Re: EAP (PEAP) problems
Alan DeKok wrote:
> Why did you add Auth-Type = Accept to the server? It's breaking EAP.
>
> Alan DeKok.

Auth-Type = EAP? A few folks had mentioned to us that using the EAP auth type was a bad idea. Why? No idea. It seems obvious, so we'll give it a shot.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP (PEAP) problems
This is freeradius 1.1.1 with a Proxim/Orinoco AP700. We're configured to use PEAP. We seem to be hung up on the EAP start from the AP. Here's some log output. Note the "No EAP Start" part, which I think tells us that the AP isn't relaying the EAP Start properly from the supplicant. Any feedback from the gurus? (-:

rad_recv: Access-Request packet from host ***.***.***.***:6001, id=22, length=154
    User-Name = "testtwo"
    NAS-IP-Address = ***.***.***.***
    Called-Station-Id = "00-20-a6-5d-9c-d1:ourtestssid"
    Calling-Station-Id = "00-20-a6-4c-16-7f"
    NAS-Identifier = "ORiNOCO-AP-700-5d-9c-d1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0204000c017465737474776f
    Message-Authenticator = 0x62af36a7da3b8f655c8a9cda6dba34eb
Wed May 31 13:50:59 2006 : Debug: Processing the authorize section of radiusd.conf
Wed May 31 13:50:59 2006 : Debug: modcall: entering group authorize for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 3
Wed May 31 13:50:59 2006 : Debug: rlm_realm: No '@' in User-Name = "testtwo", looking up realm NULL
Wed May 31 13:50:59 2006 : Debug: rlm_realm: No such realm "NULL"
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 3
Wed May 31 13:50:59 2006 : Debug: rlm_eap: EAP packet type response id 4 length 12
Wed May 31 13:50:59 2006 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module "eap" returns updated for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 3
Wed May 31 13:50:59 2006 : Debug: users: Matched entry testtwo at line 2
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module "files" returns ok for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module "mschap" returns noop for request 3
Wed May 31 13:50:59 2006 : Debug: modcall: leaving group authorize (returns updated) for request 3
Wed May 31 13:50:59 2006 : Debug: rad_check_password: Found Auth-Type Accept
Wed May 31 13:50:59 2006 : Debug: rad_check_password: Auth-Type = Accept, accepting the user
Wed May 31 13:50:59 2006 : Auth: Login OK: [testtwo/<no User-Password attribute>] (from client testAP port 0 cli 00-20-a6-4c-16-7f)
Sending Access-Accept of id 22 to ***.***.***.*** port 6001
Wed May 31 13:50:59 2006 : Debug: Finished request 3
Wed May 31 13:50:59 2006 : Debug: Going to the next request
Wed May 31 13:50:59 2006 : Debug: --- Walking the entire request list ---
Wed May 31 13:50:59 2006 : Debug: Waking up in 6 seconds...
Wed May 31 13:51:05 2006 : Debug: --- Walking the entire request list ---
Wed May 31 13:51:05 2006 : Debug: Cleaning up request 3 ID 22 with timestamp 447dd783
Wed May 31 13:51:05 2006 : Debug: Nothing to do. Sleeping until we see a request.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com
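The following is an added example, not part of the posts and not FreeRADIUS code: it decodes the EAP-Message value from the request above and flags requests in a debug log that carried EAP but were accepted through Auth-Type = Accept, the condition Alan DeKok's reply points at. The function names, the constructed request 4 in the sample and the one-packet-per-attribute assumption belong to the example.

```python
import re

# EAP codes and a few method types (RFC 3748 and the IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def parse_eap(hex_value):
    """Decode one EAP packet from an EAP-Message value such as 0x0204...."""
    raw = bytes.fromhex(hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # Assumption: the packet fits in one attribute (no fragmentation).
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": length}
    if raw[0] in (1, 2) and length > 4:  # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def find_eap_accept_bypass(log_lines):
    """Return request numbers where rlm_eap saw a packet but the request was
    accepted by Auth-Type = Accept, so no EAP method ever ran."""
    flagged, saw_eap, forced_accept = [], False, False
    for line in log_lines:
        if "rlm_eap: EAP packet type" in line:
            saw_eap = True
        if "Auth-Type = Accept, accepting the user" in line:
            forced_accept = True
        done = re.search(r"Finished request (\d+)", line)
        if done:  # assumes non-interleaved debug output, as in the post
            if saw_eap and forced_accept:
                flagged.append(int(done.group(1)))
            saw_eap = forced_accept = False
    return flagged

# Request 3 lines are taken from the debug output in the post; request 4 is a
# constructed control in which the eap module handles authentication.
SAMPLE_LOG = """\
Debug: rlm_eap: EAP packet type response id 4 length 12
Debug: rad_check_password: Found Auth-Type Accept
Debug: rad_check_password: Auth-Type = Accept, accepting the user
Debug: Finished request 3
Debug: rlm_eap: EAP packet type response id 5 length 12
Debug: rad_check_password: Found Auth-Type EAP
Debug: Finished request 4
""".splitlines()

if __name__ == "__main__":
    print(parse_eap("0x0204000c017465737474776f"))
    print(find_eap_accept_bypass(SAMPLE_LOG))
```

A flagged request is one where the server answered an EAP Response/Identity with an immediate Access-Accept, so the PEAP exchange never took place and no credential was checked.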
Re: 802.11 AP Access-Accept problem
Alan DeKok wrote:
> Drew Linsalata <[EMAIL PROTECTED]> wrote:
>> Freeradius is authenticating users as per our requirements, and is sending Access-Accept to the AP.
>> ...
>> Sending Access-Accept of id 3 to W.X.Y.Z port 6001
>
> With no contents, apparently. That would explain why the AP is ignoring it.

No, even sending the rest of the goodies the AP ignores it. I shouldn't have been so quick in truncating the log output. (-:

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com
802.11 AP Access-Accept problem
We have a working freeradius install authenticating clients via a Proxim/Orinoco AP-700 access point. The AP is configured to do EAP authentication via the radius server. No problem with that. Freeradius is authenticating users as per our requirements, and is sending Access-Accept to the AP.

rad_recv: Access-Request packet from host W.X.Y.Z:6001, id=3, length=154
    User-Name = "testuser"
    NAS-IP-Address = W.X.Y.Z
    Called-Station-Id = "00-20-a6-5d-9c-d1:ourSSID"
    Calling-Station-Id = "00-06-25-2f-8c-4e"
    NAS-Identifier = "ORiNOCO-AP-700-5d-9c-d1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0204000c01746573746f6e65
    Message-Authenticator = 0x75e8339aab77b394dab2beef5e9228dd
Sending Access-Accept of id 3 to W.X.Y.Z port 6001

Problem is, the AP isn't getting the accepts. The EAP request counter increments on the AP when we attempt a connection. The EAP reject counter increments on the AP when we connect with bad credentials. The EAP accept counter never increments even with successful authentication. The Windows client is left in "Validating Identity" state.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com
Re: Freeradius Guru Needed to Write Config
Sorry, folks. I made the dumb mistake of not checking the reply-to. That last message was not intended for the list.

Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation
Long Island, New York
http://www.gothambus.com
Re: Freeradius Guru Needed to Write Config
Christopher Carver writes:
> Mr. Linsalata,
>
> Your offer is interesting. I have been administrating a freeradius server that authenticates a customer base of 40,000 for the past 5 years. I'm interested in the terms of your offer. I believe what you're trying to do is well within my capabilities.
>
> Chris Carver
> Pennswoods.Net Network Engineer

You could probably knock this out in no time at all, which is great for us!

This is a very small application - about a dozen users with logins coming few and far between. Each user has a username, a password, and the unique MAC address of his or her wireless card. If all three match - the user is allowed onto the wireless network and is given a specific IP address. If not, the user is rejected.

We were going to authenticate out of a MySQL database running on the same server, but that was only to take advantage of the dialup_admin GUI. Problem is that dialup_admin doesn't deal with MAC addresses, so the local users file will be fine.

The server is already built (CentOS) and Freeradius is already installed. I figure it's probably $500 - $600 worth of work in an afternoon for someone that knows what they're doing. Interested?

Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation
Long Island, New York
http://www.gothambus.com
Freeradius Guru Needed to Write Config
This should be simple for most of you. We have a customer that needs to authenticate wireless clients (on a Proxim AP-700) via both username/password and MAC address. We have zero man-hours to devote to this, and it's been quite a long time since any of us was in RADIUS mode. (-:

If anyone wants to make a few bucks on this, contact me off-list and we can go over the requirements.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com