Alan DeKok wrote:
jehan procaccia wrote:
hello,
I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my
HP procurve2650 to do Mac-based radius auth.
For this I've set up a simple users file

005004B7252E    Auth-Type := Local, Cleartext-Password := "005004B7252E"

  Delete the "Auth-Type := Local".  It doesn't do anything useful.
OK done
First, it isn't clear to me whether to use Cleartext-Password or
User-Password, and == or :=, and "" or no "" around the password ...!?
Anyway, with Cleartext-Password it works fine with radtest at least

  The example in the FAQ and in the "users" file do NOT have Auth-Type.
They DO use Cleartext-Password, and they DO use ":=".

  All of the third-party web sites, FAQs, etc. are 2-3 years out of
date, and are wrong.
Indeed I was "googleling" for examples ...
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Cleartext-Password is required for authentication

  That says it doesn't have the Cleartext-Password.

...
[files] users: Matched entry DEFAULT at line 172

  So... what's at line 172?  Where is the "users" file entry you added?
line 172 was
DEFAULT Framed-Protocol == PPP

I moved my user entry up to the top of the users file and now it seems to work :-)
Although I didn't set any chap password anywhere in freeradius !?
(perhaps because of this from http://wiki.freeradius.org/HP
/Note: A hashed version of the SRC address is also available in the CHAP-Password attribute.) ?/

rad_recv: Access-Request packet from host 157.159.7.138 port 1125, id=13, length=195
       Framed-MTU = 1480
       NAS-IP-Address = 157.159.7.138
       NAS-Identifier = "Sw-C01"
       User-Name = "005004B7252E"
       Service-Type = Framed-User
       Framed-Protocol = PPP
       NAS-Port = 26
       NAS-Port-Type = Ethernet
       NAS-Port-Id = "26"
       Called-Station-Id = "00-1c-2e-b4-f2-66"
       Calling-Station-Id = "00-50-04-b7-25-2e"
       Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
       CHAP-Password = 0x0ccbeba82a75e0762efbf021c72bd5c45a
       Message-Authenticator = 0x3eae4885821478bc7bbcf7e45618c453
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.7.138/auth-detail-20090429
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.7.138/auth-detail-20090429
[auth_log]      expand: %t -> Wed Apr 29 19:05:06 2009
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 005004B7252E at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Using clear text password "005004B7252E" for user 005004B7252E authentication.
[chap] chap user 005004B7252E authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 13 to 157.159.7.138 port 1125
       Tunnel-Type:0 = VLAN
       Tunnel-Medium-Type:0 = IEEE-802
       Tunnel-Private-Group-Id:0 = "15"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 13 with timestamp +37
Ready to process requests.

My PC client isn't in the Vlan15 though .. it's getting late here in France ... I'll continue tomorrow ...
thanks .

  The FAQ says to add it at the TOP of the "users" file.  That works
best for testing.

  Alan DeKok.
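
An added example (not part of the thread and not FreeRADIUS code) of the CHAP check behind the "[chap] Cleartext-Password is required for authentication" and "Using clear text password" log lines: the server recomputes MD5(ident || password || challenge) per RFC 1994 and RFC 2865 section 5.3, so it needs the cleartext from the users entry and nothing CHAP-specific. The challenge bytes are constructed, because the debug output does not show the Request Authenticator; function and constant names are illustrative.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# CHAP-Password exactly as printed in the debug output above.
PAGE_CHAP_PASSWORD = bytes.fromhex("0ccbeba82a75e0762efbf021c72bd5c45a")


def split_chap_password(value: bytes) -> Tuple[int, bytes]:
    """RFC 2865 5.3: one CHAP ident octet followed by a 16-octet response."""
    if len(value) != 17:
        raise ValueError("CHAP-Password must be 17 octets")
    return value[0], value[1:]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(value: bytes, challenge: bytes, cleartext: Optional[bytes]) -> bool:
    """Server side: recompute the response from the stored cleartext password."""
    if cleartext is None:
        # Same condition the [chap] module reports when no users entry matched.
        raise LookupError("Cleartext-Password is required for authentication")
    ident, received = split_chap_password(value)
    return hmac.compare_digest(received, chap_response(ident, cleartext, challenge))


# Constructed sample input. In a real request the challenge is the CHAP-Challenge
# attribute if present, otherwise the Request Authenticator (RFC 2865 5.3).
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_MAC = b"005004B7252E"


def sample_request(ident: int = 0x0C) -> bytes:
    """CHAP-Password a NAS would send when it uses the MAC as the secret (constructed)."""
    return bytes([ident]) + chap_response(ident, SAMPLE_MAC, SAMPLE_CHALLENGE)


if __name__ == "__main__":
    ident, resp = split_chap_password(PAGE_CHAP_PASSWORD)
    print(f"thread packet: ident={ident:#04x}, response octets={len(resp)}")
    print("matching users entry:", verify_chap(sample_request(), SAMPLE_CHALLENGE, SAMPLE_MAC))
    print("wrong password:", verify_chap(sample_request(), SAMPLE_CHALLENGE, b"000000000000"))
```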
