Hello Kaspar.
Kaspar Landsberg wrote:
I successfully set up a WLAN/radius system with a Cisco AP-1100, Windows XP (securew2) and freeradius v1.0.0-pre3 using EAP/TTLS with PAP inside the tunnel.
But trying to use the same system with EAP/MD5 inside the tunnel instead of PAP (as suggested in the eap.conf file) gives me the following error:
--- radiusd -xx ---
[...]
  TTLS: Got tunneled request
        EAP-Message = 0x0200000b01617074657374
        Message-Authenticator = 0x00000000000000000000000000000000
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Got tunneled identity of aptest
  TTLS: Setting default EAP type for tunneled EAP session.
  TTLS: Sending tunneled request
        EAP-Message = 0x0200000b01617074657374
        Message-Authenticator = 0x00000000000000000000000000000000
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "aptest"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched DEFAULT at 222
    users: Matched DEFAULT at 225
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password: Found Auth-Type EAP
  rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'aptest'
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_unix: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "unix" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Login incorrect: [aptest] (from client localhost port 0)
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
[...]
I suppose that my "users" file is not correctly set up for EAP/TTLS with EAP/MD5 inside the tunnel:
SecureW2 supports EAP-TTLS-PAP and EAP-TTLS-EAP-<windows EAPs>, in your case EAP-TTLS-EAP-MD5. Please read the logfiles again; they clearly state that you have EAP inside a tunnel and complain about a double Auth-Type setting (EAP and System).
(anonymous is the UID used by securew2 for the outer identity.)
--- users ---
anonymous
DEFAULT Freeradius-Proxied-To == 127.0.0.1
        Fall-Through = yes
DEFAULT Auth-Type += System
--- users ---
I'm pretty sure I'm missing something rather basic and simple. But up to now, this something has managed to escape my attention...
:)
--
Best regards,
Rok Papez.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
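
An added example, not part of the original thread and not FreeRADIUS code: a small Python check that scans radiusd debug output for the condition the reply points to, a request on which two Auth-Types are found and EAP is displaced by another one. The sample log is a constructed, condensed excerpt of the output quoted above; the function and field names are hypothetical.

```python
import re

# Constructed sample: condensed from the debug output quoted in the post.
SAMPLE_LOG = """\
modcall: entering group authorize for request 4
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched DEFAULT at 222
    users: Matched DEFAULT at 225
modcall: group authorize returns updated for request 4
  rad_check_password: Found Auth-Type EAP
  rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'aptest'
auth: type "System"
modcall: entering group authenticate for request 4
rlm_unix: Attribute "User-Password" is required for authentication.
auth: Failed to validate the user.
"""

RE_REQUEST = re.compile(r"entering group authorize for request (\d+)")
RE_USERS = re.compile(r"users: Matched (\S+) at (\d+)")
RE_FOUND = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
RE_CHOSEN = re.compile(r'auth: type "?([^"\s]+)"?')


def find_auth_type_conflicts(log_text):
    """Return one record per request on which more than one Auth-Type was found."""
    conflicts, cur = [], None
    for line in log_text.splitlines():
        if m := RE_REQUEST.search(line):
            cur = {"request": int(m.group(1)), "users_lines": [], "found": []}
        elif cur is None:
            continue  # not inside an authorize pass yet
        elif m := RE_USERS.search(line):
            # "users" file entries that matched; candidates for the extra Auth-Type
            cur["users_lines"].append((m.group(1), int(m.group(2))))
        elif m := RE_FOUND.search(line):
            cur["found"].append(m.group(1))
        elif m := RE_CHOSEN.search(line):
            cur["chosen"] = m.group(1)
            if len(set(cur["found"])) > 1:
                # The tunneled EAP request carries no User-Password, so a
                # non-EAP handler such as "unix" cannot authenticate it.
                cur["eap_displaced"] = "EAP" in cur["found"] and cur["chosen"] != "EAP"
                conflicts.append(cur)
            cur = None
    return conflicts


if __name__ == "__main__":
    for c in find_auth_type_conflicts(SAMPLE_LOG):
        print(c)
```

The users_lines field lists the "users" file line numbers that matched during the authorize pass, which is where to look for the entry adding the second Auth-Type.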