Hi all, I've try to setup a new freeradius server for my wireless users using WPA/WPA2 with 802.1x authentication. all the clients are using secureW2 to login. FYI, I've another freeradius which is currently run for EAPOL (802.1x over L2 switch) with EAP-MD5 and it is working fine for me. After trying for 2 weeks, I'm still cannot do EAP-TTLS with PAP for wireless. However, if I configure secureW2 to user EAP-TTLS with EAP-MD5 as inner tunnel, the user is able to authenticate.You may find my config as below. Looking for your kind assistance... thanks. radius.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd goup = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = clear } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { } ldap ldap_1x { server = "localhost" identity = "cn=Manager,dc=." password = xxxxxxx basedn = "dc=ocesb,dc=com,dc=my,dc=." filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword groupname_attribute = radiusGroupName groupmembership_attribute = radiusGroupName groupmembership_filter = "(objectclass=radiusprofile)" timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap files # sql Autz-Type LDAP1 { ldap_1x } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix #Auth-Type LDAP { # ldap # } # Auth-Type LDAP1 { # ldap_1x # } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql1 sql2 } session { radutmp sql1 } post-auth { } pre-proxy { } post-proxy { eap } eap.conf eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes check_crl = yes check_cert_cn = %{User-Name} } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } } users DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP DEFAULT Realm == "ocesb.com.my", Autz-Type := LDAP1, Auth-Type := LDAP1 user.ldif dn: uid=user, ou=People, dc=ocesb, dc=com, dc=my, dc=. mailLocalAddress: [EMAIL PROTECTED] givenName: Tan Chee accountStatus: active radiusClass: 0x01 objectClass: inetLocalMailRecipient objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: radiusprofile objectClass: qmailUser objectClass: posixAccount objectClass: top objectClass: shadowAccount mailRoutingAddress: [EMAIL PROTECTED] mailQuotaSize: 2000000000 shadowLastChange: 12745 userPassword:: xxxxxx mailMessageStore: vmail/ocesb.com.my/user/Maildir/ uid: user mail: [EMAIL PROTECTED] uidNumber: 5000 cn: Tan Chee Keong dialupAccess: Yes loginShell: /bin/false gidNumber: 5000 shadowMax: 99999 gecos: Tan Chee Keong mailHost: mailpj.ocesb.com.my homeDirectory: /home/vmail/ocesb.com.my/user sn: Keong |
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html