Hello,

I have a problem with my FreeRADIUS 2.1.10.

I am trying to use PEAP and MSCHAPv2 to authenticate my wireless clients against RADIUS and LDAP. The client is a Windows XP Professional machine configured to use "Protected EAP (PEAP)" for the wireless network.

On the RADIUS server's console the following debug output is shown. It seems that the RADIUS server wants to use TLS instead of PEAP, but the client doesn't have a client certificate because EAP-MSCHAPv2 should be used.

The amazing thing is that this RADIUS server is a VM clone of another RADIUS server, but the other one works fine.

Debug Output:

rad_recv: Access-Request packet from host ... port 32769, id=219, length=159
        User-Name = "xy"
        Calling-Station-Id = "..."
        Called-Station-Id = "..."
        NAS-Port = 1
        NAS-IP-Address = ...
        NAS-Identifier = "T:WLC2125"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0202000b01737461646572
        Message-Authenticator = 0xe5b0ffbed84243bf27ac1ac9c9fcd0b5
server eduroam {
# Executing section authorize from file /etc/freeradius/sites-enabled/eduroam
+- entering group authorize {...}
[suffix] No '@' in User-Name = "xy", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 219 to ... port 32769
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3abc7e1c3abf6764392496688aff7b3f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ... port 32769, id=219, length=159
Sending duplicate reply to client WLC-TUT port 32769 - ID: 219
Sending Access-Challenge of id 219 to ... port 32769
Waking up in 2.0 seconds.
Cleaning up request 0 ID 219 with timestamp +3
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.

eap.conf:

    eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        md5 {
        }


        tls {
            certdir    = /etc/hostcertkey
            cadir = /etc/cacert
            dh_file = ${certdir}/dh
            private_key_file = ${certdir}/roaming.key
            certificate_file = ${certdir}/roaming.pem
            CA_file = ${cadir}/chain.txt
            dh_file = ${certdir}/dh
            random_file = /dev/urandom
            fragment_size = 1024
            include_length = yes
            check_crl = no
            cipher_list = "DEFAULT"
        }

        ttls {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            #use_tunneled_reply = yes
            virtual_server = "eduroam-inner-tunnel"
        }

        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            #use_tunneled_reply = yes
            #proxy_tunneled_request_as_eap = yes
            virtual_server = "eduroam-inner-tunnel"
        }

        mschapv2 {
        }
    }

--
Kind regards,

Jürgen Stader

Rechenzentrum

Hochschule Furtwangen
www.hs-furtwangen.de

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
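A small decoder for the EAP-Message attributes quoted in the debug output above, added here as an example (not part of the original post or of FreeRADIUS). It parses the EAP header (code, id, length), the method type byte, and for tunnelled methods the flags byte, so that the two hex values in the log can be checked directly: the request `0x0202000b01737461646572` is an Identity response, and the server's challenge `0x010300061920` is type 25 (PEAP) with the Start flag set, not EAP-TLS (type 13). Method names in the table are from the EAP type registry; the hex inputs come from the log above.

```python
import struct

# EAP code and method-type registries (RFC 3748 codes; types from the IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TUNNEL_TYPES = (13, 21, 25)  # methods that carry a TLS flags byte after the type


def parse_eap(hexstr):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d does not match %d bytes" % (length, len(data)))
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        result["type"] = EAP_TYPES.get(eap_type, eap_type)
        payload = data[5:]
        if eap_type == 1:
            # Identity payload is the bare identity string (no length prefix).
            result["identity"] = payload.decode("utf-8", "replace")
        elif eap_type in TUNNEL_TYPES and payload:
            # TLS flags byte: L (length included) 0x80, M (more fragments) 0x40,
            # S (start) 0x20; for PEAP/TTLS the low 3 bits carry the method version.
            flags = payload[0]
            result["flags"] = {
                "length_included": bool(flags & 0x80),
                "more_fragments": bool(flags & 0x40),
                "start": bool(flags & 0x20),
                "version": flags & 0x07,
            }
    return result


if __name__ == "__main__":
    # Both values are taken from the debug output quoted in the post.
    for msg in ("0x0202000b01737461646572", "0x010300061920"):
        print(msg, "->", parse_eap(msg))
```

The server's challenge therefore is a PEAP Start, which is the normal first step of PEAP; the session then stalls because the client never answers it, which points at the client side (typically the server certificate, as the warning's wiki link suggests) rather than at a wrong EAP type.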
