I set up a freeradius server (suse 9.0 freeradius-snapshot-20040119 + openssl-0.9.7c) to authenticate wireless Windows (Windows 2000, XP) based clients with 802.1x. On my AccessPoint (a WLAN Router with DHCP, NAT) SMC2804WBR v2 802.1x Authentication is supported and is set up to use the radius server with the specified secret. To test all things, I use a WinXP laptop (SP1) with a D-Link DWL G650+ inserted.
In programming-language notation, the packet from the AP to RADIUS will be encapsulated like:
RADIUS ( EAP ( MSCHAPv2 ) )
where EAP will be "Secure EAP" PEAP. Please tell me if I'm wrong!
My setup of the RADIUS server is oriented on this; I used only the things where I think I need them, to eliminate other error sources.
I have read all relevant mails about this topic and experimented with many snapshots before, but found none to help at this last step. TLS is running, but authentication will not work.
My problem (full logs listed below):
rlm_mschap: No MS-CHAP-Challenge in the request
My setup:
XP-Laptop:
-[WEP] activated
-[Network authentication (common mode)] deactivated
-[key automatically provided] activated
-[IEEE 802.1x Authentication activate] set with EAP (PEAP) --> [test Server certificate] deactivated, [Secure password MSCHAPv2] activated
On the AccessPoint, the NAS-Identifier was set to "port", because a value must be entered. The other options (secret, ports and IP) were set as required.
RADIUS [freeradius-snapshot-20040119] + [openssl-0.9.7c]:
-set up EAP-TLS with help of http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm which works fine.
-set up the testuser
-commented out "not needed" modules
---> played with options
mschap: use_mppe
mschap: require_encryption
mschap: require_strong
If anyone has set up this authentication method completely working, please post all relevant stuff, you will help me very much! But please quote only the relevant text from my mail, I know what I have written.
Greatest thanks for replies and to the complete list, your help is invaluable!
The Files and Logs (comments deleted):
#### radiusd.conf ####
prefix = /usr/local/radius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        eap {
                default_eap_type = peap
                timer_expire = 60
                ignore_unknown_eap_types = yes
                tls {
                        private_key_password = whatever
                        private_key_file = /etc/1x/Radius.pem
                        certificate_file = /etc/1x/Radius.pem
                        CA_file = /etc/1x/root.pem
                        dh_file = /etc/1x/DH
                        random_file = /etc/1x/random
                        fragment_size = 1024
                        include_length = yes
                }
                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }
        mschap {
                authtype = MS-CHAP
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
}

instantiate {
}

authorize {
        preprocess
        eap
        files
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}

preacct {
        preprocess
}

accounting {
}

session {
}

post-auth {
}

pre-proxy {
}

post-proxy {
}
#######################
#### users #####
"tester"  Auth-Type := MS-CHAP, User-Password == "test"

DEFAULT   Auth-Type = System
          Fall-Through = 1

DEFAULT   Service-Type == Framed-User
          Framed-IP-Address = 255.255.255.254,
          Framed-MTU = 576,
          Service-Type = Framed-User,
          Fall-Through = Yes

DEFAULT   Framed-Protocol == PPP
          Framed-Protocol = PPP,
          Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT   Hint == "CSLIP"
          Framed-Protocol = SLIP,
          Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT   Hint == "SLIP"
          Framed-Protocol = SLIP
###############################
##### Start of radius ######
linux:/usr/local/radius # sh run-radius -X -A -f
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/Radius.pem"
tls: certificate_file = "/etc/1x/Radius.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
###########################
###### The request ###########
rad_recv: Access-Request packet from host [The Access Point], id=92, length=95
User-Name = "tester"
NAS-IP-Address = [IP]
NAS-Identifier = "port"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x025c000b01746573746572
Message-Authenticator = 0x0c004aee29dc8c69026755e5c71f3a05
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_eap: EAP packet type response id 92 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched tester at 143
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 0
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 92 to [IP]
Waking up in 4 seconds...
#############################
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
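The Access-Request in the log carries only an EAP Identity response (EAP-Message = 0x025c000b01746573746572); with PEAP, the MSCHAPv2 exchange happens inside the TLS tunnel, so no MS-CHAP-Challenge attribute ever appears at the outer RADIUS layer, and a users entry that forces Auth-Type := MS-CHAP hands such a request to rlm_mschap, which has nothing to work with. The decoder below is an added example, not code from the original post or from the FreeRADIUS project: it parses the EAP-Message shown and checks which outer attributes the mschap module would need; the PEAP-start packet and the attribute list are constructed from the log for illustration.

```python
"""Decode the EAP-Message of a RADIUS Access-Request (RFC 3748 framing, RFC 2716/PEAP flags)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Outer-layer attributes rlm_mschap needs; none of them exist in a PEAP conversation.
MSCHAP_ATTRS = {"MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response"}

# Value copied from the debug output above.
IDENTITY_HEX = "0x025c000b01746573746572"
# Constructed example: a PEAP Request (code 1, id 93, length 6, type 25, S flag set).
PEAP_START_HEX = "0x015d00061920"
# Attribute names of the logged Access-Request (values omitted).
REQUEST_ATTRS = ["User-Name", "NAS-IP-Address", "NAS-Identifier", "NAS-Port",
                 "Service-Type", "Framed-MTU", "NAS-Port-Type",
                 "EAP-Message", "Message-Authenticator"]


def decode_eap(hexstr):
    """Parse one EAP packet given as hex (the form radiusd -X prints) into a dict."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes on the wire")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # only Request/Response carry a Type byte
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = raw[5:]
        if eap_type == 1:                   # Identity: the payload is the user name
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type in (13, 25):          # EAP-TLS / PEAP: flags byte, then TLS data
            flags = data[0]
            pkt["flags"] = {"L": bool(flags & 0x80),   # Length included
                            "M": bool(flags & 0x40),   # More fragments
                            "S": bool(flags & 0x20)}   # Start
            pkt["tls_data"] = data[1:]      # opaque to RADIUS; inner MSCHAPv2 lives here
    return pkt


def mschap_can_run(attr_names):
    """True only if the outer request has a challenge plus an MS-CHAP(v2) response."""
    present = MSCHAP_ATTRS & set(attr_names)
    return "MS-CHAP-Challenge" in present and len(present) >= 2
```

Running decode_eap on IDENTITY_HEX yields a Response with id 92 (matching "id 92" in the rlm_eap line) of type Identity for "tester", and mschap_can_run(REQUEST_ATTRS) is False.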