I don't know if it's a GNU Radius problem ... but I changed to "Freeradius" and all seems to work atm ....
What also made me change was when I read it hasn't been updated for 2 years ... so I also thought it might be a Vista problem ...

// oUT

On Wed, Mar 26, 2008 at 10:23 PM, Martin Laflamme <[EMAIL PROTECTED]> wrote:
> Hi Mikael,
>
> I've had a similar issue before with straightforward PPPoE authentication.
>
> Login incorrect [rrr/]
>
> Some users would log in and I would see something like you're seeing
> above. I'd get them to retype their username and everything would be
> fine.
>
> I'm not sure if gnu-radius chomps the username (remove any carriage
> returns or spaces from usernames) but it almost looks like that was the
> issue.
>
> Anyways... it's an idea.
>
> Martin
>
>
> >
> > Hi,
> >
> > I'm having problems getting my AP auth with my radius. Below are various
> > information.
> >
> > Windows client: ( I'm trying to translate the Danish )
> > WPA-Enterprise
> > Encryption: TKIP
> > Authentication method: PEAP ( the other ones are chip or certificate )
> > Don't validate server certificate
> > EAP-MSCHAP v2 ( Do not use windows logon name and password )
> > Under there are 3 check boxes all turned off ....
> >
> > So ... windows says this configuration is right and I get to type the
> > username and password ... but it never gets to the RADIUS box, as you
> > can see from the log files below ....
> >
> > If you need more information, I will happily supply it .... as I'm
> > really lost here ... don't know if GNU Radius even is able to do it
> > ... only time will tell, but I sure hope so :-)
> >
> > best regards
> > Mikael Syska
> >
> > ----------------------
> >
> > Here is some debug information:
> > Debug from the Cisco AP:
> > Mar 25 22:54:16.617: RADIUS/ENCODE(000000A1):Orig. component type = DOT11
> > Mar 25 22:54:16.617: RADIUS: AAA Unsupported Attr: ssid [263] 3
> > Mar 25 22:54:16.617: RADIUS: 6F [o]
> > Mar 25 22:54:16.617: RADIUS: AAA Unsupported Attr: location-name [530] 4
> > Mar 25 22:54:16.617: RADIUS: 4F 45 [OE]
> > Mar 25 22:54:16.618: RADIUS: AAA Unsupported Attr: interface [156] 3
> > Mar 25 22:54:16.618: RADIUS: 34 [4]
> > Mar 25 22:54:16.618: RADIUS(000000A1): Storing nasport 412 in rad_db
> > Mar 25 22:54:16.618: RADIUS(000000A1): Config NAS IP: 172.17.4.30
> > Mar 25 22:54:16.619: RADIUS/ENCODE(000000A1): acct_session_id: 161
> > Mar 25 22:54:16.619: RADIUS(000000A1): Config NAS IP: 172.17.4.30
> > Mar 25 22:54:16.619: RADIUS(000000A1): sending
> > Mar 25 22:54:16.619: RADIUS(000000A1): Send Access-Request to 172.17.4.1:1812 id 1645/31, len 121
> > Mar 25 22:54:16.619: RADIUS: authenticator 63 B4 AE 27 0B BF 68 D1 - 8E C2 A9 74 03 17 D7 38
> > Mar 25 22:54:16.619: RADIUS: User-Name [1] 5 "rrr"
> > Mar 25 22:54:16.620: RADIUS: Framed-MTU [12] 6 1400
> > Mar 25 22:54:16.620: RADIUS: Called-Station-Id [30] 16 "001e.be8e.03e0"
> > Mar 25 22:54:16.620: RADIUS: Calling-Station-Id [31] 16 "001b.77d2.b10c"
> > Mar 25 22:54:16.620: RADIUS: Service-Type [6] 6 Login [1]
> > Mar 25 22:54:16.620: RADIUS: Message-Authenticato[80] 18 *
> > Mar 25 22:54:16.621: RADIUS: EAP-Message [79] 10
> > Mar 25 22:54:16.621: RADIUS: 02 02 00 08 01 72 72 72 [?????rrr]
> > Mar 25 22:54:16.621: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
> > Mar 25 22:54:16.621: RADIUS: NAS-Port [5] 6 412
> > Mar 25 22:54:16.621: RADIUS: NAS-IP-Address [4] 6 172.17.4.30
> > Mar 25 22:54:16.621: RADIUS: Nas-Identifier [32] 6 "ap30"
> > Mar 25 22:54:16.624: RADIUS: Received from id 1645/31 172.17.4.1:1812, Access-Reject, len 39
> > Mar 25 22:54:16.624: RADIUS: authenticator 4C 71 B8 6A A3 15 51 B7 - B5 4A 93 69 64 84 49 1C
> > Mar 25 22:54:16.624: RADIUS: Reply-Message [18] 19
> > Mar 25 22:54:16.625: RADIUS: 0D 0A 41 63 63 65 73 73 20 64 65 6E 69 65 64 0D [??Access denied?]
> > Mar 25 22:54:16.625: RADIUS: 0A [?]
> > Mar 25 22:54:16.625: RADIUS(000000A1): Received from id 1645/31
> >
> > Debug from the GNU Radius server:
> > Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> > Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> > Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> > Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> > Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> > Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> > Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> > Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> > Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> > Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> > Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> > Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> >
> > Cisco config.txt:
> > !
> > ! Last configuration change at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
> > ! NVRAM config last updated at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
> > !
> > version 12.3
> > no service pad
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > service password-encryption
> > !
> > hostname ap30
> > !
> > no logging console
> > enable secret 5 $1$2jwC$NHe..OkEaUL4fxHY22NDe0
> > !
> > clock timezone +0100 1
> > ip subnet-zero
> > ip domain name foo.tld
> > ip name-server 172.17.4.1
> > !
> > !
> > aaa new-model
> > !
> > !
> > aaa group server radius rad_eap
> >  server 172.17.4.1 auth-port 1812 acct-port 1813
> > !
> > aaa group server radius rad_mac
> > !
> > aaa group server radius rad_acct
> > !
> > aaa group server radius rad_admin
> > !
> > aaa group server tacacs+ tac_admin
> > !
> > aaa group server radius rad_pmip
> > !
> > aaa group server radius dummy
> > !
> > aaa authentication login eap_methods group rad_eap
> > aaa authentication login mac_methods local
> > aaa authorization exec default local
> > aaa accounting network acct_methods start-stop group rad_acct
> > aaa session-id common
> > !
> > dot11 ssid oma
> >  authentication open eap eap_methods
> >  authentication network-eap eap_methods
> >  authentication key-management wpa
> >  guest-mode
> > !
> > !
> > !
> > username Cisco privilege 15 password 7 0005170B0D555B51
> > !
> > bridge irb
> > !
> > !
> > interface Dot11Radio0
> >  no ip address
> >  no ip route-cache
> >  !
> >  encryption mode ciphers tkip
> >  !
> >  ssid oma
> >  !
> >  speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
> >  station-role root
> >  bridge-group 1
> >  bridge-group 1 subscriber-loop-control
> >  bridge-group 1 block-unknown-source
> >  no bridge-group 1 source-learning
> >  no bridge-group 1 unicast-flooding
> >  bridge-group 1 spanning-disabled
> > !
> > interface FastEthernet0
> >  no ip address
> >  no ip route-cache
> >  duplex auto
> >  speed auto
> >  bridge-group 1
> >  no bridge-group 1 source-learning
> >  bridge-group 1 spanning-disabled
> > !
> > interface BVI1
> >  ip address 172.17.4.30 255.255.255.0
> >  no ip route-cache
> > !
> > ip default-gateway 172.17.4.1
> > ip http server
> > no ip http secure-server
> > ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> > ip radius source-interface BVI1
> > !
> > logging facility auth
> > logging 172.17.4.20
> > access-list 111 permit tcp any any neq telnet
> > snmp-server view dot11view ieee802dot11 included
> > snmp-server community public view dot11view RO
> > snmp-server location OEST
> > snmp-server contact [EMAIL PROTECTED]
> > snmp-server chassis-id ap30
> > radius-server attribute 32 include-in-access-req format %h
> > radius-server host 172.17.4.1 auth-port 1812 acct-port 1813 key 7 135647415A5F567978
> > radius-server vsa send accounting
> > bridge 1 route ip
> > !
> > !
> > !
> > line con 0
> >  access-class 111 in
> > line vty 0 4
> >  access-class 111 in
> > !
> > sntp server 83.221.136.68
> > sntp broadcast client
> > end
> >
> > config from the radius server:
> > # For detailed description, run:
> > # info Radius config
> >
> > # usedbm no;
> >
> > option {
> >     # source-ip 172.17.4.1;
> >     max-requests 1024;
> >     resolve no;
> > };
> >
> > logging {
> >     prefix-hook "default_log_prefix";
> >     channel default {
> >         file "radius.log";
> >         print-category yes;
> >         print-level yes;
> >     };
> >     channel info {
> >         file "radius.info";
> >         print-pid yes;
> >     };
> >     channel debug {
> >         file "radius.debug";
> >     };
> >     category auth {
> >         level high;
> >         print-auth yes;
> >         print-failed-pass yes;
> >     };
> >     category info {
> >         channel info;
> >     };
> >     category =debug {
> >         channel debug;
> >     };
> >     category * {
> >         channel default;
> >     };
> > };
> >
> > auth {
> >     #listen 172.17.4.1;
> >     #port 1645;
> >     trace-rules yes;
> >     max-requests 127;
> >     request-cleanup-delay 2;
> >     detail yes;
> >     # detail-file-name "=nas_name(request_source_ip()) + \"/detail.auth\"";
> >     strip-names yes;
> >     # checkrad-assume-logged yes;
> > };
> >
> > acct {
> >     max-requests 127;
> >     request-cleanup-delay 2;
> >     detail-file-name "=nas_name(request_source_ip()) + \"/detail\"";
> > };
> >
> > rewrite {
> >     load "checknas.rw";
> >     load "log-hook.rw";
> >     load "nas-ip.rw";
> > };
> >
> > # snmp {
> > #     listen no;
> > # };
> >
> > users from the GNU Radius:
> > # For detailed description, run:
> > # info Radius users
> >
> >
> > ## The following entry is supposed to be used with authentication probe
> > ## control. Please read `info --node 'Auth Probing' radius' for the detailed
> > ## description of it
> > DEFAULT Group = "*LOCKED_ACCOUNT*",
> >         Auth-Type = Reject
> >         Reply-Message = "Your account is currently locked.\n\
> > Please, contact your system administrator\n"
> >
> >
> > ## Default entry.
> > DEFAULT Auth-Type = Crypt-Local,
> >         Password-Location = SQL,
> >         Simultaneous-Use = 1
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP
> >
> > sqlserver from the radius server:
> > Only changed a few things, like:
> > doauth yes;
> > user,pass,host,database so it can Auth, rest is default.
> >
> >
> > _______________________________________________
> > Help-gnu-radius mailing list
> > [email protected]
> > http://lists.gnu.org/mailman/listinfo/help-gnu-radius
> >
> >
> --
> Senior Network Security Analyst
> CISSP, FCNSP, CCNP, CCDP, RCAS, CCAI
> [EMAIL PROTECTED]
> tel. 613.728.5504
> cell. 613-295-5504
>
> Marketbridge Technologies, Inc.
> 1066 Somerset St. West, Suite B-101
> Ottawa, ON, K1Y 4T3
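
Added example (not part of the original thread, and not code from GNU Radius, FreeRADIUS or Cisco): a small Python decoder for the EAP-Message bytes in the Cisco AP debug quoted above. Run over attribute lines excerpted from that debug, it shows the Access-Request carries an EAP-Response/Identity for "rrr" and no User-Password attribute. Attribute numbers and EAP codes follow RFC 2865, RFC 3579 and RFC 3748; the function names are hypothetical.

```python
import re
import struct

# Attribute lines excerpted from the Cisco AP debug in the post (quote markers removed).
DEBUG = """\
Mar 25 22:54:16.619: RADIUS: User-Name [1] 5 "rrr"
Mar 25 22:54:16.620: RADIUS: Service-Type [6] 6 Login [1]
Mar 25 22:54:16.620: RADIUS: Message-Authenticato[80] 18 *
Mar 25 22:54:16.621: RADIUS: EAP-Message [79] 10
Mar 25 22:54:16.621: RADIUS: 02 02 00 08 01 72 72 72 [?????rrr]
Mar 25 22:54:16.621: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
"""

ATTR = re.compile(r"RADIUS:\s+([A-Za-z][\w-]*)\s*\[(\d+)\]\s+\d+")
HEXDUMP = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}(?:\s+|$))+)")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_attributes(text):
    """Map RADIUS attribute number -> bytes collected from its hex dump lines."""
    attrs, current = {}, None
    for line in text.splitlines():
        m = ATTR.search(line)
        if m:
            current = int(m.group(2))
            attrs.setdefault(current, bytearray())
        elif current is not None and (h := HEXDUMP.search(line)):
            attrs[current] += bytes.fromhex(h.group(1))
    return attrs

def decode_eap(packet):
    """Decode an EAP packet header (RFC 3748): code, id, length, then type."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field does not match captured bytes")
    eap_type = packet[4] if code in (1, 2) and length > 4 else None
    return {"code": EAP_CODES.get(code, code), "id": ident,
            "type": EAP_TYPES.get(eap_type, eap_type), "data": bytes(packet[5:])}

def summarize(text):
    """Report whether a PAP password is present and what the EAP-Message holds."""
    attrs = parse_attributes(text)
    eap = decode_eap(attrs[79]) if attrs.get(79) else None  # 79 = EAP-Message
    return {"has_user_password": 2 in attrs, "eap": eap}    # 2 = User-Password

if __name__ == "__main__":
    print(summarize(DEBUG))
```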
