (as normal), then begins the authenticate
> phase, but it then jumps BACK into an authorize block again before
> coming back out of all the mess.
>

I double checked the syntax and don't think I was doing anything like above.


>
> --
>
> --Mike
>
> -----------------------------------
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Ôò¡ê½?íYÈÈøf0¶À~ Eºú>?tÑ?BØ       
â¦UT?/ssÒ°©+¶°?Ûy÷.Ywer  
ssid=Ntelos_AP_01Ñ?B000dbda1f1e9000dbd05196d uncklejam.cstone.net%
x=O
[EMAIL PROTECTED]@N¯Ø        Ñ?BâbgúTZm^zÖ?ìǾÚ-?·µsO PÎé|¯
â ÏV}TlÐÚá?j×ß)?Í»ÞÏ;O Cùj?ñ|~Üûñ Üó
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = yes
lower_user = before
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = no
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                md5 {
                }
                leap {
                }
                tls {
                        private_key_password = thinngything
                        private_key_file = /usr/local/etc/raddb/blah.key
                        certificate_file = /usr/local/etc/raddb/blah.crt
                        CA_file = /usr/local/etc/raddb/blah.cacrt
                        dh_file = /usr/local/etc/raddb/my_imap.dh
                        random_file = /usr/local/etc/raddb/random
                        fragment_size = 1024
                        include_length = yes
                        check_crl = yes
                }
                           
                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }
        mschap {
                authtype = MS-CHAP
                
        }
        realm suffix {
                format = suffix
                delimiter = "@"
        }
        
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = yes
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = yes
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        detail auth_log {
                detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
                detailperm = 0600
         }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port-Id"
        }
        $INCLUDE  ${confdir}/sql.conf
                perm = 0600
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
        }
}
instantiate {
        expr
}
authorize {
        preprocess
        auth_log
        
        chap
        eap
        suffix
        files
        mschap
}
authenticate {
        eap
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        preprocess
        suffix
        files
}
accounting {
        acct_unique
        detail
}
post-auth {
}
pre-proxy {
}
post-proxy {
        eap
}

Reply via email to