Sorry for sending this message twice, but I forgot the debug output.

---

Thanks for the reply. But the client that I use only supports PAP and CHAP requests and neither of them initiates the server to send an Access Challenge. That is why I tried to create the challenge with the help of the Perl module. Then I realized that freeradius.net unfortunately doesn't include this module. After spending several hours setting up a Linux environment, I'm in despair over this Perl script. Perhaps somebody can tell me why it doesn't work!?

sub authenticate {
    # For debugging purposes only
    &log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # send the challenge
        $RAD_REPLY{'State'} = "challenge";
        $RAD_REPLY{'Reply-Message'} = "challenge: ";
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        return RLM_MODULE_HANDLED;
    }
}

If I'm not completely wrong, it's the same that worked for this guy:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47425.html

But the server doesn't send the reply to the client (Timeout at clientside)

rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
        User-Name = "radius"
        NAS-IP-Address = 10.0.1.131
        CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
        CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "radius", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry radius at line 52
modcall[authorize]: module "files" returns ok for request 0
perl_pool: item 0xb809a5f0 asigned new request. Handled so far: 1
found interpetator at address 0xb809a5f0
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb809a5f0
modcall[authorize]: module "perl" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Perl
auth: type "Perl"
Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
perl_pool: item 0xb8181050 asigned new request. Handled so far: 1
found interpetator at address 0xb8181050
rlm_perl: RAD_REQUEST: Client-IP-Address = 10.0.1.131
rlm_perl: RAD_REQUEST: CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
rlm_perl: RAD_REQUEST: CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
rlm_perl: RAD_REQUEST: User-Name = radius
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.131
rlm_perl: RAD_REPLY: Reply-Message = challenge:
rlm_perl: RAD_REPLY: User-Password = pass
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair Reply-Message = challenge:
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb8181050
modcall[authenticate]: module "perl" returns handled for request 0
modcall: leaving group Perl (returns handled) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 7 with timestamp 49a4220b
Nothing to do. Sleeping until we see a request.

If this makes sense to somebody, I would be thankful for any advice :-)

Regards,
Ronny

-----Original Message-----
From: freeradius-users-bounces+voigt=bi-web...@lists.freeradius.org [mailto:freeradius-users-bounces+voigt=bi-web...@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Tuesday, 24 February 2009 00:07
To: FreeRadius users mailing list
Subject: Re: trigger an Access Challenge

>I want to test a radius client with the freeradius server. Access
>Requests and Replies works fine, but although I searched this mailing
>list and several websites I still have no idea how to trigger an Access
>Challenge. It would be very nice, if somebody could tell me how I have
>to configure freeradius, so that it sends an access challenge to my
>client.
>

Send a request for an authentication protocol that requires multiple server-client exchanges (like EAP). If server needs more information from the client it will respond with the challenge.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
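
What the client in this thread is waiting for on the wire, as an added example (not code from the original posts or from FreeRADIUS): an RFC 2865 Access-Challenge carrying the same State and Reply-Message values, together with the check a client applies before accepting it. The shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11            # RFC 2865 packet code
REPLY_MESSAGE, STATE = 18, 24    # RFC 2865 attribute types

def encode_attr(attr_type, value):
    """Type (1 byte), Length (1 byte, counts the 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_challenge(pkt_id, request_auth, secret, state, message):
    """Server side: Access-Challenge answering the request with this id."""
    attrs = encode_attr(REPLY_MESSAGE, message) + encode_attr(STATE, state)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, pkt_id, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_reply(packet, request_auth, secret):
    """Client side: verify the authenticator, then return (code, id, attrs)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]     # bytes past Length are padding, ignore them
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, pkt_id, attrs

# Constructed sample values: the id (7) and the State / Reply-Message strings
# mirror the post; the secret and Request Authenticator are made up.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
CHALLENGE = build_challenge(7, REQUEST_AUTH, SECRET, b"challenge", b"challenge: ")
```

A client that accepts this packet sends a new Access-Request with the State attribute echoed back unchanged, which is how the server ties the answer to the challenge.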