Be sure you have added the CA certificate into the trusted root store on your windows machine. If you haven't, your PEAP conversation will stop at this point (right after receiving the EAP-Identity response).
--Mike On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote: > Hello Rinaldo- > > I tried what you told me, and it did not help. > > I'm looking at the log here, and see that it is building the TLS > connection, but it is not going to the next step, whatever that may be. > > The XP machine just sits at "Attempting to authenticate" > > If I do a packet dump, then I am able to see the traffic go back and > forth, with no NAKs. I even tried setting a static IP for the machine. > > Is there something that I am missing? > > -Mark > > /root/start-rad -sAX > + LD_LIBRARY_PATH=/usr/lib > + LD_PRELOAD=/usr/lib/libcrypto.so > + export LD_LIBRARY_PATH LD_PRELOAD > + radiusd -sAX > Starting - reading configuration files ... > reread_config: reading radiusd.conf > Config: including file: /usr/local/etc/raddb/proxy.conf > Config: including file: /usr/local/etc/raddb/clients.conf > Config: including file: /usr/local/etc/raddb/snmp.conf > Config: including file: /usr/local/etc/raddb/eap.conf > Config: including file: /usr/local/etc/raddb/sql.conf > main: prefix = "/usr/local" > main: localstatedir = "/usr/local/var" > main: logdir = "/usr/local/var/log/radius" > main: libdir = "/usr/local/lib" > main: radacctdir = "/usr/local/var/log/radius/radacct" > main: hostname_lookups = no > main: max_request_time = 30 > main: cleanup_delay = 5 > main: max_requests = 1024 > main: delete_blocked_requests = 0 > main: port = 0 > main: allow_core_dumps = no > main: log_stripped_names = no > main: log_file = "/usr/local/var/log/radius/radius.log" > main: log_destination = "files" > main: log_auth = no > main: log_auth_badpass = no > main: log_auth_goodpass = no > main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" > main: user = "(null)" > main: group = "(null)" > main: usercollide = no > main: lower_user = "no" > main: lower_pass = "no" > main: nospace_user = "no" > main: nospace_pass = "no" > main: checkrad = "/usr/local/sbin/checkrad" > main: debug_level = 0 > main: proxy_requests = yes > proxy: retry_delay = 5 > proxy: retry_count = 3 > proxy: synchronous = no > proxy: default_fallback = yes > proxy: dead_time = 120 > proxy: post_proxy_authorize = yes > proxy: wake_all_if_all_dead = no > security: max_attributes = 200 > security: reject_delay = 1 > security: status_server = no > read_config_files: reading dictionary > read_config_files: reading naslist > Using deprecated naslist file. Support for this will go away soon. > read_config_files: reading clients > read_config_files: reading realms > radiusd: entering modules setup > Module: Library search path is /usr/local/lib > Module: Loaded exec > exec: wait = yes > exec: program = "(null)" > exec: input_pairs = "request" > exec: output_pairs = "(null)" > exec: packet_type = "(null)" > rlm_exec: Wait=yes but no output defined. Did you mean output=none? > Module: Instantiated exec (exec) > Module: Loaded expr > Module: Instantiated expr (expr) > Module: Loaded PAP > pap: encryption_scheme = "crypt" > Module: Instantiated pap (pap) > Module: Loaded CHAP > Module: Instantiated chap (chap) > Module: Loaded MS-CHAP > mschap: use_mppe = no > mschap: require_encryption = no > mschap: require_strong = no > mschap: with_ntdomain_hack = no > mschap: passwd = "(null)" > mschap: authtype = "MS-CHAP" > mschap: ntlm_auth = "(null)" > Module: Instantiated mschap (mschap) > Module: Loaded eap > eap: default_eap_type = "peap" > eap: timer_expire = 60 > eap: ignore_unknown_eap_types = yes > eap: cisco_accounting_username_bug = no > rlm_eap: Loaded and initialized type md5 > rlm_eap: Loaded and initialized type leap > gtc: challenge = "Password: " > gtc: auth_type = "Local" > rlm_eap: Loaded and initialized type gtc > tls: rsa_key_exchange = no > tls: dh_key_exchange = yes > tls: rsa_key_length = 512 > tls: dh_key_length = 512 > tls: verify_depth = 0 > tls: CA_path = "(null)" > tls: pem_file_type = yes > tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" > tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" > tls: CA_file = "/usr/local/etc/raddb/certs/root.pem" > tls: private_key_password = "kickass" > tls: dh_file = "/usr/local/etc/raddb/certs/dh" > tls: random_file = "/usr/local/etc/raddb/certs/random" > tls: fragment_size = 1024 > tls: include_length = yes > tls: check_crl = no > tls: check_cert_cn = "(null)" > rlm_eap: Loaded and initialized type tls > peap: default_eap_type = "mschapv2" > peap: copy_request_to_tunnel = no > peap: use_tunneled_reply = no > peap: proxy_tunneled_request_as_eap = yes > rlm_eap: Loaded and initialized type peap > mschapv2: with_ntdomain_hack = no > rlm_eap: Loaded and initialized type mschapv2 > Module: Instantiated eap (eap) > Module: Loaded preprocess > preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" > preprocess: hints = "/usr/local/etc/raddb/hints" > preprocess: with_ascend_hack = no > preprocess: ascend_channels_per_line = 23 > preprocess: with_ntdomain_hack = no > preprocess: with_specialix_jetstream_hack = no > preprocess: with_cisco_vsa_hack = no > Module: Instantiated preprocess (preprocess) > Module: Loaded files > files: usersfile = "/usr/local/etc/raddb/users" > files: acctusersfile = "/usr/local/etc/raddb/acct_users" > files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" > files: compat = "no" > Module: Instantiated files (files) > Module: Loaded Acct-Unique-Session-Id > acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, > Client-IP-Address, NAS-Port" > Module: Instantiated acct_unique (acct_unique) > Module: Loaded realm > realm: format = "suffix" > realm: delimiter = "@" > realm: ignore_default = no > realm: ignore_null = no > Module: Instantiated realm (suffix) > Module: Loaded detail > detail: detailfile = > "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" > detail: detailperm = 384 > detail: dirperm = 493 > detail: locking = no > Module: Instantiated detail (detail) > Module: Loaded System > unix: cache = no > unix: passwd = "(null)" > unix: shadow = "(null)" > unix: group = "(null)" > unix: radwtmp = "/usr/local/var/log/radius/radwtmp" > unix: usegroup = no > unix: cache_reload = 600 > Module: Instantiated unix (unix) > Module: Loaded radutmp > radutmp: filename = "/usr/local/var/log/radius/radutmp" > radutmp: username = "%{User-Name}" > radutmp: case_sensitive = yes > radutmp: check_with_nas = yes > radutmp: perm = 384 > radutmp: callerid = yes > Module: Instantiated radutmp (radutmp) > Listening on authentication *:1812 > Listening on accounting *:1813 > Listening on proxy *:1814 > Ready to process requests. > > > > rad_recv: Access-Request packet from host 24.140.1.84:32805, id=1, > length=121 > User-Name = "hoffer" > NAS-IP-Address = 24.140.1.84 > Called-Station-Id = "00026f3033c7" > Calling-Station-Id = "009096ae41d0" > NAS-Identifier = "ap" > NAS-Port = 29 > Service-Type = Framed-User > Framed-MTU = 1400 > NAS-Port-Type = Wireless-802.11 > EAP-Message = 0x0200000b01686f66666572 > Message-Authenticator = 0x3f2fdd17530dc1a76450f99c18cea7ed > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 0 > modcall[authorize]: module "preprocess" returns ok for request 0 > modcall[authorize]: module "chap" returns noop for request 0 > modcall[authorize]: module "mschap" returns noop for request 0 > users: Matched hoffer at 1 > modcall[authorize]: module "files" returns ok for request 0 > rlm_eap: EAP packet type response id 0 length 11 > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation > modcall[authorize]: module "eap" returns updated for request 0 > modcall: group authorize returns updated for request 0 > rad_check_password: Found Auth-Type EAP > auth: type "EAP" > Processing the authenticate section of radiusd.conf > modcall: entering group authenticate for request 0 > rlm_eap: EAP Identity > rlm_eap: processing type tls > rlm_eap_tls: Initiate > rlm_eap_tls: Start returned 1 > modcall[authenticate]: module "eap" returns handled for request 0 > modcall: group authenticate returns handled for request 0 > Sending Access-Challenge of id 1 to 24.140.1.84:32805 > EAP-Message = 0x010100061920 > Message-Authenticator = 0x00000000000000000000000000000000 > State = 0x175b2c823bd214971c931677ce1a257d > Finished request 0 > Going to the next request > --- Walking the entire request list --- > Waking up in 6 seconds... > > > > On Wed, 2004-07-07 at 10:47, Rinaldo Bergamini wrote: > > Hi Mark! > > > > Mark Hoffer wrote: > > > peap: default_eap_type = "gtc" > > > > try changing to default_eap_type = "mschapv2" in the PEAP section of the > > eap.conf . This must also be specified in the win xp network propreties. > > > > Hope this helps... > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- --Mike ----------------------------------- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html