is RADIUS the only server?

2004-07-19 Thread BLANCA FERRERO RODRIGUEZ
Hi everyone,

I have a doubt, it is more theoretical than practical. Can anyone tell me if the 
servers used for authentication in Wi-Fi networks are always RADIUS, or are there any 
other options? And in case there are others, why is RADIUS the most common?

Thanks 


bfr


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


user password for LEAP

2004-02-19 Thread BLANCA FERRERO RODRIGUEZ
Hi,

I'm trying to use LEAP authentication and my problem is the next one:
In the users file I have a user like this

prueba User-Password == "12345678"

The communication between my AP and the server seems correct in the first messages, 
but when the AP replies to the server challenge, I can see several error messages. The 
first one is this:
' No user-password or NT-Password configured for this user' 
but I have the password defined in the users file...

After that, another access-request is sent from the AP and the most remarkable 
messages are these (I think):
'rlm_eap:request not found inthe list'
'rlm_eap: Either EAP-request timed out or EAP-response to an unknown EAP-request'

I must say that in all the messages from the start it is said that 'EAP start not 
found', I don't know if it could be of any aid.

Thank you very much for the help

Blanca




Re: user password for LEAP

2004-02-20 Thread BLANCA FERRERO RODRIGUEZ
BLANCA FERRERO RODRIGUEZ <[EMAIL PROTECTED]> wrote:
> > The communication between my AP and the server seems correct in the
> > first messages, but when the AP replies to the server challenge, I can
> > see several error messages. The first one is this:
> > ' No user-password or NT-Password configured for this user' 
> > but I have the password defined in the users file...
> 
>  So run the server in debugging mode, and see if that line of the
> users file is matched when the request comes in.
> 
>  Alan DeKok.
> 

I don't understand your answer very well because I already run the server in debug 
mode and the messages I put in my mail are the ones I can see on the screen... and I 
guess the line with the password in the users file doesn't match the one in the packet 
as the message I get is the one above.

BLanca




problem with LEAP

2004-02-23 Thread BLANCA FERRERO RODRIGUEZ
ss-Request packet from host 172.26.0.3:1645, id=7, length=217
User-Name = "prueba"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.19dc"
Calling-Station-Id = "000c.ce21.141b"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xdf55df0e5a4e3406eeebfca746204be2
EAP-Message = 
0x02030026110100181d428a77ec2efd6068db56056d5fb65edc311c4f4bac5e5d707275656261
NAS-Port-Type = Virtual
NAS-Port = 5
State = 
0x3305b25f5f2e2f409162d511e43333d139401db98e4eac56edc72206d843768e7c0c
Service-Type = Login-User
NAS-IP-Address = 172.26.0.3
NAS-Identifier = "ap_cisco   "
modcall: entering group authorize for request 8
  rlm_eap: EAP packet type notification id 3 length 38
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 8
  rlm_eap: EAP packet type notification id 3 length 38
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
rlm_eap_leap: No User-Password or NT-Password configured for this user
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.26.0.3:1645, id=7, length=217
User-Name = "prueba"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.19dc"
Calling-Station-Id = "000c.ce21.141b"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xbd83a468a7a3b23fcfe15faf8b113436
EAP-Message = 
0x02030026110100181d428a77ec2efd6068db56056d5fb65edc311c4f4bac5e5d707275656261
NAS-Port-Type = Virtual
NAS-Port = 5
State = 
0x3305b25f5f2e2f409162d511e43333d139401db98e4eac56edc72206d843768e7c0c
Service-Type = Login-User
NAS-IP-Address = 172.26.0.3
NAS-Identifier = "ap_cisco   "
modcall: entering group authorize for request 9
  rlm_eap: EAP packet type notification id 3 length 38
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 9
modcall: group authorize returns updated for request 9
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 9
  rlm_eap: EAP packet type notification id 3 length 38
  rlm_eap: EAP Start not found
  rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  modcall[authenticate]: module "eap" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 6 with timestamp 4039d133
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 172.26.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 7 with timestamp 4039d138
Nothing to do.  Sleeping until we see a request.





- Original message -
From: [EMAIL PROTECTED]
Date: Friday, February 20, 2004 6:58 pm
Subject: RE: user password for LEAP

> Maybe you could post the initial debug lines to see which user is 
> being matched. 
> 
> One probability is that the default user is being matched, and not the one
> you have intended, if you are using leap for authentication, and 
> assuming you have a "right" configuration file for FreeRadius, your 
> line in the users file should look something like:
> 
> test Auth-Type := eap,  User-Password == "123456"
> Service-Type = Login-User
> 
> German Rodriguez.
> 
> > -Original Message-
> > From: BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED] 
> > Sent: Friday, February 20, 2004 2:23 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: user password for LEAP
> > 
> > BLANCA FERRERO RODRIGUEZ <[EMAIL PROTECTED]> wrote:
> > > > The communication between my AP and the server seems 
> > correct in the 
> > > > first messages, but when the AP replies to the server challenge,
> > > I can
> > > > see several error messages. The first ones is this:
> > > > ' No user-password or NT-Password configured for this user&

Re: problem with LEAP

2004-02-23 Thread BLANCA FERRERO RODRIGUEZ
I have already added the files module in the authorize section and I see the same 
logs... it doesn't work either.

In the authenticate section I have only eap enabled. The rest of the Auth-Types are 
commented (PAP, MS-CHAP, CHAP...). Could it have anything to do with my problem?

Blanca

- Original message -
From: Kostas Kalevras <[EMAIL PROTECTED]>
Date: Monday, February 23, 2004 11:16 am
Subject: Re: problem with LEAP

> On Mon, 23 Feb 2004, BLANCA FERRERO RODRIGUEZ wrote:
> 
> > I'm trying to run RADIUS with leap. I've written to the list 
> > before but I haven't solved the problem yet, so I send the logs I 
> > see on the screen because I don't understand the problem.
> > First, I apologise because the logs are a bit long but I don't 
> > distinguish between the important and the non-important ones.
> >
> > My user is configured like this:
> > prueba Auth-Type := eap,  User-Password == "12345678"
> >Service-Type = Login-User
> >
> >
> > NAS-IP-Address = 172.26.0.3
> > NAS-Identifier = "ap_cisco   "
> > modcall: entering group authorize for request 1
> >   rlm_eap: EAP packet type notification id 3 length 38
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated for request 1
> > modcall: group authorize returns updated for request 1
> 
> 
> You only have the eap module in the authorize section. You should 
> also add the files module so that the user password can be set
> 
> 
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate for request 1
> >   rlm_eap: EAP packet type notification id 3 length 38
> >   rlm_eap: EAP Start not found
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP_TYPE - leap
> >   rlm_eap: processing type leap
> > rlm_eap_leap: No User-Password or NT-Password configured for this user
> 
> 
> That's the important message. Try adding the files module in the 
> authorize section and it should work ok.
> 
> 
> >   modcall[authenticate]: module "eap" returns invalid for request 1
> > modcall: group authenticate returns invalid for request 1
> > auth: Failed to validate the user.
> > Delaying request 1 for 1 seconds
> > Finished request 1
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 




problem with LEAP solved

2004-02-23 Thread BLANCA FERRERO RODRIGUEZ

I'm sorry for my previous mail. Kostas Kalevras was right and LEAP operates correctly, 
thank you very much.

Blanca


- Original message -
From: Kostas Kalevras <[EMAIL PROTECTED]>
Date: Monday, February 23, 2004 11:16 am
Subject: Re: problem with LEAP

> On Mon, 23 Feb 2004, BLANCA FERRERO RODRIGUEZ wrote:
> 
> > I'm trying to run RADIUS with leap. I've written to the list 
> > before but I haven't solved the problem yet, so I send the logs I 
> > see on the screen because I don't understand the problem.
> > First, I apologise because the logs are a bit long but I don't 
> > distinguish between the important and the non-important ones.
> >
> > My user is configured like this:
> > prueba Auth-Type := eap,  User-Password == "12345678"
> >Service-Type = Login-User
> >
> >
> > NAS-IP-Address = 172.26.0.3
> > NAS-Identifier = "ap_cisco   "
> > modcall: entering group authorize for request 1
> >   rlm_eap: EAP packet type notification id 3 length 38
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated for request 1
> > modcall: group authorize returns updated for request 1
> 
> 
> You only have the eap module in the authorize section. You should 
> also add the files module so that the user password can be set
> 
> 
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate for request 1
> >   rlm_eap: EAP packet type notification id 3 length 38
> >   rlm_eap: EAP Start not found
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP_TYPE - leap
> >   rlm_eap: processing type leap
> > rlm_eap_leap: No User-Password or NT-Password configured for this user
> 
> 
> That's the important message. Try adding the files module in the 
> authorize section and it should work ok.
> 
> 
> >   modcall[authenticate]: module "eap" returns invalid for request 1
> > modcall: group authenticate returns invalid for request 1
> > auth: Failed to validate the user.
> > Delaying request 1 for 1 seconds
> > Finished request 1
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 




Re: WindowsXP EAP-MD5 authentication problem

2004-02-26 Thread BLANCA FERRERO RODRIGUEZ
Hi,

I had the same problem when I configured eap. Instead of using your user 
user3   Auth-Type := Local, User-Password == "cisco"

try with this one:
user3   Auth-Type := eap, User-Password == "cisco"

In my case that was the problem

bfr


- Original message -
From: Nedialko Dimitrov <[EMAIL PROTECTED]>
Date: Thursday, February 26, 2004 9:55 am
Subject: WindowsXP EAP-MD5 authentication problem

> Dear all,
> 
> I'm trying to configure
> WindowsXP <-- wireless-> Cisco AP1100 <--> FreeRadius
> with MD5 authentication following
> http://lists.cistron.nl/pipermail/freeradius-users/2002-August/009532.html
> The version of FreeRadius:
> radiusd: FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on Feb
> 17 2004 at 16:54:51
> 
> 
> My WindowsXP client settings are :
> Connection properties ->
>    Authentication : Enable IEEE 802.1x ...
>    EAP type PEAP (the other option is Smart Card or Certificate)
> Properties ->
>    Select Auth. Method: EAP-MSCHAP-v2 (the other option is Smart Card
>    or Certificate)
> 
> 
> This is my freeradius debug:
> 
> Waking up in 2 seconds...
> rad_recv: Access-Request packet from host 192.168.4.5:21645, id=83, length=123
>     User-Name = "user3"
>     Framed-MTU = 1400
>     Called-Station-Id = "0002.8a0e.33c0"
>     Calling-Station-Id = "0090.9660.5c87"
>     Message-Authenticator = 0x2ce00fea6464f1816607e046a7140288
>     EAP-Message = 0x0201000a017573657233
>     NAS-Port-Type = Wireless-802.11
>     NAS-Port = 350
>     Service-Type = Framed-User
>     NAS-IP-Address = 192.168.4.5
>     NAS-Identifier = "ap"
> modcall: entering group authorize for request 6
>  modcall[authorize]: module "preprocess" returns ok for request 6
>  rlm_eap: EAP packet type notification id 1 length 10
>  rlm_eap: EAP Start not found
>  modcall[authorize]: module "eap" returns updated for request 6
>     users: Matched user3 at 92
>  modcall[authorize]: module "files" returns ok for request 6
> modcall: group authorize returns updated for request 6
>  rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Delaying request 6 for 1 seconds
> Finished request 6
> Going to the next request
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 5 ID 82 with timestamp 403d3097
> Sending Access-Reject of id 83 to 192.168.4.5:21645
> 
> My users file record is just:
> 
> user3   Auth-Type := Local, User-Password == "cisco"
> 
> I believe that the problem is here:
> -
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> 
> but I cannot guess what is missing in my configuration ?!
> 
> Any ideas ?
> 
> Best,
> 
> Nedialko
> 
> 
> 




access for eap/tls

2004-05-11 Thread BLANCA FERRERO RODRIGUEZ
I'm trying authentication with eap/tls. It works properly but my doubt is: if I try to 
connect with a user called 'proof' for example and it is not included in my users 
file, should it be allowed to connect to the network despite having a correct 
certificate? If not, what am I doing wrong, because my radius is authenticating a user 
that is not included in my users file and I have commented all the 'default' entries 
in case these could produce the error?

thanks

bfr




PEAP starting from EAP/TLS

2004-05-12 Thread BLANCA FERRERO RODRIGUEZ
I have eap/tls authorization configured in my system and I would like to know if 
configuring PEAP from this point would be very difficult.
Does anyone know any good HOWTO to help me with the configuration of PEAP ?
thank you

bfr



- Original message -
From: Alejandro Bonilla <[EMAIL PROTECTED]>
Date: Monday, May 10, 2004 4:59 pm
Subject: Setup and PEAP

> Hi, I'm new to FreeRADIUS. I have tried to use it and couldn't get to 
> know how to get the correct authentication method Setup. I'm trying to 
> setup a WRT54G with a WPA RADIUS, which asks for a Shared Key which I 
> was able to set, also I was able to set the correct users and stuff. 
> Simply I cannot get it to work because the Authentication method is done 
> with PEAP.
> My questions would be:
> 1. Which are the files that normal users should be touching to get this 
> to work.
> 2. Does FreeRADIUS support PEAP? Do I have to uncomment MS-CHAPv2 if I'm 
> going to use MS-CHAPv2 or FreeRADIUS already supports it?
> 3. Is there an easy How-To to setup this RADIUS Server?
> 
> Thanks,
> 
> - Alex
> 




Re: access for eap/tls

2004-05-13 Thread BLANCA FERRERO RODRIGUEZ
So if a user with a correct certificate tries to authenticate against radius although 
it is not in the users file, will it have access to the network? Is there any way that 
I can control this access of users with the users file although they have a correct 
cert?
Thanks

bfr

- Original message -
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Wednesday, May 12, 2004 10:34 am
Subject: Re: access for eap/tls

> BLANCA FERRERO RODRIGUEZ <[EMAIL PROTECTED]> wrote:
> > I'm trying authentication with eap/tls. It works properly but my
> > doubt is: if I try to connect with a user called 'proof' for example
> > and it is not included in my users file, should it be allowed to
> > connect to the network despite having a correct certificate? 
> 
>  Yes.  The "users" file is just one form of controlling user access.
> You can store users in SQL, LDAP, or in signed certificates.
> 
>  Alan DeKok.
> 




Re: access for eap/tls

2004-05-13 Thread BLANCA FERRERO RODRIGUEZ
> > is there any way that I can control this
> > access of users with the users file although they have a correct
> > cert?
> 
>  Yes.  Tell the server to reject the user.

Sorry to insist but could you tell me how to do this exactly?

bfr




eap.cnf

2004-05-14 Thread BLANCA FERRERO RODRIGUEZ
Could anyone tell me where the eap.cnf is supposed to be? In the raddb dir? 
Thanks a lot 

bfr





Re: eap.cnf

2004-05-14 Thread BLANCA FERRERO RODRIGUEZ
> 
> usually it's called 'eap.conf' and it is in the raddb dir.
> 
 
I have already searched in that dir but I find no eap.conf!! I'm using freeradius 0.9.3, 
does it support PEAP?

thanks

bfr




eap/tls

2004-05-05 Thread BLANCA FERRERO RODRIGUEZ
I'm trying to configure EAP/TLS and my freeradius version is 0.9.3, does this version 
support this authentication method? If someone has used certificates, can you confirm 
that openssl is a good option to create them? Thanks a lot

Bfr




openssl

2004-05-05 Thread BLANCA FERRERO RODRIGUEZ
I'm using this HOWTO 

http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

to configure eap/tls over freeradius. I'm trying to install openssl as it's explained 
there but when I have to verify the sym link between some files I'm not very sure 
about how to do this. Should the linked files be in the lib directory where I've 
installed openssl (/usr/local/...)? If that is the case they're not there,
or should I check the Makefile to see that there is a line with the link? 

Thanks a lot, I'm not a Linux administrator so I'm a bit lost with these issues.


bfr




Re: openssl

2004-05-06 Thread BLANCA FERRERO RODRIGUEZ
 
> I'm newbie too and I use Mdk9.2 and freeradius snapshot 22-004-2004, then
> I use "slocate" command to find files I need . I install all soft needed
> from /usr/local/ and I add /usr/local/bin and /usr/local/sbin to my $PATH
> then it works...maybe it can help you

Sorry Fred but in which $PATH do you include those directories? Which version of 
openssl are you using? I'm trying with openssl0.9.7beta3 and it gives errors while 
compiling.
Thanks

Bfr


> 
> Fred.
> >
> > thanks a lot, I'm not LINUX administrator so I'm a bit lost with these
> > issues.
> >
> >
> > bfr
> >
> >
> >
> 
> 




configure peap

2004-05-19 Thread BLANCA FERRERO RODRIGUEZ
I'm trying to configure PEAP. In the snapshot I was using of freeradius 0.9.3 it 
wasn't supported so I'm trying to install a newer one, but I think it doesn't 
overwrite the files of the previous one because when I try to run radius it tells me 
that 'peap is not a supported module'. So how can I uninstall my freeradius to 
install the new one? As I installed it from the sources not the packet I'm not sure if 
the command rpm will work.

Another question: should I give to the MSCHAP module the default type ms-chapv2 or just 
the default value (mschap)?

thanks a lot

bfr



- Original message -
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Wednesday, May 19, 2004 6:48 pm
Subject: Re: EAP/TLS

> "Daniel Walther" <[EMAIL PROTECTED]> wrote:
> > I'm trying to connect to my WLAN with EAP/TLS with a Freeradius server.
> > Unfortunately it won't work. Freeradius can't authenticate the user and
> > reject the request!
> 
>  Yes...
> 
> > rlm_eap_tls: Received EAP-TLS ACK message
> > rlm_eap_tls: Invalid ACK received
> >   modcall[authenticate]: module "eap" returns invalid for request 3
> 
>  Try running the latest CVS snapshot.  If that doesn't work, then I'd
> blame the wireless client.
> 
>  Alan DeKok.
> 




peap user

2004-05-24 Thread BLANCA FERRERO RODRIGUEZ
Hi,

I'm configuring PEAP. I think the freeradius config is Ok. I'm using an Aironet AP 
1100 configured to support  802.1X authentication and WEP and my wireless network is 
enabled to use PEAP auth.
The fact is that when I try to authenticate my card against radius I'm not asked to 
enter a user and a passw and it directly uses an unknown user for me called 
PEAP-mi_card_MAC. Wasn't I supposed to be asked to enter the user?

I add the logs in case they can help.
thanks a lot

bfr

rad_recv: Access-Request packet from host 172.26.0.3:1645, id=6, length=161
User-Name = "PEAP-000CCE21141B"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.19dc"
Calling-Station-Id = "000c.ce21.141b"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0x642163f9e77208900dc76dd8c5b48981
EAP-Message = 0x0202001601504541502d303030434345323131343142
NAS-Port-Type = Virtual
NAS-Port = 63
Service-Type = Login-User
NAS-IP-Address = 172.26.0.3
NAS-Identifier = "ap_cisco  "
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "PEAP-000CCE21141B", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 177
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 6 to 172.26.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 6 with timestamp 40b22f94
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.26.0.3:1645, id=7, length=161
User-Name = "PEAP-000CCE21141B"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.19dc"
Calling-Station-Id = "000c.ce21.141b"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xbabd2bd7b3b9a2cf23018d052dcc7582
EAP-Message = 0x0201001601504541502d303030434345323131343142
NAS-Port-Type = Virtual
NAS-Port = 64
Service-Type = Login-User
NAS-IP-Address = 172.26.0.3
NAS-Identifier = "ap_cisco  "
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "PEAP-000CCE21141B", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 177
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 172.26.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 7 with timestamp 40b22f9f
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.26.0.3:1645, id=8, length=161
User-Name = "PEAP-000CCE21141B"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.19dc"
Calling-Station-Id = "000c.ce21.141b"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0x017eb94e1149c58524647d0840f81dce
EAP-Message = 0x0201001601504541502d303030434345323131343142
NAS-Port-Type = Virtual
NAS-Port = 65
Service-Type = Login-User
NAS-IP-Address = 172.26.0.3
N

Re: peap user

2004-05-24 Thread BLANCA FERRERO RODRIGUEZ
I'm using Windows XP, the same as for eap/tls and it worked fine in that case. My card 
is a 350 cisco and follow the instructions in the cisco page to configure it as well 
as the AP. 
In the network manager I enabled PEAP auth and unchecked the box you mentioned about 
using my windows login to auth. Anyway the user sent to the radius is not my login!!!
Any idea?


bfr

- Original message -
From: Bob McCormick <[EMAIL PROTECTED]>
Date: Monday, May 24, 2004 6:42 pm
Subject: Re: peap user

> Sounds like a client side problem.   What supplicant are you using?  
> Are you using the one built into Win2k or WinXP?  Both of those have 
> checkboxes to automatically use your machine name or your windows login 
> name.   Make sure those aren't checked.
> 
> 
> On May 24, 2004, at 10:33 AM, BLANCA FERRERO RODRIGUEZ wrote:
> 
> > Hi,
> >
> > I'm configuring PEAP. I think the freeradius config is Ok. I'm using 
> > an Aironet AP 1100 configured to support  802.1X authentication and 
> > WEP and my wireless network is enabled to use PEAP auth.
> > The fact is that when I try to authenticate my card against radius I'm 
> > not asked to enter a user and a passw and it directly uses an unknown 
> > user for me called PEAP-mi_card_MAC. Wasn't I supposed to be asked to 
> > enter the user?
> >
> > I add the logs in case they can help.
> > thanks a lot
> >
> > bfr
> >
> > rad_recv: Access-Request packet from host 172.26.0.3:1645, id=6, length=161
> > User-Name = "PEAP-000CCE21141B"
> > Framed-MTU = 1400
> > Called-Station-Id = "0040.96a0.19dc"
> > Calling-Station-Id = "000c.ce21.141b"
> > NAS-Port-Type = Wireless-802.11
> > Message-Authenticator = 0x642163f9e77208900dc76dd8c5b48981
> > EAP-Message = 0x0202001601504541502d303030434345323131343142
> > NAS-Port-Type = Virtual
> > NAS-Port = 63
> > Service-Type = Login-User
> > NAS-IP-Address = 172.26.0.3
> > NAS-Identifier = "ap_cisco  "
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "chap" returns noop for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> > rlm_realm: No '@' in User-Name = "PEAP-000CCE21141B", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >   rlm_eap: EAP packet type response id 2 length 22
> >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >   modcall[authorize]: module "eap" returns updated for request 0
> > users: Matched DEFAULT at 177
> >   modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns updated for request 0
> >   rad_check_password:  Found Auth-Type Reject
> >   rad_check_password: Auth-Type = Reject, rejecting user
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 6 to 172.26.0.3:1645
> > Waking up in 4 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 6 with timestamp 40b22f94
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 172.26.0.3:1645, id=7, length=161
> > User-Name = "PEAP-000CCE21141B"
> > Framed-MTU = 1400
> > Called-Station-Id = "0040.96a0.19dc"
> > Calling-Station-Id = "000c.ce21.141b"
> > NAS-Port-Type = Wireless-802.11
> > Message-Authenticator = 0xbabd2bd7b3b9a2cf23018d052dcc7582
> > EAP-Message = 0x0201001601504541502d303030434345323131343142
> > NAS-Port-Type = Virtual
> > NAS-Port = 64
> > Service-Type = Login-User
> > NAS-IP-Address = 172.26.0.3
> > NAS-Identifier = "ap_cisco  "
> >   Processing the authorize section of radiusd.conf
> > modcall: en
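
Added example, not part of the original messages: the User-Name the server sees in these logs is the identity carried in the EAP-Message attribute, so decoding that attribute shows what the supplicant actually sent. This Python sketch parses the EAP header plus the Identity and LEAP bodies; the function names are illustrative, and the hex strings are the values quoted in the debug output in this thread.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}

# EAP-Message values copied from the debug output quoted in this thread.
PEAP_IDENTITY = "0x0202001601504541502d303030434345323131343142"
MD5_IDENTITY = "0x0201000a017573657233"
LEAP_RESPONSE = ("0x02030026110100181d428a77ec2efd6068db56056d5f"
                 "b65edc311c4f4bac5e5d707275656261")


def parse_leap(data):
    """LEAP body: version (1), unused (1), count (1), value (count), user name."""
    if len(data) < 3 or len(data) < 3 + data[2]:
        raise ValueError("LEAP body shorter than its count field claims")
    count = data[2]
    return {"leap_version": data[0],
            "leap_value": data[3:3 + count].hex(),
            "leap_user": data[3 + count:].decode("utf-8", "replace")}


def parse_eap(hex_value):
    """Decode one EAP-Message attribute value as printed in debugging mode."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A long EAP packet is split over several EAP-Message attributes;
        # join them before decoding. A mismatch also catches truncated logs.
        raise ValueError(f"length field says {length}, got {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a type byte
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        eap_type, body = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:
            # The identity travels unencrypted in the outer EAP exchange.
            pkt["identity"] = body.decode("utf-8", "replace")
        elif eap_type == 17:
            pkt.update(parse_leap(body))
    return pkt


if __name__ == "__main__":
    for value in (PEAP_IDENTITY, MD5_IDENTITY, LEAP_RESPONSE):
        print(parse_eap(value))
```

The first value decodes to an Identity response carrying "PEAP-000CCE21141B", which is the name the server then looks up.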

Re: peap user

2004-05-25 Thread BLANCA FERRERO RODRIGUEZ

> > I'm configuring PEAP. I think the freeradius config is Ok.
> ...
> > modcall: group authorize returns updated for request 0
> >   rad_check_password:  Found Auth-Type Reject
> >   rad_check_password: Auth-Type = Reject, rejecting user
> 
>  Nope, it's not.
> 
>  Alan DeKok.
> 

I think that message comes because the user sent by my AP to the radius is not in my 
users file, and it matches a default user I added with Auth-Type = reject... but it 
makes sense doesn't it?


bfr
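
Added example, not part of the original messages: three failures in this thread (the LEAP "No User-Password" error, the Auth-Type Local rejection, and the DEFAULT reject above) can all be read off the same few debug lines. This Python sketch groups debug output per request and reports which case applies; the finding names are made up for this example, and the sample lines are trimmed excerpts of the logs quoted in the thread.

```python
import re

RE_ENTER = re.compile(r"modcall: entering group authorize for request (\d+)")
RE_MODULE = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
RE_MATCH = re.compile(r"users: Matched (\S+) at (\d+)")
RE_AUTHTYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
RE_FINISH = re.compile(r"Finished request \d+")
ERRORS = ("No User-Password or NT-Password configured",
          "No User-Password or CHAP-Password attribute")

# Finding names are hypothetical labels used only in this example.
EXPLAIN = {
    "FILES_NOT_IN_AUTHORIZE": 'authorize ran "eap" but not "files", so no '
                              "users entry supplied a password",
    "LOCAL_AUTH_ON_EAP": "users entry sets Auth-Type Local on an EAP request; "
                         "the fix given in the thread is Auth-Type := eap",
    "DEFAULT_REJECT": "only a DEFAULT entry with Auth-Type Reject matched; "
                      "check the name the supplicant sends",
}

# Trimmed excerpts of the debug output quoted in this thread.
SAMPLE_DEBUG = """\
modcall: entering group authorize for request 8
  modcall[authorize]: module "eap" returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
modcall: entering group authenticate for request 8
rlm_eap_leap: No User-Password or NT-Password configured for this user
auth: Failed to validate the user.
Finished request 8
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched user3 at 92
  modcall[authorize]: module "files" returns ok for request 6
  rad_check_password:  Found Auth-Type Local
auth: No User-Password or CHAP-Password attribute in the request
Finished request 6
modcall: entering group authorize for request 0
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 177
  modcall[authorize]: module "files" returns ok for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
Finished request 0
"""


def summarize(lines):
    """Collect, per request number, what the authorize phase decided."""
    requests, cur = {}, None
    for line in lines:
        m = RE_ENTER.search(line)
        if m:
            cur = requests.setdefault(int(m.group(1)), {
                "modules": {}, "matched": None, "auth_type": None, "errors": []})
            continue
        if cur is None:
            continue
        m = RE_MODULE.search(line)
        if m:
            cur["modules"][m.group(1)] = m.group(2)
        m = RE_MATCH.search(line)
        if m:  # this line carries no request number; it belongs to the open one
            cur["matched"] = (m.group(1), int(m.group(2)))
        m = RE_AUTHTYPE.search(line)
        if m:
            cur["auth_type"] = m.group(1)
        cur["errors"] += [e for e in ERRORS if e in line]
        if RE_FINISH.search(line):
            cur = None
    return requests


def diagnose(req):
    """Map one request summary to the finding names defined in EXPLAIN."""
    findings = []
    is_eap = req["modules"].get("eap") == "updated"
    no_password = any("NT-Password" in e for e in req["errors"])
    if is_eap and "files" not in req["modules"] and no_password:
        findings.append("FILES_NOT_IN_AUTHORIZE")
    if is_eap and req["auth_type"] == "Local":
        findings.append("LOCAL_AUTH_ON_EAP")
    if req["auth_type"] == "Reject" and req["matched"] \
            and req["matched"][0] == "DEFAULT":
        findings.append("DEFAULT_REJECT")
    return findings


def report(lines):
    return {num: diagnose(req) for num, req in summarize(lines).items()}


if __name__ == "__main__":
    for num, findings in report(SAMPLE_DEBUG.splitlines()).items():
        for name in findings:
            print(f"request {num}: {name}: {EXPLAIN[name]}")
```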




PEAP vs EAP/TLS

2004-05-26 Thread BLANCA FERRERO RODRIGUEZ
One doubt, basically the operation between server and AP is the same in EAP/TLS and 
PEAP but for the fact that in the former the user has a cert and in the latter a 
screen should be prompted for the user to introduce its login and passw so the RADIUS 
must check them in the users file?

sorry for the basic question but I'm not able to get the prompt for my user and I'm 
trying to discard any basic mistake in concepts

thanks

bfr



isn't it? 
- Original message -
From: BLANCA FERRERO RODRIGUEZ <[EMAIL PROTECTED]>
Date: Tuesday, May 25, 2004 8:45 am
Subject: Re: peap user

> 
> > > I'm configuring PEAP. I think the freeradius config is Ok.
> > ...
> > > modcall: group authorize returns updated for request 0
> > >   rad_check_password:  Found Auth-Type Reject
> > >   rad_check_password: Auth-Type = Reject, rejecting user
> > 
> >  Nope, it's not.
> > 
> >  Alan DeKok.
> > 
> 
> I think that message comes because the user sent by my AP to the 
> radius is not in my users file, and it matches a default user I 
> added with Auth-Type = reject... but it makes sense doesn't it?
> 
> 
> bfr
> 
> 




how to change xp client using peap

2004-05-28 Thread BLANCA FERRERO RODRIGUEZ
I'm having problems to change the user in windows xp. I tried peap the first time with 
a correct user and everything was fine but now I want to do a prove with another user 
but I'm not prompted anymore to intro a new one and it uses the previous one all the 
time (and I have reconfigured the connection with peap again). Any idea of how to solve 
this?
Thanks a lot

bfr

- Original message -
From: Basile Mathieu <[EMAIL PROTECTED]>
Date: Friday, May 28, 2004 12:07 pm
Subject: peap and xp client






Re: how to change xp client using peap

2004-05-28 Thread BLANCA FERRERO RODRIGUEZ


- Original message -
From: Michael Griego <[EMAIL PROTECTED]>
Date: Friday, May 28, 2004 2:48 pm
Subject: Re: how to change xp client using peap

> There's a Microsoft KB article on this.  I can't remember the title
> offhand, though.  It tells you which registry entry to delete in order
> to force the eapol client to "re-ask" for credentials.
> 
> --Mike
> 

I think I found the article, thanks a lot because all the other attempts were 
unsuccessful

bfr



