I have a Ruckus ZoneDirector 1025 with WAPs that I just installed. I am testing out the different EAP types I can use. I am using FreeRADIUS 2.1.3. I have EAP-TTLS and EAP-PEAPv0 working perfectly (I am using Windows to control the wireless card for PEAP and it works great). I was going to try EAP-TLS by assigning a client certificate to the machine account, so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind of looks to me like the ZoneDirector is not sending the correct EAP message for EAP-TLS. Maybe someone could point me in the right direction. Also, something is putting host/ in front of the User-Name field. In the certificate, I have the common name as joshhiner, not host/joshhiner. I wonder if the ZoneDirector is mangling EAP? Also, the wireless card is a mini-PCI Broadcom in a Compaq 6710b.

Thanks -Josh

Error:

Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=186, length=192
   User-Name = "host/joshhiner"
   NAS-IP-Address = 172.17.10.108
   NAS-Identifier = "00:1f:41:3a:82:f9"
   NAS-Port = 2
   Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
   Calling-Station-Id = "00-21-00-41-AE-4F"
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = "CONNECT 11Mbps 802.11b"
   EAP-Message = 0x0200001301686f73742f6a6f736868696e6572
   Message-Authenticator = 0x5a46b20a893c5d940dfacf2c35c1bd83
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/joshhiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/joshhiner", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> host/joshhiner
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 186 to 172.17.10.108 port 1027
Waking up in 4.9 seconds.
Cleaning up request 2 ID 186 with timestamp +373
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
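The EAP-Message attribute in the debug output above can be decoded directly, which is the quickest way to tell where the host/ prefix originates. The following is an added example written for this thread (not the poster's code and not part of FreeRADIUS); it parses the RFC 3748 EAP header (Code, Identifier, Length, Type) and, for a Response/Identity packet, returns the identity string carried inside the EAP payload. Applied to the bytes 0x0200001301686f73742f6a6f736868696e6572 from the log, it yields "host/joshhiner": the prefix is already inside the supplicant's Identity response, and the NAS simply copies that string into User-Name. The helper that splits a "host/<name>" identity is an assumption about the Windows machine-authentication naming convention, not something the log itself states.

```python
"""Decode a RADIUS EAP-Message attribute as printed by radiusd -X.

Added example for this thread; not the poster's code and not FreeRADIUS code.
EAP layout (RFC 3748): Code(1) Identifier(1) Length(2, big-endian) [Type(1) Type-Data].
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str]   # None for Success/Failure, which carry no Type byte
    data: bytes


def _hex_to_bytes(fragments: List[str]) -> bytes:
    # RFC 2869 allows one EAP packet to be split across several EAP-Message
    # attributes; the debug log prints each as its own "0x..." line.
    out = b""
    for frag in fragments:
        frag = frag.strip().lower()
        if frag.startswith("0x"):
            frag = frag[2:]
        out += bytes.fromhex(frag)
    return out


def parse_eap_message(*fragments: str) -> EapPacket:
    """Parse one EAP packet given its EAP-Message hex fragment(s) in order."""
    raw = _hex_to_bytes(list(fragments))
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes received")
    code_name = EAP_CODES.get(code, f"Unknown({code})")
    if code in (3, 4):           # Success / Failure: header only
        return EapPacket(code_name, ident, length, None, b"")
    if len(raw) < 5:
        raise ValueError("Request/Response packet is missing the Type byte")
    type_name = EAP_TYPES.get(raw[4], f"Unknown({raw[4]})")
    return EapPacket(code_name, ident, length, type_name, raw[5:])


def identity_from_log(*fragments: str) -> Optional[str]:
    """Return the identity string if the packet is a Response/Identity, else None."""
    pkt = parse_eap_message(*fragments)
    if pkt.code == "Response" and pkt.eap_type == "Identity":
        return pkt.data.decode("utf-8", errors="replace")
    return None


def split_machine_identity(identity: str) -> Tuple[Optional[str], str]:
    """Split a 'host/<name>' style identity into (prefix, name).

    Assumption (not from the log): the Windows supplicant prefixes the computer
    name with 'host/' when it performs machine authentication.
    """
    if "/" in identity:
        prefix, name = identity.split("/", 1)
        return prefix, name
    return None, identity


if __name__ == "__main__":
    # The exact attribute value from the debug output in this thread.
    LOG_EAP_MESSAGE = "0x0200001301686f73742f6a6f736868696e6572"
    pkt = parse_eap_message(LOG_EAP_MESSAGE)
    print(f"{pkt.code} id={pkt.identifier} len={pkt.length} type={pkt.eap_type}")
    ident = identity_from_log(LOG_EAP_MESSAGE)
    print("identity inside EAP payload:", ident)
    print("prefix/name:", split_machine_identity(ident or ""))
```

Run it against any EAP-Message line from a radiusd -X trace; a Request packet from the server (Code 1) decodes the same way, so the Type byte tells you which EAP method FreeRADIUS actually offered in reply to the Identity response.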
