Hello!

alan buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> Hi,
>
> 1) you are getting an access-accept - which suggests the client is using the
> values you mention - that is 'miles' with 'davis45' as the password - hence
> you are using PEAP or PAP or somesuch and not EAP-TLS certificate

I have no luck with this. I read in some articles that to make an AP with
Radius-Authentication, one should create certificates with 'make all' in the
certs directory after editing the ca.cnf and server.cnf and copy the ca.pem to
the client. Where can I read what other possibilities there are to authorize a
client for an AP using a RADIUS server as backend?

> 2) your access-accept should mean that the client gets an address on the
> network it is put on via the AP - unless you haven't got that bit configured
> right (VLAN or DHCP server etc) - not a FreeRADIUS issue

I just attached the AP to eth0, accessible at 192.168.1.254, activated the
DHCP-Server and tried to get authorization with a notebook using WPA-Enterprise
and the ca.cert. I disabled sql now in the Radius-Server and get this when I
access from the notebook with TTLS and PAP:

rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=3, length=159
        User-Name = "christiane"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 0
        Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
        Calling-Station-Id = "00-22-B0-E7-D9-9B"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x0200000f0163687269737469616e65
        Message-Authenticator = 0x63fa52067e6106e6299499e8e42249ee
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "christiane", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry christiane at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.254 port 2048
        EAP-Message = 0x010100160410cde74bbeeec3a19a037d5b4fe57f4c97
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4fb647db4fb74330423119a23041222a
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=4, length=168
        User-Name = "christiane"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 0
        Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
        Calling-Station-Id = "00-22-B0-E7-D9-9B"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x020100060315
        State = 0x4fb647db4fb74330423119a23041222a
        Message-Authenticator = 0x64f323aa1f0f8335cc75e1ec3690a536
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "christiane", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry christiane at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.1.254 port 2048
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4fb647db4eb45230423119a23041222a
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 3 with timestamp +130
Cleaning up request 3 ID 4 with timestamp +130
Ready to process requests.

But I do not get a lease from the AP.

> 3) clients don't use ca.pem for authentication using certificates - clients
> get their own client cert

Strange, where can I read about this?

> 4) EAP-TLS is plain/simple method - thus checking against SQL for passwords
> is wrong

OK, disabled SQL and made entries in the users file.

miles           Cleartext-Password := "davis45"
christiane      Cleartext-Password := "chr17!"

> 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security
> fixes.

All right, will do that if I can see some land in this ocean.

> alan

Thank you for your help with this! I am a bit lost.

Andreas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
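As an added illustration (not code from this thread or from the FreeRADIUS project), a small Python script that groups radiusd -X debug output of the kind quoted above by RADIUS packet id and reports how far the EAP conversation got; it assumes the line formats shown in that log and uses a constructed, abridged excerpt of it as sample input.

```python
import re

# Constructed, abridged excerpt of the radiusd -X output quoted above;
# only the lines the parser keys on are kept.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=3, length=159
        User-Name = "christiane"
        Calling-Station-Id = "00-22-B0-E7-D9-9B"
[eap] processing type md5
Sending Access-Challenge of id 3 to 192.168.1.254 port 2048
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=4, length=168
        User-Name = "christiane"
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
Sending Access-Challenge of id 4 to 192.168.1.254 port 2048
"""

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r'^\s+(User-Name|Calling-Station-Id) = "([^"]*)"')
TYPE_RE = re.compile(r"^\[eap\] processing type (\S+)")
NAK_RE = re.compile(r"^\[eap\] EAP-NAK asked for EAP-Type/(\S+)")
SEND_RE = re.compile(r"^Sending (Access-(?:Accept|Reject|Challenge)) of id \d+")

def summarize_eap(log_text):
    """Per RADIUS packet id: NAS address, the quoted attributes, EAP types the
    server processed, any EAP-NAK (client refusing the offered type and naming
    the one it wants) and the reply packet type the server sent."""
    requests, cur = {}, None
    for line in log_text.splitlines():
        if m := RECV_RE.match(line):
            cur = requests.setdefault(int(m.group(2)), {"nas": m.group(1),
                  "attrs": {}, "types": [], "nak_for": None, "reply": None})
        elif cur is None:
            continue
        elif m := ATTR_RE.match(line):
            cur["attrs"][m.group(1)] = m.group(2)
        elif m := TYPE_RE.match(line):
            cur["types"].append(m.group(1))
        elif m := NAK_RE.match(line):
            cur["nak_for"] = m.group(1)
        elif m := SEND_RE.match(line):
            cur["reply"] = m.group(1)
    return requests

def outcome(requests):
    """'accept'/'reject' if such a reply was sent, else 'incomplete': only
    Access-Challenges went out, so EAP stopped before authentication finished
    and the AP had no reason to open the port; the supplicant's log is next."""
    replies = {r["reply"] for r in requests.values()}
    if "Access-Accept" in replies:
        return "accept"
    return "reject" if "Access-Reject" in replies else "incomplete"
```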