On Wed, 2007-08-29 at 11:41 -0500, John C. Koen wrote:
> I am running freeradius-1.0.4 on SLES10, XP supplicant and Cisco Aironet 1200
> AP.
>
> My goal is to authenticate against the "users" file and use WEP with eap-tls.
> I am trying to support Windows CE, and PEAP is not an option.
There's so much wrong I don't know where to begin.

> users:
> 0213dec2114a Auth-Type:=Accept
>         Service-Type = Framed-User,
>         Tunnel-Private-Group-ID := 116,
>         Tunnel-Medium-Type := IEEE-802

This looks like a mac-address-based authentication, not EAP. You can't force Auth-Type to Accept for EAP. EAP is a challenge-response protocol, and the server needs to do its thing for the client to function. Remove the Auth-Type if you're trying to do EAP.

Please also be aware that most NASes will require the "Tunnel-Type = VLAN" reply attribute for VLAN assignment.

> eap.conf:
> eap {
>         default_eap_type = tls
>         tls {
>                 private_key_password = secret
>                 private_key_file = ${raddbdir}/certs/private/radius.key
>                 certificate_file = /etc/raddb/certs/radius.crt
>
>                 # Trusted Root CA list
>                 CA_file = /etc/raddb/certs/CA.crt
>
>                 dh_file = ${raddbdir}/certs/dh
>                 random_file = /etc/raddb/certs/random
>                 fragment_size = 1024
>                 include_length = yes
>         }
> }
>
> radiusd.conf:
> authorize {
>         auth_log
>         files
>         eap
> }
>
> authenticate {
>         eap
> }
>
> I have uploaded both the CA and certificate file to the supplicant, as
> trusted certificates. For some reason, I continue to see the balloon from
> windows indicating that a valid certificate could not be found for comparison.
> I have followed the PDF instructions found in EAPTLS.pdf.
>
> Here is a sample of my radiusd -X -s logs:
>
> rad_recv: Access-Request packet from host 192.168.214.99:1645, id=39, length=115
>         User-Name = "0213dec2114a"
>         User-Password = "Qp\203e\206%\010`\256\243\203u;\362\321\017"
>         Called-Station-Id = "0014.6a73.6110"
>         Calling-Station-Id = "0213.dec2.114a"
>         Service-Type = Login-User
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 551
>         NAS-IP-Address = 192.168.214.99
>         NAS-Identifier = "AP-99"

This is not an EAP authentication; your NAS (wireless AP) is not doing EAP. Make it do EAP if you want to do EAP.

> rad_rmspace_pair: User-Password now 'Qp?d?%?`?u;?'
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
>   radius_xlat: '/var/log/radius/radius-MAC/radacct/auth-detail-20070829'
> rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct//auth-detail-20070829
>   modcall[authorize]: module "auth_log" returns ok for request 2
>     users: Matched entry 0213dec2114a at line 38
>   modcall[authorize]: module "files" returns ok for request 2
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 2
> modcall: group authorize returns ok for request 2
>   rad_check_password: Found Auth-Type Accept
>   rad_check_password: Auth-Type = Accept, accepting the user
> Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 2
>   radius_xlat: '/var/log/radius/radius-MAC/radacct/reply-detail-20070829'
> rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct/reply-detail-20070829
>   modcall[post-auth]: module "reply_log" returns ok for request 2
> modcall: group post-auth returns ok for request 2
> Sending Access-Accept of id 39 to 192.168.214.99:1645
>         Service-Type = Framed-User
>         Tunnel-Private-Group-Id:0 := "116"
>         Tunnel-Medium-Type:0 := IEEE-802
> Finished request 2
> Going to the next request
> --- Walking the entire request list ---
>
> ...this transaction is repeated over and over and over again.
>
> I have also tried commenting out all instances of "eap" from radiusd.conf,
> hoping to do non-wep mac address authentication, as a last effort. I then remove
> WEP support from the supplicant and Cisco AP.
> While freeradius reports "access-accept", the supplicant hangs on obtaining an
> ip address (with no related logs shown on my dhcp server) and the cisco AP
> reports "GMT: %DOT11-7-AUTH_FAILED: Station 0213.dec2.114a Authentication failed"
>
> --johnk
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
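An added checker (my example, not code from this thread or from FreeRADIUS) that parses entries in the 1.x "users" file syntax quoted above and flags the two points raised in the reply: a check item of Auth-Type := Accept, under which the EAP module never gets to run, and a Tunnel-Private-Group-ID reply with no Tunnel-Type = VLAN. The sample entries, the second MAC address and the function names are my own; the first sample entry mirrors the one quoted in the thread.

```python
import re
# Constructed sample in FreeRADIUS "users" syntax: the first entry mirrors the one
# quoted in the thread; the second is a made-up MAC entry with Tunnel-Type present.
SAMPLE_USERS = """\
0213dec2114a Auth-Type := Accept
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID := 116,
        Tunnel-Medium-Type := IEEE-802

"00aabbccddee" Cleartext-Password := "secret"
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-ID := 20
"""
# One "Attribute op value" pair; longer operators first so "==" wins over "=".
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=~|!~|>=|<=|=|>|<)\s*("[^"]*"|\S+)')
def parse_pairs(text):
    """Split 'Attr op value, ...' into (attr, op, value) tuples (no commas in values)."""
    pairs = []
    for chunk in filter(None, (c.strip() for c in text.split(','))):  # skip trailing ','
        m = PAIR_RE.fullmatch(chunk)
        if not m:
            raise ValueError(f"cannot parse pair: {chunk!r}")
        pairs.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return pairs

def parse_users(text):
    """[(name, check_items, reply_items)]: unindented line = new entry, indented = replies."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        if not raw[0].isspace():
            name, _, rest = line.partition(' ')
            entries.append((name.strip('"'), parse_pairs(rest), []))
        else:
            entries[-1][2].extend(parse_pairs(line))
    return entries

def lint(entries):
    """Flag a forced Accept (EAP cannot run) and a VLAN reply missing Tunnel-Type."""
    warnings = []
    for name, check, reply in entries:
        if ('auth-type', ':=', 'accept') in {(a.lower(), op, v.lower()) for a, op, v in check}:
            warnings.append(f"{name}: Auth-Type := Accept skips authentication, EAP cannot complete")
        reply_attrs = {a.lower() for a, _, _ in reply}
        if 'tunnel-private-group-id' in reply_attrs and 'tunnel-type' not in reply_attrs:
            warnings.append(f"{name}: VLAN reply lacks Tunnel-Type = VLAN")
    return warnings
```

Running `lint(parse_users(SAMPLE_USERS))` reports both problems for the first entry and nothing for the second.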