You haven't configured PEAP in eap.conf. You need to configure the tls and peap sections. You will also need a server certificate and to export the root certificate to XP clients (if you are signing them yourself). Read the instructions in eap.conf, /scripts, the wiki (about EAP) and the howto for AD integration before doing anything.

Ivan Kalik
Kalik Informatika ISP

On 30/10/2007, "Doc. Caliban" <[EMAIL PROTECTED]> wrote:

>Hello,
>
>I hate to ask this, but I'm running out of time on this project and I'm
>completely new to RADIUS. I would be really happy if someone could just
>point me to a detailed HOW TO for what I need.
>
>I have freeRADIUS set up with an external MySQL user database and it's
>successfully authorizing requests from NTRadPing.
>
>Now I need to actually try it out "In the field". I need people running
>XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL
>database that I have set up.
>
>So far I'm not having any luck, and I don't mind saying that I'm a
>little over my head at this point. Someone familiar with this will
>probably see glaring problems.
>
>I will provide all the details I can think of, but please let me know if
>you need more.
>
>Server:
>FreeRADIUS 1.1.7 with MySQL module.
>
>Database:
>Remote MySQL
>
>Access Point:
>D-Link DWL-7100AP (Ciscos coming in January)
>WPA-EAP
>TKIP
>
>Client Laptop:
>WPA Enterprise
>TKIP
>PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
>MS-CHAP-V2 (Other options: GTC, TLS)
>
>
>I set up an AP to use RADIUS, and the requests get through to the RADIUS
>server, but they always fail. Posted below is the debug output from the
>failed attempt.
>
>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0,
>> length=193
>> Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
>> Service-Type = Framed-User
>> User-Name = "testuser"
>> Framed-MTU = 1488
>> Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>> Calling-Station-Id = "00-1B-77-28-B3-CF"
>> NAS-Identifier = "D-Link Access Point"
>> NAS-Port-Type = Wireless-802.11
>> Connect-Info = "CONNECT 54Mbps 802.11a"
>> EAP-Message = 0x0200000b01746261727468
>> NAS-IP-Address = 192.168.0.1
>> NAS-Port = 1
>> NAS-Port-Id = "STA port # 1"
>> rad_lowerpair: User-Name now 'testuser'
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>> modcall[authorize]: module "preprocess" returns ok for request 0
>> modcall[authorize]: module "chap" returns noop for request 0
>> modcall[authorize]: module "mschap" returns noop for request 0
>> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> modcall[authorize]: module "suffix" returns noop for request 0
>> rlm_eap: EAP packet type response id 0 length 11
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> modcall[authorize]: module "eap" returns updated for request 0
>> radius_xlat: 'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radcheck WHERE Username = 'testuser' ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 4
>> radius_xlat: 'SELECT
>> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radreply WHERE Username = 'testuser' ORDER BY id'
>> radius_xlat: 'SELECT
>> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 4
>> modcall[authorize]: module "sql" returns ok for request 0
>> rlm_pap: Found existing Auth-Type, not changing it.
>> modcall[authorize]: module "pap" returns noop for request 0
>> modcall: leaving group authorize (returns updated) for request 0
>> rad_check_password: Found Auth-Type EAP
>> auth: type "EAP"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>> rlm_eap: EAP Identity
>> rlm_eap: processing type md5
>> rlm_eap_md5: Issuing Challenge
>> modcall[authenticate]: module "eap" returns handled for request 0
>> modcall: leaving group authenticate (returns handled) for request 0
>> Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
>> Framed-Protocol := PPP
>> Service-Type := Framed-User
>> Framed-MTU := 1500
>> Framed-Compression := Van-Jacobson-TCP-IP
>> EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
>> Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
>> Finished request 0
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
>> length=206
>> Message-Authenticator = 0xc9926863cf3df06ac150bbb6f77208eb
>> Service-Type = Framed-User
>> User-Name = "testuser"
>> Framed-MTU = 1488
>> State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
>> Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>> Calling-Station-Id = "00-1B-77-28-B3-CF"
>> NAS-Identifier = "D-Link Access Point"
>> NAS-Port-Type = Wireless-802.11
>> Connect-Info = "CONNECT 54Mbps 802.11a"
>> EAP-Message = 0x020100060319
>> NAS-IP-Address = 192.168.0.1
>> NAS-Port = 1
>> NAS-Port-Id = "STA port # 1"
>> rad_lowerpair: User-Name now 'testuser'
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 1
>> modcall[authorize]: module "preprocess" returns ok for request 1
>> modcall[authorize]: module "chap" returns noop for request 1
>> modcall[authorize]: module "mschap" returns noop for request 1
>> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> modcall[authorize]: module "suffix" returns noop for request 1
>> rlm_eap: EAP packet type response id 1 length 6
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> modcall[authorize]: module "eap" returns updated for request 1
>> radius_xlat: 'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radcheck WHERE Username = 'testuser' ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 3
>> radius_xlat: 'SELECT
>> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radreply WHERE Username = 'testuser' ORDER BY id'
>> radius_xlat: 'SELECT
>> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 3
>> modcall[authorize]: module "sql" returns ok for request 1
>> rlm_pap: Found existing Auth-Type, not changing it.
>> modcall[authorize]: module "pap" returns noop for request 1
>> modcall: leaving group authorize (returns updated) for request 1
>> rad_check_password: Found Auth-Type EAP
>> auth: type "EAP"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 1
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP NAK
>> rlm_eap: EAP-NAK asked for EAP-Type/peap
>> rlm_eap: No such EAP type peap
>> rlm_eap: Failed in EAP select
>> modcall[authenticate]: module "eap" returns invalid for request 1
>> modcall: leaving group authenticate (returns invalid) for request 1
>> auth: Failed to validate the user.
>> Delaying request 1 for 1 seconds
>> Finished request 1
>> Going to the next request
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
>> length=206
>> Sending Access-Reject of id 1 to 192.168.0.1 port 1030
>> EAP-Message = 0x04010004
>> Message-Authenticator = 0x00000000000000000000000000000000
>
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
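
An added example, not part of the original thread: a small Python decoder for three of the EAP-Message values in the debug output above. It shows that the server offered EAP-MD5 and the client's Nak asked for type 25 (PEAP), which is what the "No such EAP type peap" line reports. The function names are hypothetical; the type numbers come from RFC 3748 and the IANA EAP registry.

```python
import struct

# EAP codes and a few method types (RFC 3748 / IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST"}

# EAP-Message values copied from the debug output quoted above.
CHALLENGE = "0x0101001604104e273ea966f4fb77466b296f9c607385"  # server -> client
NAK = "0x020100060319"                                        # client -> server
FAILURE = "0x04010004"                                        # server -> client


def parse_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd prints."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:          # only Request/Response carry a type
        etype, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 3:                         # Nak: list of methods the peer accepts
            pkt["wants"] = [EAP_TYPES.get(t, t) for t in data]
        elif etype == 4 and data:              # MD5: value-size byte, then challenge
            pkt["challenge"] = data[1:1 + data[0]].hex()
    return pkt


def diagnose(offer_hex, nak_hex):
    """Explain a method mismatch between the server's offer and the peer's Nak."""
    offer, nak = parse_eap(offer_hex), parse_eap(nak_hex)
    if nak.get("type") != "Nak":
        return "peer accepted the offered method"
    return (f"server offered {offer['type']}, peer refused and wants "
            f"{'/'.join(map(str, nak['wants']))}")


if __name__ == "__main__":
    for name, value in (("challenge", CHALLENGE), ("nak", NAK), ("failure", FAILURE)):
        print(name, parse_eap(value))
    print(diagnose(CHALLENGE, NAK))
```
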