Hi Alan,

Thanks a lot for your reply. I really appreciate it,
and it was a great help to me. I took off the
Auth-Type := MS-CHAP from the user bob and also
changed the configuration in the HP switch (aaa
authentication port-access eap-radius).

I think I have now moved one step further, as I am not
getting the same errors anymore.

Now the debug log from radiusd -X shows the following
messages:

--------------------------------------------

[EMAIL PROTECTED] root]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file:
/usr/local/etc/raddb/proxy.conf
Config:   including file:
/usr/local/etc/raddb/clients.conf
Config:   including file:
/usr/local/etc/raddb/snmp.conf
Config:   including file:
/usr/local/etc/raddb/eap.conf
Config:   including file:
/usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir =
"/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file =
"/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile =
"/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will
go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/khurram.pem"
 tls: certificate_file = "/etc/1x/khurram.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups =
"/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile =
"/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile =
"/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename =
"/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host
10.0.1.20:1024, id=247, length=198
        Framed-MTU = 1480
        NAS-IP-Address = 10.0.1.20
NAS-Identifier = "Lower_Switch"
        User-Name = "bob"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 2
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "2"
        Called-Station-Id = "00-01-e6-bd-7a-22"
        Calling-Station-Id = "00-0f-1f-9e-07-49"
        Connect-Info = "CONNECT Ethernet 100Mbps Full
duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "30"
        EAP-Message = 0x0201000801626f62
        Message-Authenticator =
0x2a46e7fe66f05b17259537e545d6abcc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok
for request 1
  modcall[authorize]: module "chap" returns noop for
request 1
  modcall[authorize]: module "mschap" returns noop for
request 1
    rlm_realm: No '@' in User-Name = "bob", looking up
realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 1
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
  modcall[authorize]: module "eap" returns updated for
request 1
    users: Matched bob at 100
radius_xlat:  'Hello, bob'
  modcall[authorize]: module "files" returns ok for
request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
 rlm_eap: No such EAP type peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid
for request 1
modcall: group authenticate returns invalid for
request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds

-----------------------------------

I still did not change the eap.conf file, as I am not
sure where exactly to add "default_eap_type = peap".

As you suggested in your last message, I should do
"peap" and "mschapv2" inside of TLS. I tried to put
"default_eap_type = peap" under tls like this, but I
still got the errors shown above in the radiusd -X log.

Here is my eap.conf,

eap {
    default_eap_type = tls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    tls {
        default_eap_type = peap #### I added this line here ##

        private_key_password = whatever
        private_key_file = /etc/1x/khurram.pem
        certificate_file = /etc/1x/khurram.pem
        CA_file = /etc/1x/root.pem
        dh_file = /etc/1x/DH
        random_file = /etc/1x/random
        fragment_size = 1024

        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = no
            proxy_tunneled_request_as_eap = yes
        }

        mschapv2 {
        }
    }
}


I wonder where exactly I should add this
"default_eap_type = peap", and whether "default_eap_type =
mschapv2" is in the right place in eap.conf or not.
I am also not sure if this is the source of the
problem. Your help in this regard will be
highly appreciated.

Best Regards

//Khurram

Khurram Jahangir <[EMAIL PROTECTED]> wrote:
> I am a new user on this mailing list and I am facing
> some problems while trying to use PEAP and
> freeradius.

  Ok...

> modcall: entering group Auth-Type for request 8
>   rlm_mschap: No MS-CHAP-Challenge in the request

  You set "Auth-Type := MS-CHAP". DON'T DO THAT.

> I tried it without mentioning any Auth-Type and then
> the server takes it as CHAP by default and it works.

  Only if the client sends CHAP requests.  If it sends
EAP requests,
then EAP would work.

> In eap.conf, under eap, if I change "default_eap_type"
> to peap, then I get the following error while running
> Radiusd and it crashes
> 
> rlm_eap: Loaded and initialized type tls
> rlm_eap: No such sub-type for default EAP type peap
> radiusd.conf[9]: eap: Module instantiation failed.

  Yes... you edited the default "eap.conf" to break
it.  You put
"peap" and "mschapv2" inside of the "tls" section. 
They are NOT in
the tls section in the default eap.conf.

  Alan DeKok.
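The eap.conf layout Alan's reply describes, written out as an added example (it is not config from either message): "peap" and "mschapv2" are siblings of "tls" directly under "eap", and "default_eap_type = peap" sits at the "eap" level, not inside "tls". The file paths and the private key password are taken from the posted radiusd -X output purely as placeholders; substitute your own. The "tls" section stays, because PEAP runs MSCHAPv2 inside the TLS tunnel that this section configures.

```conf
eap {
    # Offer PEAP first, so the supplicant does not have to NAK
    # EAP-TLS and ask for type 25 (the "EAP-NAK asked for
    # EAP-Type/peap" / "No such EAP type peap" lines in the log).
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    # Outer TLS tunnel used by both EAP-TLS and PEAP.
    tls {
        private_key_password = whatever      # placeholder from the log
        private_key_file = /etc/1x/khurram.pem
        certificate_file = /etc/1x/khurram.pem
        CA_file = /etc/1x/root.pem
        dh_file = /etc/1x/DH
        random_file = /etc/1x/random
        fragment_size = 1024
        include_length = yes
    }

    # Must be a sibling of tls, not nested inside it; otherwise the
    # eap module reports "No such sub-type for default EAP type peap"
    # and fails to instantiate.
    peap {
        # Inner method carried inside the tunnel.
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
    }

    # The inner method also has to be loaded as its own sub-type.
    mschapv2 {
    }
}
```

Two practical checks: after editing, run radiusd -X again and confirm the startup section now shows "rlm_eap: Loaded and initialized type peap" and "... type mschapv2" alongside tls; and note that radiusd -X prints "tls: private_key_password" in clear (it appears verbatim in the log above), so that value should be rotated or scrubbed before a debug log is posted to a public list.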



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html