Re: PEAP problem - HELP PLEASE

2003-12-17 Thread garelli
Thanks everyone for your help,
yes Brian, you are right, I made a mistake when I wrote my users entry in
the last mail! I wanted to say:

ourson User-password = "testtest"

In fact you're right about the =, which is better replaced by == here.
But in reality, I didn't put any space in my user password.
I tried to put this entry:

ourson  User-Password == "a"
Reply-Message = " YSS, %u"

With this, I thought that if authentication were bad, my reply message
wouldn't appear, isn't that right?
But in fact, I still have the same error, but in the response I have my
reply message! It's very strange.
Here are my last logs:


 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, authentication failed.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [ourson/] (from client AP1 port 37 cli 000af49c507f)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 113 to 192.168.1.2:3186
Reply-Message = " yeess"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 113 with timestamp 3fdf0ed2
Nothing to do.  Sleeping until we see a request.

I really don't understand how radiusd can say: "Identity does not match
User-Name, authentication failed" and [ourson/] ... It seems that no password is sent from my supplicant..??

I tried to do radtest from another unix machine and it works:

...
rad_recv: Access-Request packet from host 192.168.1.1:32769, id=85, length=58
User-Name = "ourson"
User-Password = "a"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 6
rlm_realm: No '@' in User-Name = "ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
users: Matched ourson at 97
  modcall[authorize]: module "files" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns ok for request 6
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  ' YSS, ourson'
Sending Access-Accept of id 85 to 192.168.1.1:32769
Reply-Message = " YSS, ourson"
Finished request 6
Going to the next request
--- Walking the entire request list ---
Cleaning up request 5 ID 170 with timestamp 3fdf22be
Waking up in 6 seconds...

I think that freeradius is well configured and it must be a Windows or
Access Point problem, don't you think so?
Please, if someone knows or just has an idea, tell me!!

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP problem - HELP PLEASE

2003-12-16 Thread garelli
Hi Alan!
Thanks for your help.
I did what you told me, but it seems that it wasn't the only error I made...
I put in the users file:

ourson  User-Password = " testtest"

and my user on the XP supplicant is also the same, but authentication is
still impossible! I really don't understand because the same error message
appears even if I change the users file as I showed you before.
I am asking myself which options must be put on the MS-CHAP module
(in radiusd.conf)?
I didn't change any options on the MS-CHAP module (use_mppe,
require_encryption, require_strong with a # before), but is it necessary??
(I quickly tried setting these options to yes, but I had the same results.)
If you have any idea about what is wrong with my configuration, please
tell me! Here are my logs, with the startup output of freeradius when it's
launched:


+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/sauv-certif/cert/new/serveur6.pem"
tls: certificate_file = "/sauv-certif/cert/new/serveur6.pem"
 tls: CA_file = "/sauv-certif/cert/new/root.pem"
 tls: private_key_password = "saucisson"
 tls: dh_file = "/sauv-certif/cert/new/dh"
 tls: random_file = "/sauv-certif/cert/new/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: 

PEAP problem - HELP PLEASE

2003-12-15 Thread garelli
Hello everybody!
I am trying to make a secure wireless access using PEAP, but I have a
problem during authentication.
I had successfully configured the TLS module, and all worked fine.
But when I want to have a PEAP authentication, there is a problem.
In fact, could someone try to look at my log, and tell me where my
problem is? It would be great!
Another point is the configuration of the users file, for PEAP. I've read
the list but nobody gave a real answer to this question.. how does this file
have to be configured?? I tried:
 Auth-type := EAP , User-password == " xxx"
or
 Auth-type := Local , User-password == " xxx"
or ...
I don't really know which syntax is good for PEAP
authentication... maybe my problem is here?
Thank you for your help!

Here are my logs:

...
auth: type "EAP"
modcall: entering group authenticate for request 15
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled
attributes.

  rlm_eap_peap: Identity - NOMADE\ourson
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
  PEAP: Got tunneled identity of NOMADE\ourson
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Sending tunneled request
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = "NOMADE\\ourson"
modcall: entering group authorize for request 15
  modcall[authorize]: module "preprocess" returns ok for request 15
radius_xlat: 
'/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
  modcall[authorize]: module "auth_log" returns ok for request 15
  rlm_eap: EAP packet type response id 129 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 15
rlm_realm: No '@' in User-Name = "NOMADE\ourson", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 15
  modcall[authorize]: module "files" returns notfound for request 15
modcall: group authorize returns updated for request 15
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 15
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
  PEAP: Got tunneled reply RADIUS code 11
EAP-Message =
0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e
Message-Authenticator = 0x
State = 0xc2efbd051aa877ec625ee103a4a76b76
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 158 to 192.168.1.2:2462
EAP-Message =
0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f
Message-Authenticator = 0x
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159,
length=250
User-Name = "NOMADE\\ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367
Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290
modcall: entering group authorize for request 16
  modcall[authorize]: module "preprocess" returns ok for request 16
radius_xlat: 
'/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
  modcall[authorize]: module "auth_log" returns ok for request 16
  rlm_eap: EAP packet type response id 130 length 88
  rlm_eap: No EAP Start, assuming it's an 
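The three posts above turn on the same few debug lines: the "Identity does not match User-Name" failure and the `[ourson/]` login line in the 2003-12-17 log, the tunneled identity `NOMADE\ourson` in the 2003-12-15 log, and the 2003-12-16 startup dump that prints `private_key_password` in clear. The script below is an added example, not code from the thread or from FreeRADIUS: it pulls those lines out of `radiusd -X` output, compares the outer User-Name with the identity seen inside the PEAP tunnel (stripping a `DOMAIN\` prefix of the kind a Windows supplicant adds), flags login-failure lines whose password field is empty, and redacts the key password before the log is pasted to a list. The sample log is constructed from the shapes of the quoted lines, the identity comparison is a heuristic of mine, and the password value is a placeholder.

```python
"""Triage helper for FreeRADIUS `radiusd -X` debug output.

Added example, not code from the thread or from FreeRADIUS. The line shapes
come from the debug output quoted in the posts; the findings are heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on lines quoted in the 2003-12-15, 2003-12-16
# and 2003-12-17 posts (not a verbatim copy; the key password is a placeholder).
SAMPLE_LOG = """\
 tls: private_key_password = "EXAMPLE-PLACEHOLDER"
 preprocess: with_ntdomain_hack = no
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159, length=250
User-Name = "ourson"
NAS-Identifier = "AP350-56deff"
  rlm_eap_peap: Identity - NOMADE\\ourson
  PEAP: Got tunneled identity of NOMADE\\ourson
rlm_eap: Identity does not match User-Name, authentication failed.
  modcall[authenticate]: module "eap" returns invalid for request 0
Login incorrect: [ourson/] (from client AP1 port 37 cli 000af49c507f)
"""

USER_NAME_RE = re.compile(r'^\s*User-Name = "(.*)"\s*$')
TUNNELED_ID_RE = re.compile(r'PEAP: Got tunneled identity of (\S+)')
MISMATCH_RE = re.compile(r'rlm_eap: Identity does not match User-Name')
LOGIN_FAIL_RE = re.compile(r'Login incorrect: \[([^/\]]*)/([^\]]*)\]')
NTDOMAIN_RE = re.compile(r'with_ntdomain_hack = (yes|no)')
SECRET_RE = re.compile(r'(private_key_password = ")([^"]*)(")')


def strip_nt_domain(identity: str) -> str:
    """Drop a leading 'DOMAIN\\' prefix of the kind a Windows supplicant sends."""
    _domain, sep, user = identity.partition("\\")
    return user if sep else identity


@dataclass
class Triage:
    outer_user_names: List[str] = field(default_factory=list)
    tunneled_identities: List[str] = field(default_factory=list)
    identity_mismatch: bool = False
    login_failures: List[Tuple[str, str]] = field(default_factory=list)  # (user, password field)
    ntdomain_hack: Optional[str] = None
    secret_lines: List[int] = field(default_factory=list)


def parse_debug_log(text: str) -> Triage:
    """Collect the identity, login-failure, ntdomain and secret lines from a -X log."""
    t = Triage()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if m := USER_NAME_RE.match(line):
            # radiusd prints a backslash inside an attribute value as "\\"
            t.outer_user_names.append(m.group(1).replace("\\\\", "\\"))
        elif m := TUNNELED_ID_RE.search(line):
            t.tunneled_identities.append(m.group(1))
        elif MISMATCH_RE.search(line):
            t.identity_mismatch = True
        elif m := LOGIN_FAIL_RE.search(line):
            t.login_failures.append((m.group(1), m.group(2)))
        elif m := NTDOMAIN_RE.search(line):
            t.ntdomain_hack = m.group(1)
        elif SECRET_RE.search(line):
            t.secret_lines.append(lineno)
    return t


def findings(t: Triage) -> List[str]:
    """Turn the collected lines into short, explainable observations."""
    out: List[str] = []
    if t.identity_mismatch:
        outer = t.outer_user_names[-1] if t.outer_user_names else None
        inner = t.tunneled_identities[-1] if t.tunneled_identities else None
        if outer and inner and outer != inner:
            msg = f"outer User-Name {outer!r} differs from tunneled identity {inner!r}"
            if strip_nt_domain(outer) == strip_nt_domain(inner):
                msg += " (they differ only by the NT domain prefix"
                if t.ntdomain_hack is not None:
                    msg += f"; with_ntdomain_hack = {t.ntdomain_hack}"
                msg += ")"
            out.append(msg)
        else:
            out.append("rlm_eap reported an identity mismatch")
    for user, password_field in t.login_failures:
        if password_field == "":
            out.append(f"Login incorrect for {user!r} with an empty password field: "
                       "normal for EAP, the password travels inside the tunnel, not as User-Password")
    if t.secret_lines:
        out.append(f"private_key_password appears in clear on line(s) {t.secret_lines}; "
                   "redact before sharing the log")
    return out


def redact(text: str) -> str:
    """Replace the TLS key password value before the log leaves the machine."""
    return SECRET_RE.sub(r'\1<redacted>\3', text)


if __name__ == "__main__":
    triage = parse_debug_log(SAMPLE_LOG)
    for item in findings(triage):
        print("-", item)
    print(redact(SAMPLE_LOG))
```

The empty field in `Login incorrect: [ourson/]` is the User-Password slot of that log line; with EAP the outer Access-Request carries no User-Password, because the MS-CHAPv2 exchange runs inside the TLS tunnel, so an empty field there is not evidence that the supplicant sent nothing. radtest succeeds because it sends a plain User-Password, which the files module checks directly (`auth: type Local` in the 2003-12-17 log). The script reports the NT domain prefix difference and the current `with_ntdomain_hack` value as context only; it does not claim which setting is right for this setup.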

Re: Compilation Problem using EAP/TLS

2003-12-10 Thread garelli
Hello,
your snapshot version of freeradius isn't the one that is mentioned in the
HOWTO, and the syntax is different on this new version! I had the same
problem as you, and I tested with the snapshot of the HOWTO. If you use
it, you will see that your errors will disappear and your TLS tunnel will
work.
But I would be very interested in which syntax and options could be
used for new snapshots?? Of course it's not those in the HOWTO, because
I tried so many times without results! Does someone know about it?



> (RedHat 6.2)Using the CVS snapshot from 20031208, I configured the
> MakeFile file in src/modules/rlm_eap/types/rlm_eap_tls to match the
> documentation provided by Raymond McKay at
> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#7.  Nothing
> existed in the MakeFile when I accessed it with pico.  The current text
> is:
>
> TARGET = rlm_eap_tls
> SRCS = rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
> RLM_CFLAGS = $(INCLTDL) -I../.. -I/usr/local/openssl/include
> HEADERS = eap_tls.h
> RLM_INSTALL =
> RLM_LDFLAGS += -L/usr/local/openssl/lib
>
> RLM_LIBS += -lssl -lcrypto
>
> $(STATIC_OBJS): $(HEADERS)
> $(DYNAMIC_OBJS): $(HEADERS)
>
> RLM_DIR=../../
> include ${RLM_DIR}../rules.mak
>
>
> I have triple checked that the directories provided
> (/usr/local/openssl/include and lib) are the valid paths to the
> openssl-SNAP installation.  Upon building freeRADIUS, however, when the
> MakeFile is reached, errors occur and the process aborts.
>
> I have installed freeRADIUS on this machine previously and am planning
> on installing right over the top of the 0.9.3 build so I can use
> PEAP/MSCHAPv2.  Any ideas why this is failing?
>
> One other tidbit:  Raymond's HOWTO has one check on installation of
> openssl-SNAP-20021027 "that libssl.so and libssl.so.0 are sym linked to
> libssl.so.0.9.8 and that libcrypto.so libcrypto.so.0 are sym linked to
> libcrypto.so.0.9.8"  What is sym linked?  Libcrypto.so.0.9.8 and
> libssl.so.0.9.8 exist, but libssl.so, libssl.so.0, libcrypto.so, and
> libcrypto.so.0 are not contained within /lib.
>
> Perhaps this is my problem?
>
> Thanks,
> Justin
>


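The quoted HOWTO check ("libssl.so and libssl.so.0 are sym linked to libssl.so.0.9.8 ...") asks that the unversioned library names be symbolic links, filesystem entries that point at another path, resolving to the versioned file, so that `-lssl` and `-lcrypto` in the Makefile find the snapshot build. The script below is an added example, not from the thread or the HOWTO: it checks a library directory for exactly that layout and tells apart the cases that look alike in `ls` (name missing, a copied file instead of a link, a link pointing at a version that is not there). The expected names and the 0.9.8 version come from the quoted sentence; the demo directory it builds is constructed, with empty files standing in for the libraries.

```python
"""Check the OpenSSL shared-library symlink layout asked for in the EAP/TLS HOWTO.

Added example, not from the thread or the HOWTO. Assumed: libssl.so and
libssl.so.0 (and the libcrypto pair) must be symlinks that resolve to the
versioned 0.9.8 file, either as a chain or both pointing straight at it.
"""
import os
import tempfile
from typing import Dict, List

# Names and version from the HOWTO sentence quoted in the thread.
EXPECTED = {"libssl": "0.9.8", "libcrypto": "0.9.8"}


def check_library_links(libdir: str, libs: Dict[str, str] = EXPECTED) -> List[str]:
    """Return a sorted list of problems; an empty list means the layout is right."""
    problems: List[str] = []
    for base, version in libs.items():
        real = os.path.join(libdir, f"{base}.so.{version}")
        if not os.path.isfile(real):
            problems.append(f"{real} missing")
            continue  # nothing can resolve to a file that is not there
        for name in (f"{base}.so", f"{base}.so.0"):
            path = os.path.join(libdir, name)
            if not os.path.lexists(path):
                problems.append(f"{path} missing")
            elif not os.path.islink(path):
                problems.append(f"{path} is a regular file, not a symlink")
            elif not os.path.exists(path):
                problems.append(f"{path} is a dangling symlink -> {os.readlink(path)}")
            elif not os.path.samefile(path, real):
                problems.append(f"{path} resolves to {os.path.realpath(path)}, not {real}")
    return sorted(problems)


def build_demo_dir(broken: bool) -> str:
    """Constructed temp directory: a correct layout, or one with two common mistakes."""
    d = tempfile.mkdtemp(prefix="ssl-links-")
    for base, version in EXPECTED.items():
        open(os.path.join(d, f"{base}.so.{version}"), "w").close()  # stand-in for the library
    # libssl: the chain the HOWTO describes (.so -> .so.0 -> .so.0.9.8), relative links
    os.symlink("libssl.so.0.9.8", os.path.join(d, "libssl.so.0"))
    os.symlink("libssl.so.0", os.path.join(d, "libssl.so"))
    if broken:
        os.symlink("libcrypto.so.0.9.7", os.path.join(d, "libcrypto.so.0"))  # dangling: no such version
        open(os.path.join(d, "libcrypto.so"), "w").close()                  # a copy instead of a link
    else:
        os.symlink("libcrypto.so.0.9.8", os.path.join(d, "libcrypto.so.0"))
        os.symlink("libcrypto.so.0.9.8", os.path.join(d, "libcrypto.so"))   # both straight at the file
    return d


if __name__ == "__main__":
    for flag in (True, False):
        demo = build_demo_dir(flag)
        print(demo, check_library_links(demo) or "ok")
```

Run it against a real directory with `check_library_links("/usr/local/openssl/lib")` (the path from the quoted Makefile); a non-empty list names each entry that needs `ln -s` or a removed copy.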


Problem with EAP-TLS authentication

2003-12-08 Thread garelli
Hello,
I am trying to configure a wireless communication network using
authentication with Freeradius.
I have already configured one client, my access point (Cisco Aironet), and
my freeradius server to use TLS authentication.
I took the EAP/TLS authentication HOW-TO, and I tried to do exactly what
was said inside (with the version of freeradius referenced there and
the 3 versions of openssl).
But it seems that I made a mistake somewhere; my authentication doesn't work!
I tried to understand, and it seems to be related to SSL. I caught just
a little part of my logs, in order to show you.
If someone could tell me where I made a mistake, it would be great! Thank
you for your help!
---
...

<<< TLS 1.0 Handshake [length 02af], Certificate

chain-depth=1,
error=0
--> User-Name = ourson
--> BUF-Name = server1
--> subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> issuer  =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
chain-depth=0,
error=0
--> User-Name = ourson
--> BUF-Name = ourson
--> subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=ourson/[EMAIL PROTECTED]
--> issuer  =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
TLS_accept: SSLv3 read client certificate A
<<< TLS 1.0 Handshake [length 0086], ClientKeyExchange

TLS_accept: SSLv3 read client key exchange A
<<< TLS 1.0 Handshake [length 0086], CertificateVerify

TLS_accept: SSLv3 read certificate verify A
<<< TLS 1.0 ChangeCipherSpec [length 0001]

<<< TLS 1.0 Handshake [length 0010], Finished

TLS_accept: SSLv3 read finished A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished

TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
 Error code is . 2
 SSL Error . 2
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [ourson/] (from client AP1 port 37
cli 000af49c507f)
Sending Access-Challenge of id 118 to 192.168.1.2:1142
EAP-Message =
"\001\254\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000
\253d\\\300\247n!O\037\304\023\375\241\256$\202\304\257&ZJ\266\211\315\226\243V\221\246\274\345\375"
Message-Authenticator = 0x
State =
0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
Finished request 15
Going to the next request
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119,
length=208
User-Name = "ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State =
0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
"\002\254\000!\r\200\000\000\000\027\025\003\001\000\022\334\207\370Z\010\276] (from client AP1 port 37
cli 000af49c507f)
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 192.168.1.2:1143
EAP-Message = "\004\254\000\004"
Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 114 with timestamp 3fd49b6b
Cleaning up request 12 ID 115 with timestamp 3fd49b6b
Cleaning up request 13 ID 116 with timestamp 3fd49b6b
Cleaning up request 14 ID 117 with timestamp 3fd49b6b
Cleaning up request 15 ID 118 with timestamp 3fd49b6b
Cleaning up request 16 ID 119 with timestamp 3fd49b6b
Nothing to do.  Sleeping until we see a request.
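The verify-callback lines in this log (`chain-depth`, `subject`, `issuer`, `verify return`) and the `TLS_accept:` steps are enough to say how far the exchange got. The script below is an added example, not code from the thread or from FreeRADIUS: it rebuilds the certificate chain from those lines, checks that each issuer is the subject one level up and that the top of the chain is self-signed, and then reports whether the handshake completed and what the first `rlm_eap_tls` error after it was. Its sample is a constructed excerpt modelled on this post's log with shortened subjects; on it, as in the post, the chain verifies, the negotiation finishes, and the first error is the `SSL_read Error` that follows.

```python
"""Summarise an EAP-TLS exchange from FreeRADIUS `radiusd -X` output.

Added example, not code from the thread or from FreeRADIUS. It reads the
verify-callback lines and the TLS_accept steps and says how far the
handshake got and what failed first.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the 2003-12-08 post's log, with shortened
# subjects; the structure (depth 1 self-signed, depth 0 client) is the same.
SAMPLE = """\
<<< TLS 1.0 Handshake [length 02af], Certificate
chain-depth=1,
error=0
--> subject = /C=FR/O=Example/CN=server1
--> issuer  = /C=FR/O=Example/CN=server1
--> verify return:1
chain-depth=0,
error=0
--> subject = /C=FR/O=Example/CN=ourson
--> issuer  = /C=FR/O=Example/CN=server1
--> verify return:1
TLS_accept: SSLv3 read client certificate A
TLS_accept: SSLv3 read client key exchange A
TLS_accept: SSLv3 read certificate verify A
TLS_accept: SSLv3 read finished A
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
 Error code is . 2
"""

DEPTH_RE = re.compile(r'^chain-depth=(\d+),')
ERRNO_RE = re.compile(r'^error=(\d+)')
SUBJECT_RE = re.compile(r'^--> subject = (.+)$')
ISSUER_RE = re.compile(r'^--> issuer\s+= (.+)$')
VERIFY_RE = re.compile(r'^--> verify return:(\d)')
STEP_RE = re.compile(r'^TLS_accept: (.+)$')
SSL_ERROR_RE = re.compile(r'rlm_eap_tls: (\S+ Error)')


@dataclass
class Cert:
    depth: int
    subject: str = ""
    issuer: str = ""
    verify_ok: Optional[bool] = None
    error: Optional[int] = None


@dataclass
class TlsSummary:
    chain: List[Cert] = field(default_factory=list)
    steps: List[str] = field(default_factory=list)
    negotiated: bool = False
    first_error: Optional[str] = None


def parse_tls_log(text: str) -> TlsSummary:
    """Collect chain entries, TLS_accept steps, the success marker and the first error."""
    s, cur = TlsSummary(), None
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            cur = Cert(depth=int(m.group(1)))  # the lines that follow belong to this cert
            s.chain.append(cur)
        elif cur is not None and (m := ERRNO_RE.match(line)):
            cur.error = int(m.group(1))
        elif cur is not None and (m := SUBJECT_RE.match(line)):
            cur.subject = m.group(1)
        elif cur is not None and (m := ISSUER_RE.match(line)):
            cur.issuer = m.group(1)
        elif cur is not None and (m := VERIFY_RE.match(line)):
            cur.verify_ok = m.group(1) == "1"
        elif m := STEP_RE.match(line):
            s.steps.append(m.group(1))
        elif "SSL negotiation finished successfully" in line:
            s.negotiated = True
        elif (m := SSL_ERROR_RE.search(line)) and s.first_error is None:
            s.first_error = m.group(1)
    return s


def chain_problems(chain: List[Cert]) -> List[str]:
    """Cross-check the callback output: verify results, self-signed top, issuer links."""
    probs: List[str] = []
    top_down = sorted(chain, key=lambda c: c.depth, reverse=True)
    for c in top_down:
        if c.verify_ok is False or c.error not in (None, 0):
            probs.append(f"depth {c.depth}: verify failed (error={c.error})")
    if top_down and top_down[0].subject != top_down[0].issuer:
        probs.append(f"depth {top_down[0].depth}: top of chain is not self-signed")
    for upper, lower in zip(top_down, top_down[1:]):
        if lower.issuer != upper.subject:
            probs.append(f"depth {lower.depth}: issuer is not the subject at depth {upper.depth}")
    return probs


def diagnose(s: TlsSummary) -> str:
    """One line saying where the exchange stopped."""
    probs = chain_problems(s.chain)
    if probs:
        return "certificate chain: " + "; ".join(probs)
    if not s.negotiated:
        last = s.steps[-1] if s.steps else "none"
        return f"handshake did not complete; last TLS_accept step: {last}"
    if s.first_error:
        return f"handshake completed; first failure is after it: {s.first_error}"
    return "handshake completed; no TLS error seen"


if __name__ == "__main__":
    print(diagnose(parse_tls_log(SAMPLE)))
```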


