> have you tested from a non windows box to ensure that you havent fallen foul > of the usual EAP problems - as clearly noted at the top of eap.conf? No, I am not able to do so as i do not have an extra box's. I have searched through all configurations to make sure that 'Auth-Type := EAP' is not set as stated in the eap.conf ______________________ eap.conf ______________________ eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no # Supported EAP-types md5 { } # Cisco LEAP leap { } # Generic Token Card. gtc { #challenge = "Password: " auth_type = PAP } ## EAP-TLS tls { private_key_password = demo private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt CA_file = ${certsdir}/FreeRADIUS.net-CA.crt dh_file = ${certsdir}/dh random_file = ${certsdir}/random # fragment_size = 1024 # include_length = yes # check_crl = yes check_cert_cn = %{User-Name} } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes } peap { default_eap_type = mschapv2 } mschapv2 { } } ------------------------------------------------------------------------ I am not using LDAP or a Windows Domain Controller. I am using the users.conf file for this. ______________ eap.conf ________________ 53986067 User-Password := "whatever" #53986067 Cleartext-Password := "whatever" testuser User-Password == "testpw" DEFAULT Auth-Type = System Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP ----------------------------------------------------------------------------------------------- _______________ radiusd.conf ________________ prefix = .. 
exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct certsdir = ${sysconfdir}/raddb/certs/FreeRADIUS.net/DemoCerts confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid #user = nobody #group = nobody max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { auto_header = yes } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { #use_mppe = no #require_encryption = yes #require_strong = yes with_ntdomain_hack = yes #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # 
tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # password_attribute = userPassword # edir_account_policy_check=no # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # set_auth_type = yes } #passwd etc_smbpasswd { # filename = /etc/smbpasswd # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" # authtype = MS-CHAP # hashsize = 100 # ignorenislike = no # allowmultiplekeys = no #} #passwd etc_group { # filename = /etc/group # format = "=Group-Name:::*,User-Name" # hashsize = 50 # ignorenislike = yes # allowmultiplekeys = yes # delimiter = ":" #} realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string #notfound-reject = no } #attr_rewrite sanecallerid { # attribute = Called-Station-Id # may be "packet", "reply", "proxy", "proxy_reply" or "config" # searchin = packet # searchfor = "[+ ]" # replacewith = "" # ignore_case = no # new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended to the original string # append = no #} preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints 
with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log detailperm = 0777 #suppress { # User-Password #} } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.log detailperm = 0777 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d.log detailperm = 0777 } detail pre_proxy_log { detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d.log detailperm = 0777 } detail post_proxy_log { detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d.log detailperm = 0777 } # sql_log { # path = ${radacctdir}/sql-relay # acct_table = "radacct" # postauth_table = "radpostauth" # # Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ # NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ # AcctSessionTime, AcctTerminateCause) VALUES \ # ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ # '%{Framed-IP-Address}', '%S', '0', '0', '');" # Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ # NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ # AcctSessionTime, AcctTerminateCause) VALUES \ # ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ # '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ # '%{Acct-Terminate-Cause}');" # Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ # NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ # AcctSessionTime, AcctTerminateCause) VALUES \ # ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ # '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" # # Post-Auth = "INSERT INTO ${postauth_table} \ # (user, pass, reply, date) VALUES \ # ('%{User-Name}', 
'%{User-Password:-Chap-Password}', \ # '%{reply:Packet-Type}', '%S');" # } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0777 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0777 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } #sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = daily # For mysql: # query = "SELECT SUM(AcctSessionTime - \ # GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ # FROM radacct WHERE UserName='%{%k}' AND \ # UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" # For postgresql: # query = "SELECT SUM(AcctSessionTime - \ # GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \ # FROM radacct WHERE UserName='%{%k}' AND \ # AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'" # For mysql: # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ # UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')" # For postgresql: # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ # UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'" # For mysql: # query = "SELECT SUM(AcctSessionTime) FROM radacct \ # WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \ # FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" # For postgresql: # query = "SELECT SUM(AcctSessionTime) FROM radacct \ # WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \ # BETWEEN '%b' AND '%e'" # } # sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session 
reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ # GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ # FROM radacct WHERE UserName='%{%k}' AND \ # UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ # UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')" # query = "SELECT SUM(AcctSessionTime) FROM radacct \ # WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \ # FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" # } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply #packet_type = Access-Accept } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } # $INCLUDE ${confdir}/sqlippool.conf # $INCLUDE ${confdir}/otp.conf } instantiate { exec expr # daily } authorize { preprocess auth_log # attr_filter chap mschap # digest # IPASS suffix # ntdomain eap files # sql # etc_smbpasswd # ldap # daily # checkval pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # digest # pam unix # Auth-Type LDAP { # ldap # } eap } preacct { preprocess acct_unique # IPASS suffix # ntdomain files } accounting { detail daily unix radutmp # sradutmp # main_pool # sql # sql_log # pgsql-voip } session { radutmp # sql } post-auth { # main_pool reply_log # sql # sql_log # ldap # Post-Auth-Type REJECT { # insert-module-name-here # } } pre-proxy { # attr_rewrite # files pre_proxy_log } post-proxy { post_proxy_log # attr_rewrite # attr_filter eap } -------------------------------------------------------- I still get the same results from the debug 
______________ debug -------------------- rad_recv: Access-Request packet from host 10.219.157.232:20000, id=63, length=149 NAS-Port-Id = "2/1" Calling-Station-Id = "00-0F-CB-FA-D4-63" Called-Station-Id = "00-18-6E-95-A2-C0:ELHC" Service-Type = Framed-User EAP-Message = 0x0201001401434e393030305c3533393836303637 User-Name = "CN9000\\53986067" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 10.219.157.232 Message-Authenticator = 0x9e21864de4c626d3cfdac3077ceda7bb Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log' rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "53986067", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry 53986067 at line 84 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. 
rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 63 to 10.219.157.232 port 20000 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 63 with timestamp 46f0d4b4 Nothing to do. Sleeping until we see a request. ---------------------------------------------------------------------------------------------------------------------------------------- if so, then I would be concerned by this in the debug:
> modcall: entering group authenticate for request 0 > rlm_eap: Identity does not match User-Name, setting from EAP Identity. > rlm_eap: Failed in handler > modcall[authenticate]: module "eap" returns invalid for request 0 > modcall: leaving group authenticate (returns invalid) for request 0 > auth: Failed to validate the user. > Login incorrect: [53986067/<no User-Password attribute>] (from client > elhc-network port 0 cli 00-0F-CB-FA-D4-63) what are you doing with the User-Name and/or identity? you can't play with those packets as it breaks EAP. the debug also looks worryingly short. you should post the whole debug. also, HOW are you authenticating the users? you don't have ntlm_auth set and LDAP doesn't seem to be doing anything... I fear very very much that you have some Auth-Type := EAP in your users file or something worse! please post your config files. oh, and don't hurry, i'm certainly not demanding an urgent response. alan