Dear all,

We, well, I shouldn't say we, I got stuck on this project of building a RADIUS server for stopping some user NFS mounts from MAC/IP spoofing on Linux. We are hoping for wired dot1x for the RADIUS server.

[EMAIL PROTECTED] raddb]# rpm -qa | grep freeradius
freeradius-mysql-1.0.4-1.FC4.1
freeradius-1.0.4-1.FC4.1
freeradius-postgresql-1.0.4-1.FC4.1
freeradius-unixODBC-1.0.4-1.FC4.1

We have a Cisco 2950 switch running Linux's FreeRADIUS; the clients will be Linux boxes and Windows boxes. I actually got it to work before on Red Hat Enterprise Linux 3, but then it doesn't work anymore. I am using a certificate to authenticate to the RADIUS server, EAP/TTLS. Got it to work before, then copied the config to a different server, and it doesn't work anymore. I am using pk12 for the Windows keys; I also got the pk12 to work on Linux's xsupplicant.

[EMAIL PROTECTED] raddb]# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/raddb"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/etc/raddb"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = yes
 main: log_stripped_names = yes
 main: log_file = "/var/log/raddb/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "nobody"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/raddb/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "/etc/raddb/certs"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/masterkeys/server_keycert.pem"
 tls: certificate_file = "/etc/raddb/certs/masterkeys/server_keycert.pem"
 tls: CA_file = "/etc/raddb/certs/masterkeys/cacert.pem"
 tls: private_key_password = "******"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = "/etc/raddb/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

rad_recv: Access-Request packet from host 130.95.x.25:1812, id=6, length=147
        NAS-IP-Address = 130.95.x.25
        NAS-Port = 50002
        NAS-Port-Type = Ethernet
        User-Name = "host/CSSE Client"
        Called-Station-Id = "00-16-C7-12-AE-C2"
        Calling-Station-Id = "00-50-BA-7E-22-7C"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0200001501686f73742f4353534520436c69656e74
        Message-Authenticator = 0xe66215ebe693583af7e7a74ffef7d4cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_eap: EAP packet type response id 0 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 6 to 130.95.x.25:1812
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x468e8ff532b828abe82e074e9954e6fc
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 130.95.x.25:1812, id=7, length=224
        NAS-IP-Address = 130.95.x.25
        NAS-Port = 50002
        NAS-Port-Type = Ethernet
        User-Name = "host/CSSE Client"
        Called-Station-Id = "00-16-C7-12-AE-C2"
        Calling-Station-Id = "00-50-BA-7E-22-7C"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x468e8ff532b828abe82e074e9954e6fc
        EAP-Message = 0x020100500d800000004616030100410100003d0301442c9afc9dea1262e7e0a4de122b8f69
                      c8a00c354a7c7b670e3991cbb65396c500001600040005000a00090064006200030006001300
                      1200630100
        Message-Authenticator = 0x63a3a87e538a38b1ef9782fd0f6cb826
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  rlm_eap: EAP packet type response id 1 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 02cb], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a9], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 7 to 130.95.x.25:1812
        EAP-Message = 0x010203d70d80000003cd160301004a020000460301442c9accea2351dd63f780655aaa8056
                      5a0f88362ecfadcc5fb500a4a21c70212042be4fa4618018294a134f8019f92b218025b2e45c
                      eeae8604cff81ad1312ea100040016030102cb0b0002c70002c40002c1308202bd30820226a0
                      03020102020101300d06092a864886f70d0101040500308197310b3009060355040613024155
                      310b3009060355040813025741310e300c060355040713055045525448310c300a060355040a
                      1303555741310d300b060355040b130443535345312630240603550403131d7261646975732d
                      7365727665722e637373652e7577612e6564752e617531263024
        EAP-Message = 0x06092a864886f70d0109011617737570706f727440637373652e7577612e6564752e617530
                      1e170d3036303333303037353832385a170d3037303333303037353832385a308197310b3009
                      060355040613024155310b3009060355040813025741310e300c060355040713055045525448
                      310c300a060355040a1303555741310d300b060355040b130443535345312630240603550403
                      131d7261646975732d7365727665722e637373652e7577612e6564752e61753126302406092a
                      864886f70d0109011617737570706f727440637373652e7577612e6564752e617530819f300d
                      06092a864886f70d010101050003818d00308189028181009eed
        EAP-Message = 0x0d14ac1f27a76de23f02b065887b6e10f8122a3516a023db9bf070de3782f2979c674ce799
                      6ffa4a49c8d0dbd29a49a1e534da62ba535b8d245262e18852192fbb376464776f8e3f3afe23
                      c2e8d432bd00f73281b296293da081080d58901a9d3daacac45ec8e83be3485044054d8b1444
                      5751cf5c497523c0f322d14b7f0203010001a317301530130603551d25040c300a06082b0601
                      0505070301300d06092a864886f70d010104050003818100d5d6082cabbbe853812b0395b4f0
                      b589ff7e7bd6e2be72f7d5684027a4fb9354a293c3a2963f77689b1bb55c7d39c8d6d85f18d5
                      fba53bb6f47299c5d4c3cca09d2bf5ac7b1d6c23469f4b586829
        EAP-Message = 0xbe08cd401b76724fb6c95da6ea38d1207711de4241c30db480d766dbea06c9549bccb10e77
                      c9841f4249e021c71b23ac21ff16030100a90d0000a1020102009c009a308197310b30090603
                      55040613024155310b3009060355040813025741310e300c060355040713055045525448310c
                      300a060355040a1303555741310d300b060355040b130443535345312630240603550403131d
                      7261646975732d7365727665722e637373652e7577612e6564752e61753126302406092a8648
                      86f70d0109011617737570706f727440637373652e7577612e6564752e61750e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbea1a78423928831b0f8befbe6e01f2b
Finished request 1
Going to the next request
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 130.95.x.25:1812, id=8, length=150
        NAS-IP-Address = 130.95.x.25
        NAS-Port = 50002
        NAS-Port-Type = Ethernet
        User-Name = "host/CSSE Client"
        Called-Station-Id = "00-16-C7-12-AE-C2"
        Calling-Station-Id = "00-50-BA-7E-22-7C"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xbea1a78423928831b0f8befbe6e01f2b
        EAP-Message = 0x020200060d00
        Message-Authenticator = 0x9c6a5c72722c135212a282ae89f03a58
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
modcall: group authorize returns updated for request 2
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 8 to 130.95.x.25:1812
        EAP-Message = 0x0103000a0d8000000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x29148f4232b7bd94658abe9cb6bd0933
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 6 with timestamp 442c9acc
Cleaning up request 1 ID 7 with timestamp 442c9acc
Cleaning up request 2 ID 8 with timestamp 442c9acc
Nothing to do. Sleeping until we see a request.

Many thanks in advance

Sam Tie

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
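The EAP-Message attributes in a `radiusd -X` trace are raw EAP packets in hex, and decoding their EAP-TLS header (code, identifier, type 13, the L/M/S flags and the optional four-byte TLS length) tells you which step of the handshake each message carries without guessing from the surrounding module chatter. The script below is an added example and is not code from the post or from the FreeRADIUS project. It decodes a log excerpt constructed from the EAP-Message values quoted in the post (the large Access-Challenge of id 7, which is split across four attributes, is left out for brevity), and for unfragmented frames it walks the TLS records to name the handshake messages and list a ClientHello's offered cipher suites. The names `EapFrame`, `decode_eap`, `parse_handshake` and `walk_debug_log` are the example's own. Run on the excerpt it shows that the supplicant's reply in request id=8 (EAP identifier 2) is a zero-length EAP-TLS ACK carrying no TLS data, not a fragment with a client Certificate, which is consistent with the server stopping at `read client certificate A`.

```python
"""Decode the EAP-Message attributes that 'radiusd -X' prints (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # EAP-TLS flags: Length included, More, Start
TLS_HANDSHAKE = 0x16
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                   15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}

# Constructed excerpt: EAP-Message values copied from the post, hex continuation
# lines joined. The four-attribute Access-Challenge of id 7 is omitted.
CLIENT_HELLO_HEX = ("020100500d800000004616030100410100003d0301442c9afc9dea1262e7e0a4de122b8f69"
                    "c8a00c354a7c7b670e3991cbb65396c500001600040005000a00090064006200030006001300"
                    "1200630100")
SAMPLE_LOG = f"""\
rad_recv: Access-Request packet from host 130.95.x.25:1812, id=6, length=147
        EAP-Message = 0x0200001501686f73742f4353534520436c69656e74
Sending Access-Challenge of id 6 to 130.95.x.25:1812
        EAP-Message = 0x010100060d20
rad_recv: Access-Request packet from host 130.95.x.25:1812, id=7, length=224
        EAP-Message = 0x{CLIENT_HELLO_HEX}
rad_recv: Access-Request packet from host 130.95.x.25:1812, id=8, length=150
        EAP-Message = 0x020200060d00
Sending Access-Challenge of id 8 to 130.95.x.25:1812
        EAP-Message = 0x0103000a0d8000000000
"""


@dataclass
class EapFrame:
    code: str
    identifier: int
    length: int
    eap_type: Optional[int]
    flags: str = ""                      # subset of "LMS"
    tls_length: Optional[int] = None     # only present when the L flag is set
    payload: bytes = b""
    handshake: List[str] = field(default_factory=list)
    cipher_suites: List[int] = field(default_factory=list)

    @property
    def kind(self) -> str:
        """One-line classification of what this frame carries."""
        if self.eap_type == EAP_TYPE_IDENTITY:
            return "Identity(%s)" % self.payload.decode("ascii", "replace")
        if self.eap_type != EAP_TYPE_TLS:
            return "EAP type %s" % self.eap_type
        if "S" in self.flags:
            return "EAP-TLS Start"
        if not self.payload:
            return "EAP-TLS ACK (no TLS data)"   # peer sent no TLS bytes at all
        return "EAP-TLS fragment: " + ", ".join(self.handshake or ["(non-handshake record)"])


def parse_handshake(data: bytes) -> Tuple[List[str], List[int]]:
    """Walk TLS records in an unfragmented EAP-TLS payload; name each handshake message."""
    names, suites, pos = [], [], 0
    while pos + 5 <= len(data):
        rec_type, rec_len = data[pos], int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if rec_type != TLS_HANDSHAKE:
            names.append("record type 0x%02x" % rec_type)
            continue
        hp = 0
        while hp + 4 <= len(body):
            hs_type = body[hp]
            hs_len = int.from_bytes(body[hp + 1:hp + 4], "big")
            hs_body = body[hp + 4:hp + 4 + hs_len]
            names.append(HANDSHAKE_NAMES.get(hs_type, "handshake type %d" % hs_type))
            if hs_type == 1 and len(hs_body) >= 35:
                # ClientHello: version(2) random(32) session_id(1+n) cipher_suites(2+m) ...
                cs_start = 35 + hs_body[34]
                cs_len = int.from_bytes(hs_body[cs_start:cs_start + 2], "big")
                cs = hs_body[cs_start + 2:cs_start + 2 + cs_len]
                suites = [int.from_bytes(cs[i:i + 2], "big") for i in range(0, len(cs), 2)]
            hp += 4 + hs_len
    return names, suites


def decode_eap(hexstr: str) -> EapFrame:
    """Decode one EAP packet given as the hex printed after 'EAP-Message = 0x'."""
    h = hexstr.strip().replace(" ", "")
    raw = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    frame = EapFrame(EAP_CODES.get(code, str(code)), ident, length, raw[4] if length > 4 else None)
    if frame.eap_type == EAP_TYPE_TLS:
        flags = raw[5]
        frame.flags = "".join(n for n, bit in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S)) if flags & bit)
        pos = 6
        if flags & FLAG_L:
            frame.tls_length, pos = int.from_bytes(raw[6:10], "big"), 10
        frame.payload = raw[pos:length]
        if frame.payload and not flags & FLAG_M:     # complete TLS records, safe to walk
            frame.handshake, frame.cipher_suites = parse_handshake(frame.payload)
    elif frame.eap_type is not None:
        frame.payload = raw[5:length]
    return frame


def walk_debug_log(text: str) -> List[str]:
    """Summarise every EAP-Message attribute found in radiusd -X output."""
    out = []
    for m in re.finditer(r"EAP-Message = 0x([0-9a-fA-F]+)", text):
        f = decode_eap(m.group(1))
        out.append("%s id=%d flags=%s -> %s" % (f.code, f.identifier, f.flags or "-", f.kind))
    return out


if __name__ == "__main__":
    for line in walk_debug_log(SAMPLE_LOG):
        print(line)
    print("ClientHello cipher suites:", ["0x%04x" % s for s in decode_eap(CLIENT_HELLO_HEX).cipher_suites])
```

A packet that FreeRADIUS prints as several consecutive EAP-Message attributes (the id 7 challenge above) is one EAP packet split to fit RADIUS's 253-byte attribute limit; join those attribute values before passing them to `decode_eap`. Decoding that challenge header gives flags L without M, so the server considered the handshake flight complete and expected the client's Certificate next; a Response with no flags and no data at that point means the supplicant returned nothing, which is the first thing to check on the client side. The ClientHello's suite list is also worth a look in its own right: it includes the 40/56-bit export suites 0x0003, 0x0006, 0x0062 and 0x0064 alongside RC4 and single DES, a snapshot of 2006-era defaults that a modern server should refuse.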