Re: PEAP problem - HELP PLEASE
Thanks everyone for your help, yes Brian, you are right, i made a mistake when I wrote my users entry in the last mail! I wanted to say: ourson User-password = testtest In fact your right for the = which is better to be renplaced by == here. But in reallity, I didn't put any space on my user paswword I tried to put this entry: ourson User-Password == a Reply-Message = YSS, %u With this, I tought that if authentication were bad, my reply message won't appear, isn't it right? But in fact, I have already the same error, but in response I have my reply message! It's very strange. here are my last logs : rad_check_password: Found Auth-Type EAP auth: type EAP modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, authentication failed. rlm_eap: Failed in handler modcall[authenticate]: module eap returns invalid for request 0 modcall: group authenticate returns invalid for request 0 auth: Failed to validate the user. Login incorrect: [ourson/no User-Password attribute] (from client AP1 port 37 cli 000af49c507f)Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 113 to 192.168.1.2:3186 Reply-Message = yeess Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 113 with timestamp 3fdf0ed2 Nothing to do. Sleeping until we see a request. I really don't understand how radiusd can say : Identity does not match User-Name, authentication failed and [ourson/no User-Password attribute] ... It seems that no password is sent from my supplicant..?? I tried to do radtest from another unix machine and it works : ... rad_recv: Access-Request packet from host 192.168.1.1:32769, id=85, length=58 User-Name = ourson User-Password = a NAS-IP-Address = 255.255.255.255 NAS-Port = 10 modcall: entering group authorize for request 6 modcall[authorize]: module preprocess returns ok for request 6 modcall[authorize]: module chap returns noop for request 6 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module eap returns noop for request 6 rlm_realm: No '@' in User-Name = ourson, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 6 users: Matched ourson at 97 modcall[authorize]: module files returns ok for request 6 modcall[authorize]: module mschap returns noop for request 6 modcall: group authorize returns ok for request 6 auth: type Local auth: user supplied User-Password matches local User-Password radius_xlat: ' YSS, ourson' Sending Access-Accept of id 85 to 192.168.1.1:32769 Reply-Message = YSS, ourson Finished request 6 Going to the next request --- Walking the entire request list --- Cleaning up request 5 ID 170 with timestamp 3fdf22be Waking up in 6 seconds... I think that freeradius is well configured and it must be a windows or Access Point problem, don't you think so? Please if someone knows or just have an idea, tell me !! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP problem - HELP PLEASE
Hi Alan! Thanks for your help. I did what you told me, but it seems that it wasn't the only error I made... I put in the users file : ourson User-Password = testtest and my user on the XP supplicant is also the same, but authentication is still impossible! I really don't understand because the same error message appears even if I change the users file like I show you before. I am asking myself about which options must be put on the MS-CHAP module (on radiusd.conf) ? I didn't change any options on the MS-CHAP module ( use_mppe, require_encryption, require_strong with a # before), but is it necessary?? (I tried quickly to put these options = yes ,but I had same results) If you have any idea about what is wrong with my configuration, please tell me! here are my log with the beginning of freeradius when it's launched: + LD_LIBRARY_PATH=/usr/local/ssl-end/lib + LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so + export LD_LIBRARY_PATH LD_PRELOAD + /usr/local/sbin/radiusd -X -y -z Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients Using deprecated clients file. Support for this will go away soon. read_config_files: reading realms Using deprecated realms file. Support for this will go away soon. radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: passwd = (null) mschap: authtype = MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /sauv-certif/cert/new/serveur6.pem tls: certificate_file = /sauv-certif/cert/new/serveur6.pem tls: CA_file = /sauv-certif/cert/new/root.pem tls: private_key_password = saucisson tls: dh_file = /sauv-certif/cert/new/dh tls: random_file = /sauv-certif/cert/new/random tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no rlm_eap: Loaded and initialized type tls peap: default_eap_type = mschapv2 peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no rlm_eap: Loaded and initialized type peap rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = suffix realm: delimiter = @ Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = /usr/local/etc/raddb/users files: acctusersfile = /usr/local/etc/raddb/acct_users files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users files: compat = no [/usr/local/etc/raddb/users]:156 WARNING! Changing
Re: PEAP problem - HELP PLEASE
[EMAIL PROTECTED] wrote: Hi Alan! Thanks for your help. I did what you told me, but it seems that it wasn't the only error I made... I put in the users file : ourson User-Password = testtest i think i see two potential issues here ... one is noted in the logging: [/usr/local/etc/raddb/users]:156 WARNING! Changing 'User-Password =' to 'User-Password ==' ?for comparing RADIUS attribute in check item list for user ourson the operator that's needed is ==, not just = ... but radius sorta fixed that in the request, as the logs note. the other potential issue: the space before the password begins. assuming that the password gets encrypted into the EAP-Message ( something i'm thinking happens ... but i'm not sure of ), that space is getting added to the encypted string and will never match. and my user on the XP supplicant is also the same, but authentication is still impossible! I really don't understand because the same error message appears even if I change the users file like I show you before. I am asking myself about which options must be put on the MS-CHAP module (on radiusd.conf) ? I didn't change any options on the MS-CHAP module ( use_mppe, require_encryption, require_strong with a # before), but is it necessary?? (I tried quickly to put these options = yes ,but I had same results) If you have any idea about what is wrong with my configuration, please tell me! here are my log with the beginning of freeradius when it's launched: + LD_LIBRARY_PATH=/usr/local/ssl-end/lib + LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so + export LD_LIBRARY_PATH LD_PRELOAD + /usr/local/sbin/radiusd -X -y -z Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients Using deprecated clients file. Support for this will go away soon. read_config_files: reading realms Using deprecated realms file. Support for this will go away soon. radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: passwd = (null) mschap: authtype = MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /sauv-certif/cert/new/serveur6.pem tls: certificate_file = /sauv-certif/cert/new/serveur6.pem tls: CA_file = /sauv-certif/cert/new/root.pem tls: private_key_password = saucisson tls: dh_file = /sauv-certif/cert/new/dh tls: random_file = /sauv-certif/cert/new/random tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no rlm_eap: Loaded and initialized type tls peap: default_eap_type = mschapv2 peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no rlm_eap: Loaded and initialized type peap rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no
PEAP problem - HELP PLEASE
hello everybody! I am tryong to make a secure wireless access using PEAP, but I have a problem during authentication. I had successfully configured TLS module, and all work fine. But when I want to have a peap authentication, there is a problem. In fact could someone try to look at my log, and tell me where is my problem? I would be great! Another point is the configuration of the users file, for peap. I've read the list but nobody gave a real answer to this question.. how this file have to be configured?? I tried : username Auth-type := EAP , User-password == xxx or username Auth-type := Local , User-password == xxx or ... I don't really know which syntax is good according to peap authentication..maybe my problem is here? Thank you for your help! there are my logs : ... auth: type EAP modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Proceeding to decode tunneled attributes. rlm_eap_peap: Identity - NOMADE\ourson rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e PEAP: Got tunneled identity of NOMADE\ourson PEAP: Setting default EAP type for tunneled EAP session. PEAP: Sending tunneled request EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e Freeradius-Proxied-To = 127.0.0.1 User-Name = NOMADE\\ourson modcall: entering group authorize for request 15 modcall[authorize]: module preprocess returns ok for request 15 radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215 modcall[authorize]: module auth_log returns ok for request 15 rlm_eap: EAP packet type response id 129 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 15 rlm_realm: No '@' in User-Name = NOMADE\ourson, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 15 modcall[authorize]: module files returns notfound for request 15 modcall: group authorize returns updated for request 15 rad_check_password: Found Auth-Type EAP auth: type EAP modcall: entering group authenticate for request 15 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module eap returns handled for request 15 modcall: group authenticate returns handled for request 15 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e Message-Authenticator = 0x State = 0xc2efbd051aa877ec625ee103a4a76b76 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module eap returns handled for request 15 modcall: group authenticate returns handled for request 15 Sending Access-Challenge of id 158 to 192.168.1.2:2462 EAP-Message = 0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f Message-Authenticator = 0x State = 0x55cbafd5eafc1a8c249ad219c5d26a3b Finished request 15 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159, length=250 User-Name = NOMADE\\ourson Cisco-AVPair = ssid=bebe NAS-IP-Address = 192.168.1.2 Called-Station-Id = 00409656deff Calling-Station-Id = 000af49c507f NAS-Identifier = AP350-56deff NAS-Port = 37 Framed-MTU = 1400 State = 0x55cbafd5eafc1a8c249ad219c5d26a3b NAS-Port-Type = Wireless-802.11 Service-Type = Login-User EAP-Message = 0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367 Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290 modcall: entering group authorize for request 16 modcall[authorize]: module preprocess returns ok for request 16 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215 modcall[authorize]: module auth_log returns ok for request 16 rlm_eap: EAP packet type response id 130 length 88 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Re: PEAP problem - HELP PLEASE
[EMAIL PROTECTED] wrote: In fact could someone try to look at my log, and tell me where is my problem? I would be great! The log you posted to the list contains a description of what is wrong. Another point is the configuration of the users file, for peap. I've read the list but nobody gave a real answer to this question.. how this file have to be configured?? I tried : username Auth-type := EAP , User-password == xxx or username Auth-type := Local , User-password == xxx You often don't need to do anything to the 'users' file. The simplest change to make (if you're not using LDAP or SQL), is to add the tunneled user name, with a password: tunnel-user User-Password = password That's it. rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: No LM-Password or NT-Password attribute found. Cannot perform MS-CHAP authentication. It needs a password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html