Alan DeKok wrote:
> Nicolas Boullis wrote:
>
>> I'm currently in the process of switching from an old freeradius 1.1.6
>> to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).
>
> Why not 2.1.6?

No good reason for this, only that current Debian stable (Lenny) has
packages for 2.0.4, not 2.1.6. (And since administration of radius
servers is only a small part of my work, I'd rather rely on Debian
packages and the Debian security team than track the potential security
issues of all the server software that I use.)

>> Hence, I thought I would use the hints file to force EAP-Type (the good
>> news is that I can recognize the IP phones with their username):
>> CP-7942G-SEP0024C4BE96B7
>>         EAP-Type = MD5-Challenge
>>
>> But this apparently does not work.
>
> It's a *configuration* item, not a reply item. See "man users"
>
> ...
> CP-7942G-SEP0024C4BE96B7 EAP-Type := MD5-Challenge
> ...
>
> That will work.

Unfortunately, it does not, freeradius still tries TLS (PEAP?):

# freeradius -X
(...)
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 138.195.254.246 port 1645, id=21, length=181
        User-Name = "CP-7942G-SEP0024C4BE96B7"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1F-6D-11-DD-98"
        Calling-Station-Id = "00-24-C4-BE-96-B7"
        EAP-Message = 0x0203001d0143502d37393432472d534550303032344334424539364237
        Message-Authenticator = 0xad86f0122944a370ac2bc487e0b292a4
        NAS-Port-Type = Ethernet
        NAS-Port = 50024
        NAS-Port-Id = "FastEthernet0/24"
        NAS-IP-Address = 138.195.254.246
+- entering group authorize
    hints: Matched CP-7942G-SEP0024C4BE96B7 at 78
++[preprocess] returns ok
        expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
        expand: %t -> Thu Jul  2 11:51:53 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "CP-7942G-SEP0024C4BE96B7", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 29
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry CP-7942G-SEP0024C4BE96B7 at line 135
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 21 to 138.195.254.246 port 1645
        EAP-Message = 0x010400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0c5d17fe0c1c8f39eb404d78a61b99b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.

Note the "hints: Matched CP-7942G-SEP0024C4BE96B7 at 78" and "rlm_eap: processing type tls".

(... a few minutes later ...)

I just tried to set EAP-Type in users rather than in hints, and now it
works fine. Thanks!

But why does it work in users and not in hints? (I thought I had to use
hints because it is run before eap in the authorize section...)

Cheers,

-- 
Nicolas Boullis
Ecole Centrale Paris
France

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
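The debug output above carries the raw EAP packets in the EAP-Message attribute, and decoding them is the quickest way to see which EAP method the server actually selected, independent of what hints or users say. The following is an added example written for this page, not code from FreeRADIUS or from the poster: a small decoder for the EAP header (RFC 3748) and the flags byte shared by EAP-TLS, EAP-TTLS and PEAP (RFC 5216 layout). Run on the two values from the log, it shows the client packet is an EAP Identity Response for "CP-7942G-SEP0024C4BE96B7" and the Access-Challenge offers EAP type 25 (PEAP) with the Start flag set, which is what the "processing type tls" line and the "(PEAP?)" guess refer to. The type-code table is the IANA EAP registry; everything else is constructed for the example.

```python
# Added example: decode the EAP-Message values that radiusd -X prints.
# Not part of FreeRADIUS; written to illustrate the thread above.
from typing import Dict

# EAP method type codes from the IANA EAP registry (RFC 3748 and method RFCs).
EAP_TYPES: Dict[int, str] = {
    1: "Identity",
    2: "Notification",
    3: "Legacy Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}

# EAP packet codes (RFC 3748 section 4).
EAP_CODES: Dict[int, str] = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Flags byte of EAP-TLS/TTLS/PEAP: L(ength included) M(ore fragments) S(tart).
FLAG_LENGTH_INCLUDED = 0x80
FLAG_MORE_FRAGMENTS = 0x40
FLAG_START = 0x20

# Tunnelled methods whose first payload byte is the flags byte.
TLS_BASED_TYPES = (13, 21, 25)


def decode_eap_message(hex_value: str) -> dict:
    """Parse one EAP packet given as the 0x... string in the debug log."""
    if hex_value.startswith(("0x", "0X")):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    # The length field must cover the whole packet; a mismatch means the
    # attribute was truncated or fragmented across several EAP-Message AVPs.
    if length != len(data):
        raise ValueError(f"EAP length field {length} != attribute length {len(data)}")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):  # Success and Failure carry no type field
        return result
    eap_type = data[4]
    result["type"] = eap_type
    result["type_name"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    payload = data[5:]
    if eap_type == 1:
        # Identity: the payload is the bare identity string (the User-Name here).
        result["identity"] = payload.decode("utf-8", errors="replace")
    elif eap_type in TLS_BASED_TYPES and payload:
        flags = payload[0]
        result["flags"] = {
            "length_included": bool(flags & FLAG_LENGTH_INCLUDED),
            "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
            "start": bool(flags & FLAG_START),
            # Low bits carry the protocol version for TTLS/PEAP (zero for EAP-TLS).
            "version": flags & 0x07,
        }
    return result


def negotiated_method(challenge_hex: str) -> str:
    """Name of the EAP method the server proposed in its Access-Challenge."""
    return decode_eap_message(challenge_hex)["type_name"]


# The two EAP-Message values copied from the debug output in this thread.
IDENTITY_RESPONSE = "0x0203001d0143502d37393432472d534550303032344334424539364237"
SERVER_CHALLENGE = "0x010400061920"

if __name__ == "__main__":
    print(decode_eap_message(IDENTITY_RESPONSE))
    print(decode_eap_message(SERVER_CHALLENGE))
    print("server offered:", negotiated_method(SERVER_CHALLENGE))
```

Reading the challenge this way is a useful check whenever an EAP-Type override seems to be ignored: if the first Request after the Identity exchange is type 25 with Start set, the default_eap_type from eap.conf is in effect and the override never reached the request's configuration items.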