Hi all!
I use: freeradius-snapshot-20040216,
openssl 0.9.7c, a Cisco PCMCIA card and a D-Link access point, XP
client.
I would like to run PEAP but freeradius shows me the
following error. Please, look at my authenticate and authorize
modules!
Any idea?
Thanks in advance!
freeradius logs
--------------------------------------
        S-IP-Address = 192.168.49.252
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-01-01-55"
        Calling-Station-Id = "00-0B-46-26-1C-44"
        NAS-Identifier = "DWL-1000AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a
        State = 0x112e15244708c595cec067388e416f35
        Message-Authenticator = 0x4f0281d0e0d358ca365c0b2ca66be681
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
    rlm_realm: No '@' in User-Name = "111111111119", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
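Added example (editor's code, not from the original post or from FreeRADIUS): a Python decoder for the EAP-Message value quoted in the log above. It parses the EAP header and the TLS record header inside the PEAP payload, which shows that this packet (id 9, 38 bytes, PEAP v0) is TLS application data, i.e. the phase-2 exchange that rlm_eap_peap is decoding when it logs "Had sent TLV failure, rejecting". Function names are the editor's own.

```python
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Value copied from the EAP-Message attribute in the debug output above.
EAP_MESSAGE_HEX = ("0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d"
                   "2adb243b14f91f0c1df86a")

def decode_eap_message(hexval):
    """Parse the EAP header; for EAP-TLS/PEAP also parse the flags byte and the
    first TLS record header of the carried data (RFC 3748 / RFC 2716 layout)."""
    raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} does not match {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return out  # Success/Failure carry no type or data
    eap_type = raw[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type in (13, 25):
        flags = raw[5]
        out["flags"] = {"L": bool(flags & 0x80),  # TLS message length included
                        "M": bool(flags & 0x40),  # more fragments follow
                        "S": bool(flags & 0x20)}  # start of conversation
        if eap_type == 25:
            out["peap_version"] = flags & 0x07  # low bits carry the PEAP version
        body = raw[6:]
        if flags & 0x80:
            out["tls_total_length"] = int.from_bytes(body[:4], "big")
            body = body[4:]
        if len(body) >= 5:
            out["tls_record"] = {
                "content_type": TLS_CONTENT.get(body[0], body[0]),
                "version": f"{body[1]}.{body[2]}",  # 3.1 is TLS 1.0
                "record_length": int.from_bytes(body[3:5], "big"),
            }
    return out

def peap_phase(hexval):
    """Phase 1 is the TLS handshake; phase 2 is the inner method (here MS-CHAPv2)
    running inside the tunnel as encrypted application data."""
    info = decode_eap_message(hexval)
    rec = info.get("tls_record")
    if info.get("type") != "PEAP" or rec is None:
        return "not a PEAP data packet"
    if rec["content_type"] == "application_data":
        return "phase 2 (tunneled inner EAP)"
    return "TLS alert" if rec["content_type"] == "alert" else "phase 1 (TLS handshake)"
```

Because the tunnel is already up when the reject happens, the thing to check is the inner MS-CHAPv2 authentication of user "111111111119" (the DEFAULT entry at users line 154), not the certificate setup.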
radiusd.conf
-----------------------------------------
modules {
    #
    #  Each module has a configuration as follows:
    #
    #    name [ instance ] {
    #        config_item = value
    #        ...
    #    }
    #
    #  The 'name' is used to load the 'rlm_name' library
    #  which implements the functionality of the module.
    #
    #  The 'instance' is optional.  To have two different instances
    #  of a module, it first must be referred to by 'name'.
    #  The different copies of the module are then created by
    #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
    #
    #  The instance names can then be used in later configuration
    #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
    #  below for an example.
    #

    # PAP module to authenticate users based on their stored password
    #
    #  Supports multiple encryption schemes
    #  clear: Clear text
    #  crypt: Unix crypt
    #    md5: MD5 encryption
    #   sha1: SHA1 encryption.
    #  DEFAULT: crypt
    pap {
        encryption_scheme = crypt
    }

    # CHAP module
    #
    #  To authenticate requests containing a CHAP-Password attribute.
    #
    chap {
        authtype = CHAP
    }

    # Pluggable Authentication Modules
    #
    #  For Linux, see:
    #    http://www.kernel.org/pub/linux/libs/pam/index.html
    #
    #  WARNING: On many systems, the system PAM libraries have
    #           memory leaks!  We STRONGLY SUGGEST that you do not
    #           use PAM for authentication, due to those memory leaks.
    #
    pam {
        #
        #  The name to use for PAM authentication.
        #  PAM looks in /etc/pam.d/${pam_auth_name}
        #  for its configuration.  See 'redhat/radiusd-pam'
        #  for a sample PAM configuration file.
        #
        #  Note that any Pam-Auth attribute set in the 'authorize'
        #  section will over-ride this one.
        #
        pam_auth = radiusd
    }

    # Unix /etc/passwd style authentication
    #
    unix {
        #
        #  Cache /etc/passwd, /etc/shadow, and /etc/group
        #
        #  The default is to NOT cache them.
        #
        #  For FreeBSD, you do NOT want to enable the cache,
        #  as its password lookups are done via a database, so
        #  set this value to 'no'.
        #
        #  Some systems (e.g. RedHat Linux with pam_pwbd) can
        #  take *seconds* to check a password, from a passwd
        #  file containing 1000's of entries.  For those systems,
        #  you should set the cache value to 'yes', and set
        #  the locations of the 'passwd', 'shadow', and 'group'
        #  files, below.
        #
        #  allowed values: {no, yes}
        cache = no

        # Reload the cache every 600 seconds (10mins). 0 to disable.
        cache_reload = 600

        #
        #  Define the locations of the normal passwd, shadow, and
        #  group files.
        #
        #  'shadow' is commented out by default, because not all
        #  systems have shadow passwords.
        #
        #  To force the module to use the system password functions,
        #  instead of reading the files, leave the following entries
        #  commented out.
        #
        #  This is required for some systems, like FreeBSD,
        #  and Mac OSX.
        #
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group

        #
        #  Where the 'wtmp' file is located.
        #  This should be moved to its own module soon.
        #
        #  The only use for 'radlast'.  If you don't use
        #  'radlast', then you can comment out this item.
        #
        radwtmp = ${logdir}/radwtmp
    }

    # Extensible Authentication Protocol
    #
    #  For all EAP related authentications
    eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received.
        #
        # The incoming EAP messages DO NOT specify which EAP
        # type they will be using, so it MUST be set here.
        #
        # For now, only one default EAP type may be used at a time.
        #
        default_eap_type = tls

        # Default expiry time to clean the EAP list. It is
        # maintained to correlate the EAP-Response for each
        # EAP-request sent.
        timer_expire = 60

        ignore_unknown_eap_types = no

        # Supported EAP-types
        #
        #  We do NOT recommend using EAP-MD5 authentication
        #  for wireless connections.  It is insecure, and does
        #  not provide for dynamic WEP keys.
        #
        md5 {
        }

        # Cisco LEAP
        #
        #  Cisco LEAP uses the MS-CHAP algorithm (but not
        #  the MS-CHAP attributes) to perform its authentication.
        #
        #  As a result, LEAP *requires* access to the plain-text
        #  User-Password, or the NT-Password attributes.
        #  'System' authentication is impossible with LEAP.
        #
        leap {
        }

        ## EAP-TLS is a highly experimental EAP-Type at the moment.
        #  Please give feedback on the mailing list.
        tls {
            private_key_password = izadisan
            private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

            #  If Private key & Certificate are located in
            #  the same file, then private_key_file &
            #  certificate_file must contain the same file
            #  name.
            certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

            #  Trusted Root CA list
            CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem

            dh_file = /usr/local/openssl/ssl/certs/dh
            random_file = /usr/local/openssl/ssl/certs/random

            #
            #  This can never exceed the size of a RADIUS
            #  packet (4096 bytes), and is preferably half
            #  that, to accommodate other attributes in
            #  RADIUS packet.  On most APs the MAX packet
            #  length is configured between 1500 - 1600
            #  In these cases, fragment size should be
            #  1024 or less.
            #
            fragment_size = 1024

            #  include_length is a flag which is
            #  by default set to yes.  If set to
            #  yes, Total Length of the message is
            #  included in EVERY packet we send.
            #  If set to no, Total Length of the
            #  message is included ONLY in the
            #  First packet of a fragment series.
            #
            include_length = yes
        }

        #ttls {
        #    default_eap_type=md5
        #    copy_request_to_tunnel = no
        #    use_tunneled_reply=no
        #}

        #peap {
        #    default_eap_type=mschapv2
        #}

        #mschapv2 {
        #}

        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
        }

        mschapv2 {
        }
    }

    # Microsoft CHAP authentication
    #
    #  This module supports MS-CHAP and MS-CHAPv2 authentication.
    #  It also enforces the SMB-Account-Ctrl attribute.
    #
    mschap {
        #
        #  As of 0.9, the mschap module does NOT support
        #  reading from /etc/smbpasswd.
        #
        #  If you are using /etc/smbpasswd, see the 'passwd'
        #  module for an example of how to use /etc/smbpasswd

        # authtype value, if present, will be used
        # to overwrite (or add) Auth-Type during
        # authorization. Normally should be MS-CHAP
        authtype = MS-CHAP

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        # use_mppe = no

        # if mppe is enabled require_encryption makes
        # encryption moderate
        #
        # require_encryption = yes

        # require_strong always requires 128 bit key
        # encryption
        #
        # require_strong = yes
    }
}

authorize {
    preprocess

    #
    #  If you want to have a log of authentication requests,
    #  un-comment the following line, and the 'detail auth_log'
    #  section, above.
#   auth_log

    #
    #  The chap module will set 'Auth-Type := CHAP' if we are
    #  handling a CHAP request and Auth-Type has not already been set
    chap

#   attr_filter

    #
    #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
    #  authentication.
    eap

    #
    #  If you have a Cisco SIP server authenticating against
    #  FreeRADIUS, uncomment the following line.
#   digest

    #
    #  Look for IPASS style 'realm/', and if not found, look for
    #  '@realm', and decide whether or not to proxy, based on
    #  that.
#   realmslash
    suffix

    #
    #  Read the 'users' file
    files

    #
    #  If you are using /etc/smbpasswd, and are also doing
    #  mschap authentication, then un-comment this line, and
    #  configure the 'etc_smbpasswd' module, above.
#   etc_smbpasswd

    #
    #  If the users are logging in with an MS-CHAP-Challenge
    #  attribute for authentication, the mschap module will find
    #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
    #  to the request, which will cause the server to then use
    #  the mschap module for authentication.
    mschap

    # The ldap module will set Auth-Type to LDAP if it has not already been set
#   ldap

#   daily
}

# Authentication.
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that you have to have a module from the 'authorize' section add
#  a configuration attribute 'Auth-Type := FOO'.  That authentication type
#  is then used to pick the appropriate module from the list below.
#
#  The default Auth-Type is Local.  That is, whatever is not included inside
#  an authtype section will be called only if Auth-Type is set to Local.
#
#  So you should do the following:
#  - Set Auth-Type to an appropriate value in the authorize modules above.
#    For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
#  - After that create corresponding authtype sections in the
#    authenticate section below and call the appropriate modules.
authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #
    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap
    }

    #
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #
    #  If you have a Cisco SIP server authenticating against
    #  FreeRADIUS, uncomment the following line.
#   digest

    #
    #  Pluggable Authentication Modules.
#   pam

    #
    #  See 'man getpwent' for information on how the 'unix'
    #  module checks the users password.  Note that packets
    #  containing CHAP-Password attributes CANNOT be authenticated
    #  against /etc/passwd!  See the FAQ for details.
    #
#   unix

    # Uncomment it if you want to use ldap for authentication
#   Auth-Type LDAP {
#       ldap
#   }

    #
    #  Allow EAP authentication.
    eap
}

José Luis Solano
SGI - Soluciones Globales Internet S.A. Delegación Regional Sur [EMAIL PROTECTED] (+34) 954.088.060