2008/1/10, [EMAIL PROTECTED] <[EMAIL PROTECTED]>: > Hi, > > Hi, > > I still can't figure out why I can't authenticate from Linux clients. > > I use version 1.1.7 of FreeRADIUS. The Linux client is a Fedora 8 system. > > What is the Linux client config? > > I see the following in your debug output: > > rlm_eap: Request found, released from the list > rlm_eap: EAP/md5 > rlm_eap: processing type md5 > rlm_eap_md5: User-Password is required for EAP-MD5 authentication > rlm_eap: Handler failed in EAP/md5 > rlm_eap: Failed in EAP select > modcall[authenticate]: module "eap" returns invalid for request 84 > modcall: leaving group authenticate (returns invalid) for request 84 > auth: Failed to validate the user. > > > I would also advise that you upgrade to 2.0.0 - not only could this > issue be resolved anyway - it's a lot easier to debug - far > fewer EAP messages! > > alan > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html >
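Well, finally I get the blessed "Access-Accept" for Linux clients too. How did I do that? Well, I upgraded to FreeRADIUS 2.0.1. Maybe my settings could be helpful for many people, so I won't hide them like an alchemist's secret ;)

# NOTE(review): the original post included the LDAP bind password in clear
# text. It is redacted below. A credential that has been posted to a public
# mailing list must be treated as compromised: rotate it on the directory
# server before reusing any of this configuration.
#
# NOTE(review): the config was pasted with all line breaks collapsed; it has
# been re-indented here, with the option values left exactly as posted.

radiusd.conf:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid

# Drop privileges after start-up; the private key and the detail/radutmp
# files therefore need to be readable by this user only.
user = radiusd
group = radiusd

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

# Address sanitised by the poster.
bind_address = xxx.qq.yyy.pp
port = 0
hostname_lookups = no
allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

log_stripped_names = no
# NOTE(review): with log_auth = no, neither successful nor failed
# authentications are written to radius.log, so there is nothing to
# alert on for brute-force or credential-stuffing attempts. Consider
# log_auth = yes. Keep log_auth_badpass / log_auth_goodpass = no: those
# two write the submitted password itself into the log.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no

usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    # Delay Access-Reject by one second to slow down password guessing.
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

# clients.conf holds the NAS shared secrets; it was not included in the post.
$INCLUDE ${confdir}/clients.conf

snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        auto_header = yes
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    $INCLUDE ${confdir}/eap.conf

    mschap {
        # NOTE(review): require_encryption only has an effect when MPPE keys
        # are being sent; with use_mppe = no it presumably does nothing.
        # Confirm which of the two is intended.
        use_mppe = no
        require_encryption = yes
    }

    ldap {
        server = "ldap.cadorna.biz"
        port = 636
        identity = "cn=freeradius,ou=applications,dc=cadorna,dc=biz"
        # Redacted; see the note at the top of this post. Rotate the real one.
        password = "REDACTED"
        # NOTE(review): basedn is under dc=palermo,dc=edu while identity and
        # the users-file Ldap-UserDN are under dc=cadorna,dc=biz. This may be
        # incomplete sanitisation of the post; verify the real values agree.
        basedn = "ou=people,dc=palermo,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ldap_debug = 0x0028
        tls_cacertfile = /etc/raddb/cacert.pem
        tls_randfile = /dev/urandom
        # NOTE(review): "allow" (OpenLDAP TLS_REQCERT semantics) accepts a
        # missing or unverifiable server certificate, so the LDAPS session
        # is not authenticated: anyone who can answer for ldap.cadorna.biz
        # on the path from the RADIUS server obtains the bind credential and
        # every userPassword value fetched below. Since a CA file is already
        # configured, tls_require_cert = "demand" is the safe setting.
        tls_require_cert = "allow"
        access_attr = "radiusAllowed"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        # EAP-MD5 needs the clear-text password (rlm_eap_md5: "User-Password
        # is required for EAP-MD5 authentication", quoted earlier in this
        # thread), so the bind identity must be able to read userPassword
        # for every user, and the attribute must hold a clear-text value.
        # That makes the bind account a high-value target; restrict its
        # read rights to exactly this attribute/subtree.
        password_attribute = userPassword
        edir_account_policy_check=no
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }

    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }

    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }

    $INCLUDE ${confdir}/sql.conf

    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }

    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        # NOTE(review): 0644 makes the session list (user names, NAS
        # addresses) readable by every local account; 0600 like radutmp
        # above unless another local tool needs it.
        perm = 0644
        callerid = "no"
    }

    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

    always fail {
        rcode = fail
    }

    always reject {
        rcode = reject
    }

    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    exec {
        wait = yes
        input_pairs = request
    }

    # Example module only; not referenced from any section below.
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}

instantiate {
    exec
    expr
}

authorize {
    preprocess
    eap
    files
    ldap
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    radutmp
}

session {
    radutmp
}

post-auth {
}

pre-proxy {
}

post-proxy {
    eap
}

eap.conf:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no

    # NOTE(review): md5 is also offered as an *outer* EAP type here. Outside
    # the TTLS tunnel, EAP-MD5 goes over the wire unprotected and a passive
    # observer can crack the challenge/response offline; if every client
    # uses TTLS, consider removing this outer md5 {} section.
    md5 {
    }

    tls {
        certificate_file = /etc/pki/tls/certs/pepe.xp-crt.pem
        # NOTE(review): the private key lives under .../certs/ rather than a
        # private key directory; make sure its mode restricts it to the
        # radiusd user (the daemon drops to user/group radiusd above).
        private_key_file = /etc/pki/tls/certs/pepe.xp-key.pem
        CA_file = /etc/pki/tls/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        # NOTE(review): these two are tunnel (ttls/peap) options and
        # presumably have no effect inside tls {}; harmless but confusing.
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }

    ttls {
        # EAP-MD5 inside the TLS tunnel is only as strong as the tunnel:
        # clients must be configured to verify the server certificate
        # against the CA, otherwise a rogue access point can terminate the
        # tunnel itself and harvest crackable MD5 challenge/responses.
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }

    mschapv2 {
    }
}
# NOTE(review): the closing brace of eap {} was missing from the pasted text
# and has been restored; confirm against the file on disk.

users:

# NOTE(review): in the users file a backtick-quoted value is exec quoting
# (the string is run as a program), whereas a plain DN would normally be
# written in double quotes. The backticks may be a paste artefact; confirm
# against the file on disk. Also, a check item with "=" always matches, and
# this entry has no Fall-Through = Yes, so the DEFAULT entries below it are
# presumably never reached — verify with radiusd -X.
DEFAULT Ldap-UserDN = `uid=%{User-Name},ou=people,dc=cadorna,dc=biz`

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

Enjoy ;) and thanks for your support!!

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html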