Re: Querry on localhost testing

2003-08-10 Thread Tom Emerson
In his inimicable (?) style, Alan DeKok wrote:
> "Rudramuni PH" <[EMAIL PROTECTED]> wrote:
> > Full Debug in formation
> ...
> Go back and read it.  The answer to your question is in the
> debug log you posted to the list.

Alan, to you it is insanely obvious, to a first timer reading hundreds of 
lines of "potentially" useful output, the critical bits are "buried in the 
noise" -- would it have really taken that long for you to say:

> Full Debug in formation
[...]
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=152, length=57
[...]
>   User-Name = "rudra"
>   User-Password = "rudra"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 10

This [hopefully obvious] section shows you what the server parsed out of the 
request

> users: Matched DEFAULT at 152

This important line tells you what the server believes to be the "user" to be 
validated

[...]
>   rad_check_password:  Found Auth-Type System

this important line tells us that we'll be looking up the user in the 
/etc/passwd file, i.e., we expect the user to be a regular user of the linux 
server itself

>   modcall[authenticate]: module "unix" returns notfound
> modcall: group authenticate returns notfound
> auth: Failed to validate the user.

and as you might imagine, we don't find a user called "rudra" in the system.

Things to check: [ok alan, this is where it gets subjective, and I'm sure for 
you overly repetitive -- NOW you can refer someone to a FAQ (if it's in 
there) and specifically WHERE in the FAQ to start looking]

  -- the conf file to figure out why the wrong authentication method was being 
used [i.e., "system"]
  -- the user's file to figure out why the user "rudra" wasn't found/matched
  -- any databases in use? properly configured? right "op" values?

Not the exact answer, but some directions for someone new to this to start 
looking...
-- 
Yet another Blog: http://osnut.homelinux.net
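
An added example, not part of the original thread and not FreeRADIUS code: a small Python triage script that pulls out of the debug output the same lines the walk-through above singles out, and redacts User-Password so the summary can be shared. The sample log is assembled from the lines quoted in the message; the function names and the hint wording are assumptions of this example.

```python
import re

# Sample debug output, assembled from the lines quoted in the message above
# (the "[...]" elisions are simply left out).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=152, length=57
    User-Name = "rudra"
    User-Password = "rudra"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
users: Matched DEFAULT at 152
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+?):(\d+), id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")
MATCHED = re.compile(r"^users: Matched (.+) at (\d+)$")
AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
MODULE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
FAILED = "auth: Failed to validate the user"

# Debug output carries cleartext secrets; never copy these into a summary.
SENSITIVE = {"User-Password", "CHAP-Password"}


def triage(log_text):
    """Return one summary dict per rad_recv request found in the debug output."""
    requests, cur, in_attrs = [], None, False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = RECV.match(line)
        if m:
            cur = {"packet": m.group(1), "source": m.group(2),
                   "id": int(m.group(4)), "attrs": {}, "matched": [],
                   "auth_type": None, "modules": [], "failed": False}
            requests.append(cur)
            in_attrs = True
            continue
        if cur is None:
            continue  # noise before the first request
        if in_attrs:
            m = ATTR.match(line)
            if m:
                name, value = m.group(1), m.group(2).strip('"')
                cur["attrs"][name] = "<redacted>" if name in SENSITIVE else value
                continue
            in_attrs = False  # first non-attribute line ends the block
        m = MATCHED.match(line)
        if m:
            cur["matched"].append((m.group(1), int(m.group(2))))
        m = AUTH_TYPE.search(line)
        if m:
            cur["auth_type"] = m.group(1)
        m = MODULE.search(line)
        if m:
            cur["modules"].append(m.groups())
        if line.startswith(FAILED):
            cur["failed"] = True
    return requests


def hints(req):
    """Turn a failed request into the checks suggested in the walk-through."""
    if not req["failed"]:
        return []
    out = []
    user = req["attrs"].get("User-Name")
    if user not in [name for name, _ in req["matched"]]:
        out.append(f"users file: no entry of its own matched for {user!r}")
    out.append(f"Auth-Type is {req['auth_type']}: check the configuration "
               "that selected this authentication method")
    for section, module, result in req["modules"]:
        if section == "authenticate" and result == "notfound":
            out.append(f'module "{module}" does not know this user')
    return out


if __name__ == "__main__":
    for req in triage(SAMPLE_LOG):
        print(req["packet"], "id", req["id"], "from", req["source"], req["attrs"])
        for hint in hints(req):
            print("  -", hint)
```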




RE: NAS under Linux with iptables.

2003-08-10 Thread Brynjar Hauksson
Look at www.nocat.net

It uses iptables to control access, and can be connected to freeradius




Kveðja / Best regards / ด้วยความคิดถึง
Brynjar Hauksson
ICQ#  15512204

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rio Martin.
Sent: Monday, August 11, 2003 12:20 PM
To: [EMAIL PROTECTED]
Subject: NAS under Linux with iptables.

Dear all,
I build and run Freeradius-0.9.0 under my Linux-2.4.21.
The plan is that I want to build a NAS under Linux with iptables on the same 
machine, together with the FreeRadius server. Please let me know if 
anyone on this list knows some kind of tool used to build a NAS under Linux with 
iptables.

Thanks ..
Regards,
Rio Martin.
-- 
Violence is the last refuge of the incompetent.
-- Salvor Hardin


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Newbie - need help urgently, help appreciated

2003-08-10 Thread Alan DeKok
Lee Puay Yong <[EMAIL PROTECTED]> wrote:
> 1.Does freeradius support LEAP authentication against ldap
> database.

  No.

> I tried to set authorize to LDAP and authentication to EAP but no
> progress so far (maybe I missed something). It will be nice if
> someone can send me a working copy of the radiusd.conf and the users
> file.

  If you can configure the server to do PAP authentication by using
LDAP for 'authorize', and NOT using LDAP for 'authenticate', then that
should also work for LEAP.

  Alan DeKok.



Re: FreeRadius Authentification Problem

2003-08-10 Thread Atanu Das
Hi Serg
----- Original Message -----
From: "Serg Shipaev" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 06, 2003 1:44 PM
Subject: Re: FreeRadius Authentification Problem


> Serg Shipaev wrote:
> 
> That's a trouble:
> secret keys in clients, clients.conf and in NAS server are the same!
> 
> I think that's a trouble of MS-CHAP (MD5 I think) authentification.
> The NAS client is a software of Cisco VoIP gateway type.
> 

what about the naslist file?

Atanu Das,
S S NetCom Pvt. Ltd.
Shillong
http://www.ssnetcom.com



Re: FreeRadius Authentification Problem

2003-08-10 Thread Alan DeKok
Serg Shipaev <[EMAIL PROTECTED]> wrote:
> Yes, I see it.
> But, I meant authentification process for NAS, not for any client of 
> this NAS.

  NASes are never authenticated.

> As I understand, of RADIUS authentification process,
> the 1-step is check NAS,
> then aaa for client of this NAS.

  Can you say where you got this idea from?  The RADIUS RFC's say
nothing about that.

  Alan DeKok.



RE: caller id ?

2003-08-10 Thread Fenn Bailey
> 
> check your detail files for Called-Station-Id
> 
> If you dont have the information in the detail files, then your NAS is
> not sending the information, may be because the lines attached are not
> configured to get called-id
> 

Actually, I think he means the detail stored in 'Calling-Station-Id':

Called-Station-Id: The number called by the client to connect to the NAS
(eg: The ISPs number)
Calling-Station-Id: The number of the client themselves.

Either way, the NAS/telephone system needs to be configured to provide all
these things before you can even worry about them in RADIUS.

Fenn.




CHAP - NT-Domain authentication

2003-08-10 Thread Klinger Christian
Hello List

I know this is an often discussed question! -sorry
;-))

But do you see any chance to authenticate with chap on a 
NT-Domain. 

- Maybe with a batch to export the passwords as cleartext!
- Or with a domain - ldap configuration

I don't know

Are there any tools (URL) which export the NT-Domain passwords in 
cleartext?

thx christian




Authentication, Authorization process

2003-08-10 Thread Bush Ng
Hello,

In FreeRADIUS, authorization is done before authentication. Is that a
proper sequence regarding the standard RADIUS concept?

For example, when a user mistypes the password, FreeRADIUS still sends
out the attributes to RADIUS client. Would that be an issue (ie,
security, loading, ...)?

Best Regards,
Bush




Re: Unknown Problem

2003-08-10 Thread Alan DeKok
"Jason Coutermarsh" <[EMAIL PROTECTED]> wrote:
> I'm using freeRadius with a Netgear ME103 wireless access point. I have
> the latest CVS build (as of Aug 8 afternoon). I first get an
> Access-Accept, and then it just seems to keep sending challenges. I
> can't find any errors in the log, so I don't know what to search for
> through the archives. Does anyone have any idea what's going on?

  The AP and/or the wireless client don't like the Access-Accept.
The only way to solve the problem is to figure out *why* they don't
like it.  And there's little to nothing you can look at on the server,
to debug problems with the AP/client.

  With the wireless clients I've used, I sometimes see it
authenticate, wait ~3 seconds, and try again.  The second time always
succeeds.

  Alan DeKok.



Re: checkrad always returning 0? --

2003-08-10 Thread Evren Yurtesen
well what I would do is printing something else to test if the checkrad 
script is working until there. like
print("hello");

:) and then just before
$telnet->print("list connections");
you can put like
sleep(60);
so it will sleep 60 seconds
so you can see if your user is already inside this netserver thing :) 
never seen one so...if its not there then you can be sure that checkrad 
is having trouble. If the user is not there but hello prints then
you will know there is a problem with the telnet connection.

you can not print $curline because its an array...
you can try
foreach $line (@curline) {
   print($line);
}
this would print each element of the currline array
so after you test these you can return back to me :)
by the way my icq number is 913003 if you would prefer that.
well I just canceled my previous email after I pressed send because 
there was a semicolon missing after print :) just be careful...

Evren

Ray wrote:

On Wednesday 06 August 2003 23:44, you wrote:

did you realize these?
# uncomment this if you use the standard
# prefixes
#$user =~ s/^[PSC]//;
#$user =~ s/\.(ppp|slip|cslip)$//;
we aren't using prefixes as far as i know.


you can perhaps put
print($user);
right after these and you should see all the users in the nas
from the output also you might figure out what is wrong
dont put it inside the if clause though :)
well you can let us know what you get?


tried putting a print $user in different places, and for some reason they 
don't print anything.  but then i don't know perl, so i might be doing this 
wrong too.  

while ($curprompt ne "\>") {
($curline, $curprompt) = $telnet->waitfor
( String => "\>",
 Timeout => 10);
$ok = $telnet->print("");
push @curlines, split(/^/m, $curline);
print($curline);
}
...
#
# Check to see if $user is already connected
#
print($user);
if ($user eq $ARGV[3]) {
and i modified the print statement about user not found just to make sure i'm 
editing the correct module and file.  (and i am)


what does the output of
list connections
command look like?
HiPer>> list connections

CONNECTIONS

Start   Start
IfName  User Name   Type   DLL  DateTime
slot:1/mod:1jd613   DIALIN PPP  06-AUG-2003 13:58:58  
slot:1/mod:2david   DIALIN PPP  06-AUG-2003 08:50:36  
slot:1/mod:3allonmy DIALIN PPP  06-AUG-2003 11:03:46  


Ray wrote:

On Wednesday 06 August 2003 22:13, you wrote:

for one thing, download latest release 0.9 something and try the
checkrad which comes inside...
then did you set etc/clients.conf and etc/naspasswd ? what did you set ?
the important thing is nastype login and password ...
what kind of nas do you have? etc. if you use snmp, did you try to see
manually if you can connect to nas? do you have ucd snmp...
and blah blah, and if you use telnet is Net::Telnet installed? perl
module...
etc/clients.conf and etc/naspassword are setup, but since i'm only
calling checkrad manually at this point, only the naspassword file has
any effect. i was getting an error about bad password before setting up
naspassword, but the error message and documentation already got me past
that problem.
nas: i'm told it is USR/Total Control, but when i manually telnet into it
and mimic the commands of the tc module, it doesn't do what it should. 
but the commands in the module for netserver are correct, so i'm using
that. as for Net::Telnet, it is installed (3.02)
snmp isn't being used since i'm not using a nas that checkrad needs snmp
for, i'm not sure which version of snmp i have, but it doesn't seem like
that would matter in this case where the modules are using telnet to
check the nas.


Ray wrote:

trying to setup Simultaneous-Use and it is working so far, but i haven't
successfully setup checkrad with it.
using freeRadius 0.8.1

checkrad -d netserver xx.xx.xx.4 366 user 22544538
and it keeps outputting
Returning 0 (login ok)
even when the user is on.
i'm using MySQL for accounting and using
NASIPAddress NASPortId UserName AcctSessionId

from radacct for the parameters to test checkrad

what should i check or change to get that working?




Re: Querry Regarding Radius server running

2003-08-10 Thread Rudramuni PH

Hi oliver

Thanks for your advice. Sorry for sending the same query again and again.
Can you tell me how to uninstall free-radius from Linux?

regards
rudra




What is the minimal attributes that must be in START, INTERIM UPDATE and STOP packets

2003-08-10 Thread Aime
Hello, 
I have no hardware NAS.
I am just writing a radius client in Perl, and I am
wondering what the radius server is expecting as
minimal attributes in check items to honour STOP,
INTERIM UPDATE AND STOP accounting requests.



--- Peter Nixon <[EMAIL PROTECTED]> wrote:
> On Fri August 8 2003 01:10, Aime wrote:
> >  Hello All,
> >
> >  What are the minimal attributes to use to issue
> >  START , INTERIM UPDATE and STOP radius packet ?
> 
> This is set on your NAS. Read the documentation for
> your NAS and it should 
> tell you how to enable these features.
> 
> -- 
> 
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
> 
> 


FR SQL flexibility

2003-08-10 Thread Sinisa Burina
Hello!

Is it possible, or could it be possible in the future to have users authenticated 
against different SQL tables/databases, optionally even with different queries, 
depending on values of auth request attributes? Some way of dynamic definition of 
currently statically defined SQL queries and table names would really enhance the 
overall functionality and flexibility. For example, in my company's wireless 
environment, I'd like to have two kinds of authentication - MAC and VPN, and instead 
of having two separate radius servers it would be much nicer to have just two 
different tables (one with MAC addresses and the other with VPN usernames/passwords) 
and to choose appropriate table based on, say, NAS-IP-Address attribute.

--
Best Regards,
Sinisa Burina






Re: Linux Freeradius-.0.9.0 and Enterasys compatibility

2003-08-10 Thread Arthur Palmer
[EMAIL PROTECTED] wrote:
> already accept-request, but It is still prompting for username and
> password. I think I have to put the attribute which is
> "Enterasys:mgmt=su:policy=admin" somewhere. Could you advise me where to
> put this attribute? I guess it makes sense if I put this in either
> clients.conf or users file, but not sure what the command is.


Hi Kiki,

I've got an Enterasys (Cabletron SmartSwitch 6000) running with the
following (example) entry in the users file:

Reader  Auth-Type := Local, User-Password == "readpass"
        Filter-Id = "Enterasys:version=1:mgmt=ro"

Writer  Auth-Type := Local, User-Password == "writepass"
        Filter-Id = "Enterasys:version=1:mgmt=rw"

admin   Auth-Type := Local, User-Password == "adminpass"
        Filter-Id = "Enterasys:version=1:mgmt=su"


maybe it's the entry you need...

Regards,
Arthur




RE: Debian compilation problems

2003-08-10 Thread Paul Hampson
> From: Nicolas Baradakis
> Sent: Thursday, 7 August 2003 7:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Debian compilation problems

> Jan Berkel wrote:
> > Sevcik Berndt wrote:
> > > checking for dbm_open in -lgdbm_compat... yes
> > > configure: warning: FAILURE: rlm_dbm requires:  (libndbm or libgdm).
> > > configure: error: set --without-rlm_dbm to disable it explicitly.
> > > configure: error: ./configure failed for src/modules/rlm_dbm
> > 
> > this happens when using a new version of libgdbm (libgdbm3), but 
> > apparently on some systems the package builds ok (if an old version is 
> > still installed and hasn't been removed).
> > 
> > try changing line 70 in src/modules/rlm_dbm/configure.in:
> > - if test "x$ac_cv_lib_gdbm_dbm_open" != "xyes"; then
> > + if test "x$ac_cv_lib_gdbm_compat_dbm_open" != "xyes"; then
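Review bot: Replacing the test on `ac_cv_lib_gdbm_dbm_open` with one on `ac_cv_lib_gdbm_compat_dbm_open` in this line makes the rlm_dbm check pass only when dbm_open is found in -lgdbm_compat, so a system where it was previously found through the other cache variable would now take the FAILURE branch. Assuming configure.in still probes both libraries, accept either result instead, for example `if test "x$ac_cv_lib_gdbm_dbm_open" != "xyes" && test "x$ac_cv_lib_gdbm_compat_dbm_open" != "xyes"; then`, and regenerate configure with autoconf afterwards.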
> 
> ... and after that run autoconf to generate a correct configure
> script.
> 
> It's the second time the problem shows up on the mailing lists, it
> would be nice if a maintainer of freeradius corrects it in the CVS.

From the description above, wouldn't this fix break attempts
to build with libgdbm2? Or was it just a typo the first time?

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Re: very short password expiry

2003-08-10 Thread Alan DeKok
"Desmond Rivet" <[EMAIL PROTECTED]> wrote:
> >   Try the CVS snapshot from tomorrow.  The EAP module has been
> >massively re-written since 0.9, and that problem should NOT be
> >occurring.
> 
> Massively re-written? Off the top of your head, do you know what major 
> things are different? Anyway, I'll try the newest CVS tree. Thanks.

  I can actually understand the code in the EAP module now.  I've
removed ~20% of it, and re-arranged & re-named the rest.  The result
is that the execution flow through the module is simpler to
understand, and generally better designed & implemented.

  There shouldn't be any externally visible changes, as the module
will still do EAP.

  Alan DeKok.



Re: Sample config on Redhat with proxy

2003-08-10 Thread Peter Nixon
On Wed August 6 2003 07:54, Michael Kearey wrote:
> Dick Lau wrote:
> > Hi All,
> >
> > This is my first time trying the radius server. May I ask who can post the
> > freeradius on redhat here? Or where can I find the details study manual?
> >
> > Thanks
>
> I found this
> http://people.redhat.com/twoerner/SRPMS/freeradius-0.8.1-6.src.rpm
>
> It's handy, though it is not an up-to-date version. You could use the rpm to
> base a build from new source.

There are up to date spec files for SuSE and RedHat as well as debian build 
files in the source tarball... It's really very easy :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Login-Time Question

2003-08-10 Thread Patrick
Hi,

I'm having an odd problem and I'm sure it's related to setup, I just can't seem to
spool up the problem.
I see that Login-Time can be specified in the USERS file where it seems to
work fine... I just can't seem to get it to work fine in the SQL database?
Can it run in the SQL database as an attribute? If it can, how do I do so?

Thanks

Patrick
XSInet

--

I live in my own little world. But it's OK. They know me here.






Problem whis simulteneous logins

2003-08-10 Thread Double
I am using Freeradius 0.8.1 and portslave.
User's online time I define in var "Session-Timeout".
"Session-Timeout" I get from billing system for each user
by script (Exec-Program-Wait).
I allow simultaneous logins with the same User Name.
So in such case user's online time must be less in 2 times.
How can I change Session-Timeout when one user is already
online and another one with the same UserName connects
to the server?

Please help me!
-- 
Technical Support Administrator
of "NARZAN" Network

Double  mailto:[EMAIL PROTECTED]



Re: checkrad always returning 0?

2003-08-10 Thread Evren Yurtesen
did you realize these?
# uncomment this if you use the standard
# prefixes
#$user =~ s/^[PSC]//;
#$user =~ s/\.(ppp|slip|cslip)$//;
you can perhaps put
print($user);
right after these and you should see all the users in the nas
from the output also you might figure out what is wrong
dont put it inside the if clause though :)
well you can let us know what you get?
what does the output of
list connections
command look like?
Evren
Ray wrote:

On Wednesday 06 August 2003 22:13, you wrote:

for one thing, download latest release 0.9 something and try the
checkrad which comes inside...
then did you set etc/clients.conf and etc/naspasswd ? what did you set ?
the important thing is nastype login and password ...
what kind of nas do you have? etc. if you use snmp, did you try to see
manually if you can connect to nas? do you have ucd snmp...
and blah blah, and if you use telnet is Net::Telnet installed? perl
module...


etc/clients.conf and etc/naspassword are setup, but since i'm only calling 
checkrad manually at this point, only the naspassword file has any effect.
i was getting an error about bad password before setting up naspassword, but 
the error message and documentation already got me past that problem.

nas: i'm told it is USR/Total Control, but when i manually telnet into it and 
mimic the commands of the tc module, it doesn't do what it should.  but the 
commands in the module for netserver are correct, so i'm using that.
as for Net::Telnet, it is installed (3.02)
snmp isn't being used since i'm not using a nas that checkrad needs snmp for, 
i'm not sure which version of snmp i have, but it doesn't seem like that 
would matter in this case where the modules are using telnet to check the nas.


Ray wrote:

trying to setup Simultaneous-Use and it is working so far, but i haven't
successfully setup checkrad with it.
using freeRadius 0.8.1

checkrad -d netserver xx.xx.xx.4 366 user 22544538
and it keeps outputting
Returning 0 (login ok)
even when the user is on.
i'm using MySQL for accounting and using
NASIPAddress NASPortId UserName AcctSessionId
from radacct for the parameters to test checkrad
what should i check or change to get that working?




Re: Authentication problems with EAP/TLS (and Enterasys)

2003-08-10 Thread Sevcik Berndt
nastype = other has not worked. The situation is the same as before. I
also do not have the possibility to use another AP.

Berndt


On Fri, 2003-08-08 at 13:33, diomedes wrote:
> Hi,
> Try to put in clients.conf, in the lines of the NAS the following attribute
> nastype   = other
> 
> I had a similar problem and with that line all goes perfectly ( or nearly)
> 
> Good luck
> 
> Other possibility is to try authenticate with the same configuration but 
> with other AP, if it's possible.
> 
> Regards.
> Omar
> 
> 
> Sevcik Berndt wrote:
> 
> >I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access
> >Point with freeradius. But the client get never authenticated. My
> >problem that I have no idea where I should search for the error. I used
> >the www.impossiblereflex.xom/8021x/eap-tls-HOWTO.htm Howto for setup.
> >
> >Output from freeradius -X -A:
> >Ready to process requests.
> >rad_recv: Access-Request packet from host 10.0.4.14:1205, id=253,
> >length=116
> >Message-Authenticator = 0x78a9e48d042ad1f7109083edf2b3146d
> >User-Name = "Sevcik Berndt"
> >NAS-IP-Address = 10.0.4.14
> >NAS-Port = 2
> >NAS-Port-Type = Wireless-802.11
> >Calling-Station-Id = "00-01-f4-ec-3d-7c"
> >EAP-Message = 0x024400120153657663696b204265726e6474
> >Framed-MTU = 1000
> >modcall: entering group authorize
> >  modcall[authorize]: module "preprocess" returns ok
> >  rlm_eap: EAP packet type response id 68 length 18
> >  rlm_eap: EAP Start not found
> >  modcall[authorize]: module "eap" returns updated
> >rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm
> >NULL
> >rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop
> >users: Matched DEFAULT at 152
> >users: Matched Sevcik Berndt at 216
> >  modcall[authorize]: module "files" returns ok
> >modcall: group authorize returns updated
> >  rad_check_password:  Found Auth-Type EAP
> >auth: type "EAP"
> >modcall: entering group authenticate
> >  rlm_eap: EAP Identity
> >  rlm_eap: processing type tls
> >  rlm_eap_tls: Initiate
> >  rlm_eap_tls: Start returned 1
> >  modcall[authenticate]: module "eap" returns handled
> >modcall: group authenticate returns handled
> >Sending Access-Challenge of id 253 to 10.0.4.14:1205
> >EAP-Message = 0x014500060d20
> >Message-Authenticator = 0x
> >State = 0x1c0ccba6d22ad97dab13096d340f0290
> >Finished request 0
> >Going to the next request
> >--- Walking the entire request list ---
> >Waking up in 6 seconds...
> >rad_recv: Access-Request packet from host 10.0.4.14:1205, id=254,
> >length=196
> >Message-Authenticator = 0x31199cd93954566ea164f46ce86d6b59
> >User-Name = "Sevcik Berndt"
> >State = 0x1c0ccba6d22ad97dab13096d340f0290
> >NAS-IP-Address = 10.0.4.14
> >NAS-Port = 2
> >NAS-Port-Type = Wireless-802.11
> >Calling-Station-Id = "00-01-f4-ec-3d-7c"
> >Framed-MTU = 1000
> >EAP-Message =
> >0x024500500d8000461603010041013d03013f3371da3a9bab75032c2c86afd3288de5d42d63265b6afe930d235a87d1df9a1600040005000a000900640062000300060013001200630100
> >modcall: entering group authorize
> >  modcall[authorize]: module "preprocess" returns ok
> >  rlm_eap: EAP packet type response id 69 length 80
> >  rlm_eap: EAP Start not found
> >  modcall[authorize]: module "eap" returns updated
> >rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm
> >NULL
> >rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop
> >users: Matched DEFAULT at 152
> >users: Matched Sevcik Berndt at 216
> >  modcall[authorize]: module "files" returns ok
> >modcall: group authorize returns updated
> >  rad_check_password:  Found Auth-Type EAP
> >auth: type "EAP"
> >modcall: entering group authenticate
> >  rlm_eap: Request found, released from the list
> >  rlm_eap: EAP_TYPE - tls
> >  rlm_eap: processing type tls
> >  rlm_eap_tls: Authenticate
> >  rlm_eap_tls: processing TLS
> >rlm_eap_tls:  Length Included
> >  eaptls_verify returned 11
> >undefined: before/accept initialization
> >TLS_accept: before/accept initialization
> >  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> >TLS_accept: SSLv3 read client hello A
> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> >TLS_accept: SSLv3 write server hello A
> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 063c], Certificate
> >TLS_accept: SSLv3 write certificate A
> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest
> >TLS_accept: SSLv3 write certificate request A
> >TLS_accept: SSLv3 flush data
> >TLS_accept:error in SSLv3 read client certificate A
> >rlm_eap_tls: SSL_read Error
> > Error code is . 2
> > SSL Error . 2
> >In SSL Handshake Phase
> >In SSL Accept mode
> >  eaptls_process returned 13
> >  modcall[authenticate]: module "eap" returns handl

Re: EAP and MAC Authentication worked once but it didn't twice.

2003-08-10 Thread Ivan Dario Barrera

Thanks a lot Alan.
It is working now.

I still don't understand, why if I leave the command "Auth-Type: EAP" the
request packets are different and they have different information. I saw
that, but I thought it was something wrong with the certificates and I spent
lot of time with SSL.

Any clue about the difference between the requests? Since I only removed the
"Auth-type", Is the communication Client-Server different?

I will check more on EAP; if you have good literature to recommend, I would
appreciate it.

Thank you a lot once again.

Ivan Barrera

