Hi everyone, I have set up FreeRADIUS on Ubuntu Server 10.0.4. I also set up a Cisco switch as a NAS and enabled 802.1x on the switch port. I first used the configuration files (clients.conf, users). The 802.1x authentication just works fine.
Then I started to use a MySQL database instead of clients.conf and users. I followed the instructions from this link: http://wiki.freeradius.org/SQL_HOWTO. I used the "radtest" command to test the username/password. It works fine. Then I used the Cisco switch to test the username/password and NAS; it also works fine. But the 802.1x authentication does not work. Here is the output from "freeradius -X":

Ready to process requests.
rad_recv: Access-Request packet from host 10.5.84.14 port 1645, id=213, length=265
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1A-6C-79-7F-89"
	Calling-Station-Id = "00-18-8B-B2-74-CE"
	EAP-Message = 0x0207006b190017030100603436ac7bdf2130158ce653dea69c9c5c155d4a677f8bf6a3330838e2ca749c29c00d7fef558443728826479cb9dbd75b4e3fc4e62b27ecc64a942b06784ae85df1499325a9c927f9e0de86a9989d7349874019e3a286ebb4ab95347d704aaf79
	Message-Authenticator = 0x8a020beb0674cb778f3feb2400792a88
	NAS-Port-Type = Ethernet
	NAS-Port = 50107
	NAS-Port-Id = "FastEthernet1/0/7"
	State = 0xc7b0e155c2b7f81cdb855c0280b00b4a
	NAS-IP-Address = 10.5.84.14
020358: Nov 17 11:41:28.199 PST: %AUTHMGR-5-FAIL: Authorization failed for client (0018.8bb2.74ce) on Interface Fa1/0/7 AuditSessionID 0A05540E0000005E17970995
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94e0000000000000000d2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
server {
  PEAP: Setting User-Name to 83008
Sending tunneled request
	EAP-Message = 0x020700401a0207003b31c49dddfb7a41c1b1af6d0248706af94e0000000000000000d2f582ba4490575f7f0c78eb1e81b3dc81c41b0cb19cfc81003833303038
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "83008"
	State = 0xe741fb76e746e148ba5c58c22edbac30
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "83008", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for 83008 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.

83008 is my user id. Why does it try to use the MSCHAP module and the NT-Password? Here is the fradius database information in MySQL.
mysql> show tables;
+-------------------+
| Tables_in_fradius |
+-------------------+
| nas               |
| radacct           |
| radcheck          |
| radgroupcheck     |
| radgroupreply     |
| radpostauth       |
| radreply          |
| radusergroup      |
+-------------------+
8 rows in set (0.00 sec)

mysql> select * from nas;
+----+------------+-----------+-------+-------+--------+-----------+---------------+
| id | nasname    | shortname | type  | ports | secret | community | description   |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
|  2 | 10.5.84.14 | lab-3750b | cisco | NULL  | spl00t | NULL      | RADIUS Client |
+----+------------+-----------+-------+-------+--------+-----------+---------------+
1 row in set (0.00 sec)

mysql> select * from radcheck;
+----+----------+--------------------+----+------------+
| id | username | attribute          | op | value      |
+----+----------+--------------------+----+------------+
|  1 | sqltest  | Password           | == | testpwd    |
|  2 | 83008    | Cleartext-Password | := | testing123 |
+----+----------+--------------------+----+------------+
2 rows in set (0.00 sec)

mysql> select * from radreply;
+----+----------+--------------+----+-------------------+
| id | username | attribute    | op | value             |
+----+----------+--------------+----+-------------------+
|  2 | 83008    | cisco-avpair | =  | shell:priv-lvl=15 |
+----+----------+--------------+----+-------------------+
1 row in set (0.00 sec)

The other tables are empty. Thanks for taking a look.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
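As an added example (not part of the original post and not FreeRADIUS code), a small Python checker that reads a freeradius -X transcript, records which modules each virtual server's authorize section ran, and flags any server where mschap reported no Cleartext-Password while no sql module ran in authorize; in the transcript above, the inner-tunnel authorize section lists chap, mschap, unix, suffix, control, eap, files, expiration, logintime and pap, but no sql. The sample transcript is a constructed excerpt of that debug output; the section and module names come from the debug lines themselves.

```python
import re

# Constructed excerpt of the freeradius -X output from the post above,
# one debug entry per line (the post shows it run together).
SAMPLE = """\
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
+- entering group authenticate {...}
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] returns reject
"""

SERVER_RE = re.compile(r"^server(?: (\S+))? \{")          # "server {" or "server inner-tunnel {"
GROUP_RE = re.compile(r"^\+- entering group (\S+) \{")     # "+- entering group authorize {...}"
MODULE_RE = re.compile(r"^\+\+\[(\S+)\] returns (\S+)")    # "++[files] returns noop"
NO_PW_RE = re.compile(r"^\[mschap\] No Cleartext-Password configured")

def module_calls(transcript):
    """Map (virtual server, section) -> [(module, rcode), ...].
    Sub-groups such as MS-CHAP are tracked flat, not as a stack."""
    calls, server, group = {}, "default", None
    for line in (l.strip() for l in transcript.splitlines()):
        if m := SERVER_RE.match(line):
            server, group = m.group(1) or "default", None
        elif m := GROUP_RE.match(line):
            group = m.group(1)
            calls.setdefault((server, group), [])
        elif (m := MODULE_RE.match(line)) and group:
            calls[(server, group)].append((m.group(1), m.group(2)))
    return calls

def diagnose(transcript):
    """Report each virtual server whose authorize section ran no sql module
    while mschap complained that it had no Cleartext-Password to work from."""
    no_pw = any(NO_PW_RE.match(l.strip()) for l in transcript.splitlines())
    findings = []
    for (server, section), mods in module_calls(transcript).items():
        names = [name for name, _ in mods]
        if section == "authorize" and no_pw and "sql" not in names:
            findings.append(f"{server}: authorize ran {names} but not sql, "
                            "so mschap had no Cleartext-Password for the inner user")
    return findings
```

On a saved freeradius -X log, diagnose() returns one line per virtual server it flags; an empty list means every authorize section that was reached included sql, or mschap never complained about a missing password.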