Hi, I am trying to set up RADIUS auth for my AP.
I've followed the wiki instructions, so I must have overlooked something; my session printout and config files are below. I need your expert help with this one. Has anyone seen this kind of behaviour? br, jura root@zgpc-radius:~# /usr/sbin/freeradius -X FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on May 19 2011 at 15:42:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/ntlm_auth including configuration file 
/etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" 
group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "Holly shit your password is bad!" } security { max_attributes = 200 reject_delay = 3 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "0123456789ABCDEF" nastype = "other" } client 192.168.113.0/24 { require_message_authenticator = no secret = "0123456789ABCDEF" shortname = "BLMOVI" } client 10.222.72.0/24 { require_message_authenticator = no secret = "0123456789ABCDEF" shortname = "ONTOVI" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules 
to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module 
"attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_always Module: Instantiating module "ok" from file /etc/freeradius/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "authorized_macs" from file /etc/freeradius/modules/files files authorized_macs { usersfile = "/etc/freeradius/authorized_macs" compat = "no" key = "%{Calling-Station-ID}" } Module: Instantiating module "reject" from file /etc/freeradius/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=26, length=143 NAS-IP-Address = 100.1.1.1 NAS-Port-Id = "1.1" Framed-MTU = 1024 User-Name = "64-31-50-81-CB-2F" Calling-Station-Id = "64-31-50-81-CB-2F" Message-Authenticator = 0x55e71eef2d8919739367e5026db3bc16 EAP-Message = 0x020200110167706f6e2d48505c67706f6e NAS-Identifier = "BLM12" Ericsson-Attr-101 = 0x4552494353534f4e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [eap] EAP packet type response id 2 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++? 
if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) (Attribute Service-Type was not found) ?? Evaluating (Service-Type == 'Call-Check') -> FALSE expand: ^%{Calling-Station-ID}$ -> ^64-31-50-81-CB-2F$ ?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE ++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE ++- entering if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) {...} +++[control] returns updated ++- if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) returns updated Found Auth-Type = EAP WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/default Failed to authenticate the user. expand: Crap your password is bad! -> Crap your password is bad! Login incorrect: [64-31-50-81-CB-2F/<via Auth-Type = EAP>] (from client ONTOVI port 0 cli 64-31-50-81-CB-2F) Holly shit your password is bad! Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/default Delaying reject of request 0 for 3 seconds Going to the next request Waking up in 0.9 seconds. Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=26, length=143 Waiting to send Access-Reject to client ONTOVI port 65534 - ID: 26 Waking up in 1.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 26 to 10.222.72.112 port 65534 rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=26, length=143 Sending duplicate reply to client ONTOVI port 65534 - ID: 26 Sending Access-Reject of id 26 to 10.222.72.112 port 65534 Waking up in 4.9 seconds. Cleaning up request 0 ID 26 with timestamp +43 Ready to process requests. 
---------------------------------------------------------------------------- root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' ../clients.conf client localhost { ipaddr = 127.0.0.1 secret = 0123456789ABCDEF require_message_authenticator = no } client 10.222.72.0/24 { secret = 0123456789ABCDEF shortname = ONTOVI require_message_authenticator = no } ----------------------------------------------------------------------------- root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' ../radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "Crap your password is bad!" 
} checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 3 status_server = yes } proxy_requests = no $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ root@zgpc-radius:/etc/freeradius/sites-enabled# --------------------------------------------------------------------------- root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' ../policy.conf policy { forbid_eap { if (EAP-Message) { reject } } permit_only_eap { if (!EAP-Message) { if (!"%{outer.request:EAP-Message}") { reject } } } deny_realms { if (User-Name =~ /@|\\/) { reject } } do_not_respond { update control { Response-Packet-Type := Do-Not-Respond } handled } cui_authorize { update request { Chargeable-User-Identity:='\\000' } } cui_postauth { if (FreeRadius-Proxied-To == 127.0.0.1) { if (outer.request:Chargeable-User-Identity) { update outer.reply { Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } else { if (Chargeable-User-Identity) { update reply { Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } } cui_updatedb { if (reply:Chargeable-User-Identity) { cui } } cui_accounting { if (!Chargeable-User-Identity) { update control { Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" } } if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { cui } } rewrite_calling_station_id { if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } } else { noop } } } 
------------------------------------------------------------------------------------------------------ root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' /etc/freeradius/eap.conf eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } } -- View this message in context: http://freeradius.1045715.n5.nabble.com/webauth-and-macauth-tp5703328.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html