Activated the TTLS module:

ttls {
        default_eap_type = md5
        use_tunneled_reply = no
}

and that's all.


Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of José Luis Solano
Sent: Monday, 9 February 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Hi Lionel!!!!!!!!!!!!!!


I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to
run TTLS, and I will run PEAP after. So, can you help me please? Currently, my
radiusd.conf is:

--------------------
 # Extensible Authentication Protocol
        #
        #  For all EAP related authentications
        eap {
                # Invoke the default supported EAP type when
                # EAP-Identity response is received
                default_eap_type = tls

                # Default expiry time to clean the EAP list,
                # It is maintained to co-relate the
                # EAP-response for each EAP-request sent.
                timer_expire     = 60

                # Supported EAP-types
                #md5 {
                #}

                ## EAP-TLS is highly experimental EAP-Type at the moment.
                #       Please give feedback on the mailing list.
                tls {
                        private_key_password = izadisan
                        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                #       If Private key & Certificate are located in the
                #       same file, then private_key_file & certificate_file
                #       must contain the same file name.
                        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                #       Trusted Root CA list
                        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                        dh_file = /usr/local/openssl/ssl/certs/dh
                        random_file = /usr/local/openssl/ssl/certs/random
                #
                #       This can never exceed MAX_RADIUS_LEN (4096)
                #       preferably half the MAX_RADIUS_LEN, to
                #       accommodate other attributes in RADIUS packet.
                #       On most APs the MAX packet length is configured
                #       between 1500 - 1600. In these cases, fragment
                #       size should be <= 1024.
                #
                        fragment_size = 600

                #       include_length is a flag which is by default set to yes
                #       If set to yes, Total Length of the message is included
                #       in EVERY packet we send.
                #       If set to no, Total Length of the message is included
                #       ONLY in the First packet of a fragment series.
                #
                        include_length = yes
                }
        }
------------------------------

What changes do I need to use TTLS?



Thanks in advance Lionel!!!!!!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
----- Original Message -----
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems


> Hi,
>
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I have the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.
>
> Extract of the log:
>
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> modcall: entering group Auth-Type for request 6
> rlm_mschap: We require a User-Name for MS-CHAPv2
>   modcall[authenticate]: module "mschap" returns invalid for request 6
> modcall: group Auth-Type returns invalid for request 6
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 6
> modcall: group authenticate returns reject for request 6
> auth: Failed to validate the user.
>   PEAP: Got tunneled reply RADIUS code 3
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x00000000000000000000000000000000
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
>   modcall[authenticate]: module "eap" returns handled for request 6
> modcall: group authenticate returns handled for request 6
> Sending Access-Challenge of id 179 to 139.165.212.248:21648
>         EAP-Message = 0x0109004819001703010018ac414f6ecefb1195938be450e38551daade29cc502427c8d17030100200deeb0441302502f9721238326439a05db8a1f2e0974378092c076a44c9297b4
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x13eb44c46fbe30f082eaf7522f3c315e
> Finished request 6
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 139.165.212.248:21648, id=180, length=168
>         User-Name = "lga"
>         Framed-MTU = 1400
>         Called-Station-Id = "000c.304f.75da"
>         Calling-Station-Id = "000c.3052.9812"
>         Message-Authenticator = 0x9f589078de1b5fe1cd17051ba032b42f
>         EAP-Message = 0x0209002b19001703010020cd5ff5c0835b2f6cf5ae3109a04b77c096854a1ed328bb820781ea790d6c1f6a
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 314
>         State = 0x13eb44c46fbe30f082eaf7522f3c315e
>         Service-Type = Framed-User
>         NAS-IP-Address = 139.165.212.248
> modcall: entering group authorize for request 7
>   modcall[authorize]: module "preprocess" returns ok for request 7
>   modcall[authorize]: module "chap" returns noop for request 7
>   modcall[authorize]: module "mschap" returns noop for request 7
>     rlm_realm: No '@' in User-Name = "lga", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 7
>   rlm_eap: EAP packet type response id 9 length 43
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 7
>     users: Matched lga at 54
>   modcall[authorize]: module "files" returns ok for request 7
> modcall: group authorize returns updated for request 7
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   eaptls_verify returned 7
>   rlm_eap_tls: Done initial handshake
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.
>
>   rlm_eap_peap: Received EAP-TLV response.
>   rlm_eap_peap: Tunneled data is valid.
>   rlm_eap_peap:  Had sent TLV failure, rejecting.
>  rlm_eap: Handler failed in EAP/peap
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
> Delaying request 7 for 1 seconds
> Finished request 7
> Going to the next request
> Waking up in 6 seconds...
>
>
> Hoping that you can help me ...
>
>
> Lionel Gavage
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
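
Added example, not part of the original thread or of FreeRADIUS: a small Python decoder for the EAP-Message values in the debug log quoted above. It shows that the tunneled reply 0x04080004 is an EAP Failure, while the outer PEAP packets carry only encrypted TLS application-data records, so the cause of the reject is visible only in the server's inner-tunnel log lines. The name decode_eap and the lookup tables are assumptions of this example; the three hex strings are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
             23: "ApplicationData"}

# EAP-Message values taken from the debug log in this thread.
INNER_REPLY = "0x04080004"
OUTER_REQUEST = ("0x0109004819001703010018ac414f6ecefb1195938be450e38551daade29cc502427c8d1703"
                 "0100200deeb0441302502f9721238326439a05db8a1f2e0974378092c076a44c9297b4")
OUTER_RESPONSE = ("0x0209002b19001703010020cd5ff5c0835b2f6cf5ae3109a04b77c096854a1ed328bb820781"
                  "ea790d6c1f6a")

def decode_eap(hexstr):
    """Decode one EAP packet (hypothetical helper for reading radiusd -X logs)."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Typical cause: the hex value was wrapped or truncated when pasted.
        raise ValueError("EAP length %d != %d bytes supplied" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "flags": None, "tls_records": []}
    if code in (1, 2) and length > 4:          # only Request/Response carry a type
        etype = raw[4]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype in (13, 21, 25) and length > 5:   # TLS-based methods
            flags = raw[5]                     # L=0x80, M=0x40, S=0x20
            pkt["flags"] = flags
            pos = 6 + (4 if flags & 0x80 else 0)   # skip TLS Message Length if L set
            # Walk TLS record headers; a fragmented packet (M set) may end mid-record.
            while pos + 5 <= length:
                rtype, _ver, rlen = struct.unpack("!BHH", raw[pos:pos + 5])
                pkt["tls_records"].append((TLS_TYPES.get(rtype, rtype), rlen))
                pos += 5 + rlen
    return pkt

if __name__ == "__main__":
    for name, value in (("inner reply", INNER_REPLY),
                        ("outer request", OUTER_REQUEST),
                        ("outer response", OUTER_RESPONSE)):
        print(name, decode_eap(value))
```

The decoded response (id 9, length 43) matches the log line "EAP packet type response id 9 length 43".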

