PEAP + MSCHAPv2 reject and re-connect loop
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "SUNCITI\John", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
modcall[authorize]: module "files" returns ok for request 8
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established.  Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure.  User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.144.1.98:4856, id=8, length=245
Sending Access-Reject of id 8 to 10.144.1.98 port 4856
	EAP-Message = 0x04080004
	Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 10.144.1.98:4858, id=0, length=206
	Message-Authenticator = 0x84bbf500f51ef55f836a9d02b51b9ec4
	Service-Type = Framed-User
	User-Name = "SUNCITI\\John"
	Framed-MTU = 1488
	Called-Station-Id = "00-24-73-50-BC-00:SML"
	Calling-Station-Id = "1C-AF-F7-69-D9-0E"
	NAS-Identifier = "3Com Access Point 7760"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x02110153554e434954495c4a6f686e
	NAS-IP-Address = 10.144.1.98
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "
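Reading the trace above: the rlm_pap warning about no "known good" password is not the problem (the outer request is Auth-Type EAP, so rlm_pap correctly returns noop). The line that explains the reject is rlm_eap_peap's "Had sent TLV failure": the inner MSCHAPv2 exchange already failed in an earlier packet of this PEAP session, the server then sent an EAP-TLV Result of failure, the client acknowledged it, and this packet is the final Access-Reject, whose EAP-Message 0x04080004 is an EAP Failure (code 4, id 8, length 4). The supplicant then re-associates and the whole exchange starts again, which is the loop in the subject, so the real cause sits in the earlier request of the same session where rlm_mschap ran, not in request 8. The Python script below is an added example (not code from the post or from FreeRADIUS) that walks radiusd -X output and reports, per request, the failing section and module, the reason lines and the EAP code carried in the reply, and decodes EAP-Message values. The sample log is an excerpt of the trace quoted above, the well-formed identity response is constructed, and the regexes, marker strings and function names are this example's own. The identity response as printed above (0x0211015355...) is 15 bytes with no valid length field, which the decoder flags rather than guessing.

```python
"""Walk FreeRADIUS debug output (radiusd -X) and explain an Access-Reject.
Added example, not code from the original post or from FreeRADIUS: the sample
log is an excerpt of the output quoted above, WELL_FORMED_IDENTITY is
constructed, and the regexes and function names are this example's own."""
import re
from typing import Dict, Optional

# Excerpt (request 8) of the radiusd -X output quoted above.
SAMPLE_LOG = """\
modcall: entering group authorize for request 8
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 8
modcall: leaving group authorize (returns updated) for request 8
rlm_eap_peap: Had sent TLV failure.  User was rejcted rejected earlier in this session.
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Sending Access-Reject of id 8 to 10.144.1.98 port 4856
        EAP-Message = 0x04080004
"""
# Constructed: a well-formed EAP Identity response for "SUNCITI\John" (code 2,
# id 0x11, length 0x0011, type 1, data).  The value quoted on the page is 15
# bytes with no valid length field; parse_eap_message flags it instead of guessing.
WELL_FORMED_IDENTITY = "0x021100110153554e434954495c4a6f686e"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "MSCHAPv2", 33: "TLV"}

def parse_eap_message(hexstr: str) -> Dict[str, object]:
    """Decode an EAP-Message value (RFC 3748: code, id, length(2), [type, data]).
    'consistent' is False when the length field disagrees with the bytes present;
    type and data are decoded only when it is True, so truncation is reported."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    info: Dict[str, object] = {"bytes": len(raw), "consistent": False}
    if len(raw) < 4:
        return info
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    info.update(code=code, code_name=EAP_CODES.get(code, "Unknown"),
                id=ident, length=length, consistent=(length == len(raw)))
    if info["consistent"] and code in (1, 2) and len(raw) >= 5:
        info.update(type=raw[4], type_name=EAP_TYPES.get(raw[4], "Unknown"), data=raw[5:])
    return info

ENTER_RE = re.compile(r'modcall: entering group (\w+) for request (\d+)')
MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\S+) for request (\d+)')
LEAVE_RE = re.compile(r'modcall: leaving group (\w+) \(returns (\S+)\) for request (\d+)')
SEND_RE = re.compile(r'Sending (Access-\w+) of id \d+ to \S+ port \d+')
EAP_ATTR_RE = re.compile(r'EAP-Message = (0x[0-9A-Fa-f]+)')
# Lines that state the cause.  The rlm_pap "known good" warning is left out on
# purpose: with Auth-Type EAP on the outer request it is noise, not the reason.
REASON_MARKERS = ("Had sent TLV failure", "Failed to validate the user", "rlm_mschap: FAILED")

def parse_debug(log: str) -> Dict[str, Dict[str, object]]:
    """Group -X output by request number.  A reply is tied to the request seen last:
    the packet id in 'Sending ... of id N' is not the request number (request 9
    on the page carries packet id 0)."""
    reqs: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    in_reply = False
    def rec(req: str) -> Dict[str, object]:
        return reqs.setdefault(req, {"modules": [], "sections": {}, "reasons": [],
                                     "reply": None, "reply_eap": []})
    for raw_line in log.splitlines():
        indented = raw_line[:1] in ("\t", " ")  # attribute dumps are indented
        line = raw_line.strip()
        if not indented:
            in_reply = False
        if m := ENTER_RE.search(line):
            current = m.group(2)
            rec(current)
        elif m := MODULE_RE.search(line):
            section, module, rc, current = m.groups()
            rec(current)["modules"].append((section, module, rc))
        elif m := LEAVE_RE.search(line):
            section, rc, current = m.groups()
            rec(current)["sections"][section] = rc
        elif (m := SEND_RE.search(line)) and current is not None:
            rec(current)["reply"] = m.group(1)
            in_reply = True
        elif in_reply and (m := EAP_ATTR_RE.search(line)):
            rec(current)["reply_eap"].append(parse_eap_message(m.group(1)))
        elif current is not None and any(mk in line for mk in REASON_MARKERS):
            rec(current)["reasons"].append(line)
    return reqs

def verdict(log: str, request: str) -> Dict[str, object]:
    """First failing section, the module that returned its code, reasons and reply."""
    r = parse_debug(log).get(request)
    if r is None:
        return {"found": False}
    failing = [(s, rc) for s, rc in r["sections"].items() if rc in ("reject", "invalid", "fail")]
    section, rc = failing[0] if failing else (None, None)
    module = next((mod for s, mod, code in r["modules"] if s == section and code == rc), None)
    return {"found": True, "failing_section": section, "failing_module": module,
            "reasons": list(r["reasons"]), "reply": r["reply"],
            "reply_eap_codes": [e.get("code_name") for e in r["reply_eap"]]}

if __name__ == "__main__":
    print(verdict(SAMPLE_LOG, "8"))
    print(parse_eap_message("0x02110153554e434954495c4a6f686e"), parse_eap_message(WELL_FORMED_IDENTITY))
```

Feed it the complete -X output (parse_debug on the whole file) and look at the verdict for the earlier request of the same session, where the inner mschap module actually ran; that request's reason lines are the cause, request 8 only records the TLV acknowledgement. The "rlm_mschap: FAILED" marker is assumed here to be the prefix these versions print for an inner MSCHAPv2 failure; check it against what your build prints and extend REASON_MARKERS with any other module line you care about.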
What does the module rlm_krb5 do?
Hi,

I am new to FreeRADIUS. I would like to set up FreeRADIUS such that the AS proxies the Kerberos authentication request from the access point to the Kerberos KDC, and the access point grants access to the wired network upon successful authentication.

I googled about the subject and found the following articles about the module rlm_krb5:
http://wiki.freeradius.org/Rlm_krb5
http://archives.free.net.ph/message/20060104.153134.68c5be76.en.html

Does anyone know what the module rlm_krb5 does? Is it the module I need to use to do the job?

Thanks a lot.

John Mok

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HOWTO WLAN Access Point authenticate user via kerberos
Hi Phil,

Thank you for your prompt reply. I googled about the subject and found the following message:
http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html

Can anyone tell me what the module rlm_krb5 does? Does the module proxy the Kerberos authentication to the KDC on behalf of the WLAN users, and grant access to the wired network upon successful authentication?

WLAN client ---EAP--- Access Point ---kerberos--- KDC

Thanks a lot.

John Mok

Phil Mayers wrote:

John Mok wrote:

Hi, I am new to FreeRADIUS. I would like to set up FreeRADIUS such that the access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos) and grants access to the wired network upon successful authentication. Is FreeRADIUS the right tool to use? If so, I hope someone could point me to the documentation on how to set it up. Is there any requirement on the access point, e.g. is support for 802.1X sufficient?

Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically means taking the username's plaintext password and doing a "kinit" with it. This means you will need to do EAP-TTLS/PAP, which requires installing software on Windows clients, because Windows doesn't support TTLS. The common choice for Windows clients is EAP-PEAP/MSCHAPv2, with the MSCHAP checked against Active Directory using Samba in domain-member mode and the ntlm_auth helper. But yes - once you've got EAP-TTLS/PAP working, you can check the PAP request against Kerberos. For more info, see here: http://deployingradius.com/documents/protocols/compatibility.html
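What rlm_krb5 does, and how it fits the topology drawn above (this answers the question in both of John's messages), as an added example that is not part of the thread or of the FreeRADIUS project: the module takes the cleartext User-Password from the request and asks the KDC for initial credentials for that user, i.e. the "kinit" Phil describes; a ticket means accept, anything else means reject. Nothing Kerberos ever reaches the access point. With 802.1X the AP only relays EAP frames between the client and the RADIUS server, so 802.1X (WPA/WPA2-Enterprise) support on the AP is all that is needed. The module can only run where the server sees the password, which is EAP-TTLS with an inner PAP; PEAP/MSCHAPv2 carries a challenge/response derived from the NT hash and no cleartext, so those clients go through ntlm_auth instead. The fragments below use the 2.x file layout and 2.x unlang, and leave the outer default virtual server as shipped (eap in authorize and authenticate); the keytab path, principal, realm, certificate files and ntlm_auth path are placeholders.

```conf
# Added example, not from the thread or from FreeRADIUS: 2.x-style raddb
# fragments for EAP-TTLS/PAP checked against a Kerberos KDC by rlm_krb5,
# plus the PEAP/MSCHAPv2 + ntlm_auth route for Windows clients.
# Placeholders: keytab path, principal/realm, certificate files, ntlm_auth path.

# --- raddb/modules/krb5 ---
krb5 {
	# The key for service_principal must be in keytab.  The module uses them
	# to verify the credentials it obtained for the user against the service
	# key, so a host impersonating the KDC cannot "accept" any password.
	keytab = /etc/raddb/radius.keytab
	service_principal = radius/radius.example.com@EXAMPLE.COM
}

# --- raddb/eap.conf, inside eap { ... } (other tls options as shipped) ---
	default_eap_type = ttls
	tls {
		certificate_file = ${confdir}/certs/server.pem
		private_key_file = ${confdir}/certs/server.pem
		CA_file = ${confdir}/certs/ca.pem
	}
	ttls {
		# The inner request, carrying User-Password in the clear inside the
		# TLS tunnel, is processed by the inner-tunnel virtual server.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

# --- raddb/sites-available/inner-tunnel ---
server inner-tunnel {
	authorize {
		suffix
		# Only the tunneled PAP request carries User-Password.  Inner EAP
		# (PEAP/MSCHAPv2) has none and is left to the eap module.
		if (User-Password) {
			update control {
				Auth-Type := Kerberos
			}
		}
		eap
	}
	authenticate {
		# The section name and the Auth-Type value set above must match;
		# the name itself is arbitrary.
		Auth-Type Kerberos {
			krb5
		}
		eap
	}
}

# --- raddb/modules/mschap: the Windows route Phil describes.  The NT
# challenge/response is checked by Samba's ntlm_auth against AD; there is no
# cleartext password here, so Kerberos cannot be consulted for these clients.
mschap {
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Two checks before going live: keep keytab and service_principal set, since they are what the module has to verify the KDC's answer against (without that step a host answering as the KDC could let any password through, the classic KDC-spoofing problem); and do not leave radiusd -X running in production, because the tunneled PAP request is printed with User-Password in the clear.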
HOWTO WLAN Access Point authenticate user via kerberos
Hi,

I am new to FreeRADIUS. I would like to set up FreeRADIUS such that the access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos) and grants access to the wired network upon successful authentication. Is FreeRADIUS the right tool to use? If so, I hope someone could point me to the documentation on how to set it up. Is there any requirement on the access point, e.g. is support for 802.1X sufficient?

Thanks a lot.

John Mok