On 2009-Apr-29, at 10:26, jehan procaccia wrote:

hello,
I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth.
for this I've setup a simple users file

005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E"
              Tunnel-type = VLAN,
              Tunnel-Medium-Type = IEEE-802,
              Tunnel-Private-Group-ID = 15

First, it isn't clear to me whether to use Cleartext-Password or User-Password, and == or :=, and "" or no "" around the password ...!?
anyway, with Cleartext-Password it works fine with radtest at least

$ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret
rad_recv: Access-Accept packet from host 157.159.100.55 port 1812, id=81, length=36

Now when my HP switch tries to auth my PC, which has 005004B7252E as MAC address for its eth0, apparently the HP sends a chap password
CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
which turns radius into its chap module and fails to authenticate :-(
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

I am lost. I don't know if I have to set a chap password in the "users" file or anywhere else? (how, syntax?)
or if I have to tell my HP switch not to do chap (again, how?)

Thanks .


details of radius -X

rad_recv: Access-Request packet from host 157.159.17.138 port 1125, id=8, length=195
      Framed-MTU = 1480
      NAS-IP-Address = 157.159.17.138
      NAS-Identifier = "Sw-C01"
      User-Name = "005004B7252E"
      Service-Type = Framed-User
      Framed-Protocol = PPP
      NAS-Port = 26
      NAS-Port-Type = Ethernet
      NAS-Port-Id = "26"
      Called-Station-Id = "00-1c-2e-b4-f2-66"
      Calling-Station-Id = "00-50-04-b7-25-2e"
      Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
      CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
      Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
[auth_log]      expand: %t -> Wed Apr 29 17:28:16 2009
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL
[suffix] No such realm "NULL"

Uncomment and edit your proxy.conf file for the NULL realm:

...
realm NULL {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        secret          = testing123
}
...




++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 005004B7252E
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 8 to 157.159.17.138 port 1125
Waking up in 4.9 seconds.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
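
Added example, not part of the original thread and not FreeRADIUS code: a sketch of the RFC 1994 CHAP check, showing why the `[chap] Cleartext-Password is required for authentication` line in the debug output appears whenever no cleartext password reaches the module. The challenge bytes are constructed (the real one is the CHAP-Challenge attribute or, when that is absent as in the packet above, the RADIUS Request Authenticator, which the debug output does not print), and the function names and the "ok"/"reject"/"invalid" labels are this example's own.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS sends as CHAP-Password: 1-byte CHAP ID followed by
    MD5(CHAP ID || password || challenge), 17 bytes in total (RFC 1994)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes,
                cleartext: Optional[bytes]) -> str:
    """Server-side check. The digest can only be recomputed from the
    cleartext password, so a missing or hashed-only password cannot work."""
    if len(chap_password) != 17:
        return "invalid"            # malformed attribute
    if cleartext is None:
        return "invalid"            # no known-good cleartext for this user
    expected = chap_response(chap_password[0], cleartext, challenge)
    # Constant-time comparison of the received and recomputed values.
    return "ok" if hmac.compare_digest(expected, chap_password) else "reject"


# Constructed sample input: CHAP ID 0x07 is the first byte of the
# CHAP-Password in the thread; the 16-byte challenge is made up.
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_MAC = b"005004B7252E"        # User-Name and password in MAC-based auth

if __name__ == "__main__":
    sent = chap_response(0x07, SAMPLE_MAC, SAMPLE_CHALLENGE)
    print("CHAP-Password = 0x" + sent.hex())
    # users entry matched, Cleartext-Password available:
    print(verify_chap(sent, SAMPLE_CHALLENGE, SAMPLE_MAC))
    # no Cleartext-Password found for the user (as in the debug output):
    print(verify_chap(sent, SAMPLE_CHALLENGE, None))
    # stored password differs only in case from what the switch hashed:
    print(verify_chap(sent, SAMPLE_CHALLENGE, b"005004b7252e"))
```

The last case shows that the stored password must match byte for byte what the switch hashed, including letter case and separators.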
