Re: PEAP problem - HELP PLEASE
Thanks everyone for your help. Yes Brian, you are right, I made a mistake when I wrote my users entry in the last mail! I wanted to say:

ourson User-password = "testtest"

In fact you're right that the = is better replaced by == here. But in reality, I didn't put any space in my user password. I tried to put this entry:

ourson User-Password == "a"
       Reply-Message = " YSS, %u"

With this, I thought that if authentication were bad, my reply message wouldn't appear, isn't that right? But in fact, I still have the same error, but in the response I have my reply message! It's very strange. Here are my last logs:

rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, authentication failed.
  rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [ourson/] (from client AP1 port 37 cli 000af49c507f)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 113 to 192.168.1.2:3186
        Reply-Message = " yeess"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 113 with timestamp 3fdf0ed2
Nothing to do.  Sleeping until we see a request.

I really don't understand how radiusd can say "Identity does not match User-Name, authentication failed" and [ourson/] ... It seems that no password is sent from my supplicant..?? I tried to do radtest from another unix machine and it works:

...
rad_recv: Access-Request packet from host 192.168.1.1:32769, id=85, length=58
        User-Name = "ourson"
        User-Password = "a"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
  rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "ourson", looking up realm NULL
    rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
    users: Matched ourson at 97
modcall[authorize]: module "files" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns ok for request 6
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat: ' YSS, ourson'
Sending Access-Accept of id 85 to 192.168.1.1:32769
        Reply-Message = " YSS, ourson"
Finished request 6
Going to the next request
--- Walking the entire request list ---
Cleaning up request 5 ID 170 with timestamp 3fdf22be
Waking up in 6 seconds...

I think that freeradius is well configured and it must be a Windows or Access Point problem, don't you think so? Please, if someone knows or just has an idea, tell me!!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP problem - HELP PLEASE
Hi Alan! Thanks for your help. I did what you told me, but it seems that it wasn't the only error I made... I put in the users file:

ourson User-Password = " testtest"

and my user on the XP supplicant is also the same, but authentication is still impossible! I really don't understand, because the same error message appears even if I change the users file as I showed you before. I am asking myself which options must be put in the MS-CHAP module (in radiusd.conf)? I didn't change any options on the MS-CHAP module (use_mppe, require_encryption, require_strong with a # before), but is it necessary?? (I tried quickly to set these options = yes, but I had the same results.) If you have any idea about what is wrong with my configuration, please tell me! Here are my logs with the beginning of freeradius when it's launched:

+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/sauv-certif/cert/new/serveur6.pem"
 tls: certificate_file = "/sauv-certif/cert/new/serveur6.pem"
 tls: CA_file = "/sauv-certif/cert/new/root.pem"
 tls: private_key_password = "saucisson"
 tls: dh_file = "/sauv-certif/cert/new/dh"
 tls: random_file = "/sauv-certif/cert/new/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files:
PEAP problem - HELP PLEASE
Hello everybody! I am trying to make secure wireless access using PEAP, but I have a problem during authentication. I had successfully configured the TLS module, and all works fine. But when I want to have a PEAP authentication, there is a problem. In fact, could someone try to look at my log and tell me where my problem is? It would be great! Another point is the configuration of the users file for PEAP. I've read the list but nobody gave a real answer to this question.. how does this file have to be configured?? I tried:

Auth-type := EAP , User-password == " xxx"

or

Auth-type := Local , User-password == " xxx"

or ... I don't really know which syntax is right for PEAP authentication.. maybe my problem is here? Thank you for your help! Here are my logs:

...
auth: type "EAP"
modcall: entering group authenticate for request 15
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.
  rlm_eap_peap: Identity - NOMADE\ourson
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
  PEAP: Got tunneled identity of NOMADE\ourson
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Sending tunneled request
        EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
        Freeradius-Proxied-To = 127.0.0.1
        User-Name = "NOMADE\\ourson"
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 15
  rlm_eap: EAP packet type response id 129 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
    rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
    rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 15
modcall[authorize]: module "files" returns notfound for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 15
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
  rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
  PEAP: Got tunneled reply RADIUS code 11
        EAP-Message = 0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e
        Message-Authenticator = 0x
        State = 0xc2efbd051aa877ec625ee103a4a76b76
  PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 158 to 192.168.1.2:2462
        EAP-Message = 0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f
        Message-Authenticator = 0x
        State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159, length=250
        User-Name = "NOMADE\\ourson"
        Cisco-AVPair = "ssid=bebe"
        NAS-IP-Address = 192.168.1.2
        Called-Station-Id = "00409656deff"
        Calling-Station-Id = "000af49c507f"
        NAS-Identifier = "AP350-56deff"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367
        Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module "auth_log" returns ok for request 16
  rlm_eap: EAP packet type response id 130 length 88
  rlm_eap: No EAP Start, assuming it's an
Re: Compilation Problem using EAP/TLS
Hello, your snapshot version of freeradius isn't the one that is mentioned in the HOWTO, and the syntax is different on this new version! I had the same problem as you, and I tested with the snapshot of the HOWTO. If you use it, you will see that your errors will disappear and your TLS tunnel will work. But I would be very interested in which syntax and options could be used for new snapshots?? Of course it's not those in the HOWTO, because I tried so many times without results! If someone knows about it?

> (RedHat 6.2) Using the CVS snapshot from 20031208, I configured the
> MakeFile file in src/modules/rlm_eap/types/rlm_eap_tls to match the
> documentation provided by Raymond McKay at
> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#7. Nothing
> existed in the MakeFile when I accessed it with pico. The current text
> is:
>
> TARGET = rlm_eap_tls
> SRCS = rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
> RLM_CFLAGS = $(INCLTDL) -I../.. -I/usr/local/openssl/include
> HEADERS = eap_tls.h
> RLM_INSTALL =
> RLM_LDFLAGS += -L/usr/local/openssl/lib
>
> RLM_LIBS += -lssl -lcrypto
>
> $(STATIC_OBJS): $(HEADERS)
> $(DYNAMIC_OBJS): $(HEADERS)
>
> RLM_DIR=../../
> include ${RLM_DIR}../rules.mak
>
>
> I have triple checked that the directories provided
> (/usr/local/openssl/include and lib) are the valid paths to the
> openssl-SNAP installation. Upon building freeRADIUS, however, when the
> MakeFile is reached, errors occur and the process aborts.
>
> I have installed freeRADIUS on this machine previously and am planning
> on installing right over the top of the 0.9.3 build so I can use
> PEAP/MSCHAPv2. Any ideas why this is failing?
>
> One other tidbit: Raymond's HOWTO has one check on installation of
> openssl-SNAP-20021027 "that libssl.so and libssl.so.0 are sym linked to
> libssl.so.0.9.8 and that libcrypto.so libcrypto.so.0 are sym linked to
> libcrypto.so.0.9.8" What is sym linked? Libcrypto.so.0.9.8 and
> libssl.so.0.9.8 exist, but libssl.so, libssl.so.0, libcrypto.so, and
> libcrypto.so.0 are not contained within /lib.
>
> Perhaps this is my problem?
>
> Thanks,
> Justin
Problem with EAP-TLS authentication
Hello, I am trying to configure a wireless communication network using authentication with Freeradius. I have already configured one client, my access point (Cisco Aironet), and my freeradius server to use TLS authentication. I took the EAP/TLS authentication HOW-TO, and I tried to do exactly what was said inside (with the version of freeradius referenced there and the 3 versions of openssl). But it seems that I made a mistake somewhere, my authentication doesn't work! I tried to understand and it seems to be related to SSL. I caught just a little part of my logs, in order to show you. If someone could tell me where I made a mistake, it would be great! Thank you for your help!

---
...
<<< TLS 1.0 Handshake [length 02af], Certificate
chain-depth=1, error=0
--> User-Name = ourson
--> BUF-Name = server1
--> subject = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> issuer = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
chain-depth=0, error=0
--> User-Name = ourson
--> BUF-Name = ourson
--> subject = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=ourson/[EMAIL PROTECTED]
--> issuer = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
TLS_accept: SSLv3 read client certificate A
<<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
<<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
<<< TLS 1.0 ChangeCipherSpec [length 0001]
<<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
Error code is . 2
SSL Error . 2
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [ourson/] (from client AP1 port 37 cli 000af49c507f)
Sending Access-Challenge of id 118 to 192.168.1.2:1142
        EAP-Message = "\001\254\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000 \253d\\\300\247n!O\037\304\023\375\241\256$\202\304\257&ZJ\266\211\315\226\243V\221\246\274\345\375"
        Message-Authenticator = 0x
        State = 0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
Finished request 15
Going to the next request
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119, length=208
        User-Name = "ourson"
        Cisco-AVPair = "ssid=bebe"
        NAS-IP-Address = 192.168.1.2
        Called-Station-Id = "00409656deff"
        Calling-Station-Id = "000af49c507f"
        NAS-Identifier = "AP350-56deff"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = "\002\254\000!\r\200\000\000\000\027\025\003\001\000\022\334\207\370Z\010\276] (from client AP1 port 37 cli 000af49c507f)
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 192.168.1.2:1143
        EAP-Message = "\004\254\000\004"
        Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 114 with timestamp 3fd49b6b
Cleaning up request 12 ID 115 with timestamp 3fd49b6b
Cleaning up request 13 ID 116 with timestamp 3fd49b6b
Cleaning up request 14 ID 117 with timestamp 3fd49b6b
Cleaning up request 15 ID 118 with timestamp 3fd49b6b
Cleaning up request 16 ID 119 with timestamp 3fd49b6b
Nothing to do.  Sleeping until we see a request.
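Decoding the EAP-Message values that radiusd -X printed in the PEAP thread (0x hex form) and in the EAP-TLS thread just above (C-string form with octal escapes). This is an added example written for this archive page; it is not code from any of the posts and not FreeRADIUS code. The packet strings are copied verbatim from the logs; the function names, the two log-format decoders and the truncation flag are my own. Decoded this way, the tunneled Identity and the EAP-MSCHAPv2 Challenge in the PEAP thread both carry the name NOMADE\ourson while the users entry being tested there is ourson, which is what the `module "files" returns notfound` line is reporting for the inner request. In the EAP-TLS thread the Access-Challenge payload is the server's ChangeCipherSpec record followed by a 32-byte encrypted Finished record, the client reply that was cut off in the archive starts with a TLS Alert record (content type 21), and the Access-Reject carries an EAP Failure.

```python
"""Decode EAP-Message attributes as printed in radiusd -X output.

Added example for this thread, not FreeRADIUS code.  The packet strings are
copied from the posts above; the labels and helper functions are mine.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
C_ESCAPES = {"r": 0x0D, "n": 0x0A, "t": 0x09, "\\": 0x5C, '"': 0x22}

def from_log_hex(text):
    """Hex form (0x...) as in the PEAP thread."""
    return bytes.fromhex(text[2:] if text.startswith("0x") else text)

def from_log_octal(text):
    """C-string form with \\ooo escapes as in the EAP-TLS thread."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i])); i += 1
        elif text[i + 1] in C_ESCAPES:
            out.append(C_ESCAPES[text[i + 1]]); i += 2
        else:
            j = i + 1
            while j < len(text) and j < i + 4 and text[j] in "01234567":
                j += 1
            if j == i + 1:
                raise ValueError("bad escape at offset %d" % i)
            out.append(int(text[i + 1:j], 8)); i = j
    return bytes(out)

def decode_log_message(text):
    return from_log_hex(text) if text.startswith("0x") else from_log_octal(text)

def split_nt_domain(identity):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); a bare user name has no domain."""
    domain, sep, user = identity.rpartition("\\")
    return (domain, user) if sep else (None, identity)

def parse_tls_records(data):
    """TLS record headers inside an EAP-TLS/PEAP payload.  A record whose body is
    shorter than its declared length is flagged (EAP fragment, or a log line
    that was cut, as in the last post)."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        records.append({"type": TLS_CONTENT.get(ctype, ctype), "version": (major, minor),
                        "length": length, "truncated": len(body) < length})
        off += 5 + length
    return records

def parse_eap(pkt):
    """RFC 3748 header plus the EAP types that occur in the logs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(pkt) < length, "type": None}
    if len(pkt) < 5:                      # Success/Failure carry no type byte
        return info
    etype, body = pkt[4], pkt[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                        # Identity (the inner PEAP user name)
        info["identity"] = body.decode("utf-8", "replace")
        info["domain"], info["user"] = split_nt_domain(info["identity"])
    elif etype == 26:                     # EAP-MSCHAPv2, opcode 1 = Challenge
        opcode, ms_id, ms_len, vsize = struct.unpack("!BBHB", body[:5])
        info.update(opcode=opcode, ms_id=ms_id, ms_length=ms_len,
                    challenge=body[5:5 + vsize].hex(),
                    name=body[5 + vsize:].decode("utf-8", "replace"))
    elif etype in (13, 25):               # EAP-TLS / PEAP: flags [length] TLS data
        flags, rest = body[0], body[1:]
        info.update(L=bool(flags & 0x80), M=bool(flags & 0x40), S=bool(flags & 0x20),
                    version=flags & 0x07, tls_length=None)
        if info["L"]:
            info["tls_length"], rest = struct.unpack("!I", rest[:4])[0], rest[4:]
        info["records"] = parse_tls_records(rest)
    return info

# Copied from the logs above; only the labels are mine.
PEAP_INNER_IDENTITY = "0x02810012014e4f4d4144455c6f7572736f6e"
PEAP_INNER_MSCHAPV2 = ("0x018200271a01820022104c50168820c00ade9de928725f57b296"
                       "4e4f4d4144455c6f7572736f6e")
PEAP_OUTER_CHALLENGE = ("0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0"
                        "eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f")
EAPTLS_SERVER_FINISHED = (r"\001\254\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001"
                          r"\000 \253d\\\300\247n!O\037\304\023\375\241\256$\202\304\257&ZJ\266"
                          r"\211\315\226\243V\221\246\274\345\375")
EAPTLS_CLIENT_REPLY_CUT = r"\002\254\000!\r\200\000\000\000\027\025\003\001\000\022\334\207\370Z\010\276]"
EAPTLS_REJECT = r"\004\254\000\004"
SAMPLES = [("PEAP inner Identity", PEAP_INNER_IDENTITY),
           ("PEAP inner MSCHAPv2 Challenge", PEAP_INNER_MSCHAPV2),
           ("PEAP outer Access-Challenge", PEAP_OUTER_CHALLENGE),
           ("EAP-TLS server ChangeCipherSpec/Finished", EAPTLS_SERVER_FINISHED),
           ("EAP-TLS client reply (cut in the log)", EAPTLS_CLIENT_REPLY_CUT),
           ("EAP-TLS Failure in Access-Reject", EAPTLS_REJECT)]

if __name__ == "__main__":
    for label, text in SAMPLES:
        print(label, parse_eap(decode_log_message(text)))
```

The parser checks every declared length against the bytes actually present instead of trusting the header, so a cut log line or a fragmented EAP-TLS message shows up as truncated rather than raising; split_nt_domain is there because the PEAP inner name arrives with the NT domain prefix while the radtest in the same thread was run with the bare name.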