dial-up admin and authentication time

2006-06-27 Thread Pelusa Vali
hi list, i have 2 questions, hope you could help.
1) trying to use dial-up admin in my wlan, i installed it and created tables, 
first filled them manually with some users, later filled new users using the 
dial-up interface, but i can only see the first user's statistics, any other user, 
even connected, is not shown.  anybody know where i am failing??
2) time of authentication is too long, i guess, i use madwifi and hostapd, 
the first time clients connect authentication could take 5-6 minutes, after 10 
minutes they are disconnected (don't know why) and re-authenticated, it takes 
now 1-2 minutes.  are there any parameters i should change or why is it 
happening???

thanks for your time and help.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


connection problems

2006-04-24 Thread Pelusa Vali
hi list, well i use debian etch, kernel 2.6.15.6, madwifi-ng-r1475, freeradius 
1.1.0, hostapd 0.5.2 and a linksys wmp55ag as wireless adaptor.  i can set it up 
as access point, but have a big problem.  if i only set up the access point without 
security or using wep, clients disconnect after 2-8 minutes and can't 
reconnect, only if the ap is reset.  
so i used hostapd to set WPA-PSK and the link was very stable for hours.
now i set WPA-EAP using freeradius configured for PEAP.  it worked very well for 
8 days.  stable, only the connection delay was too large, but it worked.
after 8 days, clients deauthenticate and reauthenticate every 3-5 minutes.
i think it's related to madwifi, because of the first problem i described.
anybody has the same behavior?? if so, how could it be solved??
it's annoying, clients are working and suddenly they lose connection and 
must wait until it is re-established, it takes from 1 to 10 minutes to 
complete, if at all.
do you have any idea??
thanks for your help




Re: mysql-devel??

2006-04-06 Thread Pelusa Vali
> If you plan to use freeradius+mysql on debian I suggest you just install the 
> packages that come with it. It's not really necessary to compile it 
> yourself..

Thanks Peter, now my question is, i want to use it to add security to a wlan and 
use hostapd and the madwifi driver, so, is it not necessary to compile 
freeradius??, i use openssl to create certificates (use eap-peap).  
Second, do you know any way to uninstall freeradius in debian??
thanks again.






frontend for freeradius???

2006-03-30 Thread Pelusa Vali
hi list, i have a question, is there any freeradius frontend to administer 
users which doesn't assume i have ldap or mysql?? my users are only in the users 
file, i reviewed dialup_admin and php radius accounting tool, but both assume i 
have mysql or ldap, i just want some program with a graphical interface to add 
users and passwords in freeradius, and if possible monitor them.
is there something like that??
thanks.




slow and delayed connection

2006-03-28 Thread Pelusa Vali
hi list, well, finally my linux based ap works with wpa-eap, i use debian etch, 
madwifi-ng-r1475, freeradius 1.1.0 and hostapd 0.5.2. my ap can authenticate 
users and they can connect to the wlan, everything ok.  but now the result is they 
can't surf the internet because the connection is very slow, they can't even access 
google or yahoo, the connection is too slow and requests are never completed or 
delayed by 35-120 seconds.  i'm just performing tests, so ap and clients are 
in the same room.
and when clients are authenticating i get lots of messages like this:

IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 BE_AUTH entering state IDLE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
WPA: 00:0f:66:11:c1:96 WPA_PTK entering state INITPMK
WPA: PMK from EAPOL state machine (len=32)
WPA: 00:0f:66:11:c1:96 WPA_PTK entering state PTKSTART
ath0: STA 00:0f:66:11:c1:96 WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(secure=0 mic=0 ack=1 install=0 pairwise=1 ie_len=0 gtk_len=0 
key idx=0 encr=0)
TX EAPOL - hexdump(len=113): 00 0f 66 11 c1 96 00 0f 66 11 c1 97 88 8e 02 03 00 
5f fe 00 89 00 20 00 00 00 00 00 00 00 01 bb a5 40 06 72 ff 43 57 37 d3 d3 67 
f1  5c 13 3f 6c 48 d1 fb 14 5a 31 ce b2 ce 47 a9 96 20 a5 20 00 00 00 00 00 00 
00 0 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

and authentication is delayed 2 minutes, is it normal??

using ethereal to monitor the wlan i get a lot (but really many) of messages like 
this:

SOURCE DESTINATION   PROTOCOL  INFO
Cisco-Li_11:c1:96  192.168.50.1  MDS HEADER[Malformed 
Packet]

where 192.168.50.1 is the ap's ip address.
these are my configuration files:

MADWIFI:

rmmod ath_pci
modprobe ath_pci autocreate=ap
ifconfig ath0 up
iwpriv ath0 mode 3
iwconfig ath0 essid MYWLAN
iwconfig ath0 channel auto
iwconfig ath0 bitrate 54M
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/networking restart
IPTABLES=/sbin/iptables
$IPTABLES -F -t nat
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
/etc/init.d/dhcp restart

HOSTAPD:

interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=1
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=MYWLAN
macaddr_acl=0
auth_algs=1
ieee8021x=1
eap_server=0
own_ip_addr=127.0.0.1
nas_identifier=www.srvw1.com
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=mywlan
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=mywlan
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
wpa_group_rekey=300
wpa_gmk_rekey=640

I think this behavior is related to freeradius because i tested using only 
hostapd with psk and without security and everything was right, connection 
speed and everything fine, but activating freeradius the connection speed is 
very poor.

so is there any parameter in freeradius i should activate or change to avoid this 
problem??
these are freeradius configuration files:

USERS:

User1

DEFAULT Auth-Type = EAP
Fall-Through = 1

CLIENTS:

client 192.168.50.0/24 {
secret  = mywlan
shortname   = MYWLAN
}

EAP:
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no

will this work?

2006-03-12 Thread Pelusa Vali
hi everybody, i use debian sarge, madwifi-ng-r1457, hostapd 0.4.8 and 
freeradius 1.1, i want to use eap-tls, is there any special configuration or 
patch that should be applied to any of these programs to get them to work? i tried 
configurations from madwifi users docs and many tutorials, but nothing works.  
simply clients can't authenticate, always get: Access-Reject.  
these are my conf files:

MADWIFI:

modprobe ath_pci autocreate=ap
wlanconfig ath0 create wlandev wifi0 wlanmode ap
ifconfig ath0 up
iwpriv ath0 mode 3
iwconfig ath0 essid MYWLAN
iwconfig ath0 channel 2
iwconfig ath0 bitrate 54M
iwconfig ath0 frag 512
iwconfig ath0 rts 250
iwpriv ath0 ar 1
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/networking restart
IPTABLES=/sbin/iptables
$IPTABLES -F -t nat
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
/etc/init.d/dhcp stop
/etc/init.d/dhcp start

DHCP:
subnet 192.168.10.0 netmask 255.255.255.0 {  
range 192.168.10.2 192.168.10.30;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.10.255;
  default-lease-time 600;
  max-lease-time 7200;
}

HOSTAPD:
interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=MYWLAN
macaddr_acl=0
auth_algs=3
ieee8021x=1
eap_message=hello
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
nas_identifier=www.server.com
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=whatever
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=whatever
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
wpa_strict_rekey=1
wpa_gmk_rekey=86400

DEFAULT HOSTAPD:
#RUN_DAEMON=yes

RADIUS USERS:
pupis 
DEFAULT Auth-Type = System
 Fall-Through = 1

here i tried too: DEFAULT   Auth-Type = EAP
 Fall-Through = 1

each one alone, and together.

RADIUS CLIENTS.CONF:
client 127.0.0.1 {
secret = whatever
shortname  = www.server.com
}

RADIUS EAP.CONF:
default_eap_type = tls
tls {
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}

when i run, get this:

hostapd logs:
Sending RADIUS message to accounting server
RADIUS message: code=4 (Accounting-Request) identifier=0 length=88
   Attribute 40 (Acct-Status-Type) length=6
  Value: 7
   Attribute 45 (Acct-Authentic) length=6
  Value: 1
   Attribute 4 (NAS-IP-Address) length=6
  Value: 127.0.0.1
   Attribute 32 (NAS-Identifier) length=14
  Value: 'www.server.com'
   Attribute 30 (Called-Station-Id) length=30
  Value: '00-0F-66-11-C1-97:MYWLAN'
   Attribute 49 (Acct-Terminate-Cause) length=6
  Value: 11
Next RADIUS client retransmit in 3 seconds
Flushing old station entries

running locally radtest:

radtest pupis whatever localhost 0 whatever
Sending Access-Request of id 178 to 127.0.0.1 port 1812
User-Name = pupis
User-Password = whatever
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=178, length=20

by the way, i can't run radclient or radeapclient, when i use them, i don't get any 
response.

but now, winxp clients don't detect this wlan as activated with wpa, only as a wlan 
without security, and don't get any ip address, even though i'm using dhcp.  if i 
don't run radius and hostapd then clients do get an ip address and can use the wlan.

so, my question again is, what should i do to get eap-tls working?? i heard 
that maybe this won't work with debian, could it be a possible explanation?? 
i'm really tired, i tried everything i could think of, and don't know what more i 
should do.
thanks in advance for your patience.




eap don't work

2006-03-08 Thread pelusa vali
hi everybody, i have problems using freeradius 1.0.5, i can't get it to work 
as i hope.  well i installed freeradius in my server and tried to see if 
clients can authenticate, so first i tried a test on the server, my ip is 
192.168.10.1, i generated certificates to use TLS.


this is my users file:

mec01   Auth-Type := EAP

and clients.conf file:

client 192.168.10.1 {
   secret = clue
   shortname  = www.kill.com

}

i tried putting localhost in shortname too, but nothing happens

eap.conf file:

tls {
private_key_file = ${raddbdir}/certs/www.kill.com.pem
certificate_file = ${raddbdir}/certs/www.kill.com.pem
CA_file = ${raddbdir}/certs/demoCA/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
...
}

so, i do this:

www:~# radtest mec01 clue www.kill.com 0 clue
Sending Access-Request of id 49 to 192.168.10.1 port 1812
   User-Name = mec01
   User-Password = clue
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
rad_recv: Access-Reject packet from host 192.168.10.1:1812, id=49, length=20

in messages from radius i see this:

rad_recv: Access-Request packet from host 192.168.10.1:32768, id=49, 
length=62
   User-Name = mec01
   User-Password = clue
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
rad_rmspace_pair:  User-Password now 'clue'
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = mec01, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1
   users: Matched entry mec01 at line 97
 modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
 modcall[authenticate]: module eap returns fail for request 1
modcall: leaving group authenticate (returns fail) for request 1
auth: Failed to validate the user.
Login incorrect: [mec01/clue] (from client localhost port 0)
rad_lowerpair:  User-Name now 'mec01'
rad_rmspace_pair:  User-Name now 'mec01'
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = mec01, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1
   users: Matched entry mec01 at line 97
 modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
 modcall[authenticate]: module eap returns fail for request 1
modcall: leaving group authenticate (returns fail) for request 1
auth: Failed to validate the user.
Login incorrect: [mec01/clue] (from client localhost port 0)
Delaying request 1 for 1 seconds
Finished request 1

so i reviewed keys and shared secret and they are correct in server, client 
and CA, i even generated them again.  i see radius says: rlm_eap: Malformed 
EAP Message, so maybe i installed freeradius in a bad way? or what is 
happening? why doesn't the server authenticate users?


thanks in advance.



RE: eap don't work

2006-03-08 Thread pelusa vali

first of all, thanks so much alan for your quick response

> Hi,
> > hi everybody, i have problems using freeradius 1.0.5, i can't get it to 
> > work as i hope.  well i installed freeradius in my server and tried to see if
> > clients can authenticate, so first tried test over server, my ip is
> > 192.168.10.1, i generate certificates to use TLS.
> >
> > this is my users file:
> >
> > mec01  Auth-Type := EAP
>
> don't do this. just don't do this at all. read the docs.

excuse me, i read many tutorials and all of them say this is correct, so 
please could you refer me to the right doc?? maybe freeradius docs? exactly 
which?


and again thanks for your answer.



problems authenticating using madwifi, hostapd and freeradius

2006-03-01 Thread pelusa vali
hi everybody, well this is a quite long mail: i'm using debian sarge kernel 
2.6.13, openssl 0.9.8a, hostapd 0.5.1, freeradius 1.0.5, madwifi-ng-r1406, i 
want to use eap-tls in my wlan over my own ap on linux. so i could 
install and configure all programs (except hostapd, so instead of compiling it 
myself i installed it from .deb format), now i have my certificates and 
programs running but when i try to connect a windows client it always stops in 
this state: Trying to authenticate, and nothing more happens. i generated 
certificates using winxp extensions.


here is my madwifi configuration:

modprobe ath_pci
wlanconfig ath0 create wlandev wifi0 wlanmode ap
ifconfig ath0 up
/etc/init.d/networking restart
IPTABLES=/sbin/iptables
$IPTABLES -F -t nat
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/dhcp restart
iwpriv ath0 mode 3
iwconfig ath0 essid MYWLAN
iwconfig ath0 channel 5
iwconfig ath0 bitrate 54M
iwconfig ath0 frag 512
iwconfig ath0 rts 250

and this is my hostapd.conf file:

interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=3
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=MYWLAN
macaddr_acl=0
auth_algs=3
ieee8021x=1
eap_message=hello_clients
eapol_key_index_workaround=0
eap_reauth_period=3600
eap_server=0
auth_server_addr=192.168.50.1
auth_server_port=1812
auth_server_shared_secret=pupis
acct_server_addr=192.168.50.1
acct_server_port=1813
acct_server_shared_secret=pupis
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
wpa_group_rekey=600
rsn_preauth=1

this is clients.conf in radius:

client 192.168.50.0/24 {
secret = pupis
shortname   = www.mymachine.com
}

users file:

Administrador   Auth-Type := EAP

eap.conf file:

tls {
private_key_file = /root/miscerts/servidor.pem
certificate_file = /root/miscerts/servidor.pem
CA_file = /root/miscerts/cacert.pem
dh_file = /root/miscerts/dh
random_file = /root/miscerts/random
fragment_size = 1024
include_length = yes
check_crl = yes
   check_cert_cn = %{User-Name}
}

and this is radiusd.conf file:

user = nobody
group = nobody
bind_address = *
port = 0



here you have an extract from freeradius messages:

Sending Access-Challenge of id 45 to 192.168.50.1:32770

   Message-Authenticator = 0x00 00
   State = 0x1a0c83eb55ba1000a03c23980883a7aa
Finished request 54
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.50.1:32770 , id=46, 
length=176

   User-Name = Administrador
   NAS-IP-Address = 192.168.50.1
   NAS-Port = 0
   Called-Station-Id = 00-0F-66-11-C1-97:MYWLAN
   Calling-Station-Id = 00-0F-66-11-C1-96
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message = 0x020c00060d00
   State = 0x1a0c83eb55ba1000a03c23980883a7aa
   Message-Authenticator = 

authentication failure

2006-02-28 Thread pelusa vali
hi everybody, i'm using debian sarge kernel 2.6.13, openssl 0.9.8a, hostapd 
0.5.1, freeradius 1.0.5, madwifi-ng-r1406, i want to use eap-tls in my wlan 
over my own ap on linux. so i could install and configure all programs 
(except hostapd, so instead of compiling it myself i installed it from .deb format),
now i have my certificates and programs running but when i try to connect a 
windows client it always stops in this state:


Trying to authenticate, and nothing more happens. i generated certificates using 
winxp extensions and tried to export and install them in winxp but always the same 
behavior.  clients can't get an ip address, but before implementing this 
they could.


here you have an extract from freeradius messages:

--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.50.1:32771, id=14, 
length=250

   User-Name = Administrador
   NAS-IP-Address = 192.168.50.1
   NAS-Port = 0
   Called-Station-Id = 00-0F-66-11-C1-97:WLAN1
   Calling-Station-Id = 00-12-F0-BC-C1-68
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message = 
0x021400500d8000461603010041013d03014403d116c1beab0d54a 
903ac411f6de1bd9eaf339bf5ac89f9e0ff0a7410c6881600040005000a0009006400620003000600 
13001200630100

   State = 0x6780e9b9e7fd2c531421b8437d11c9db
   Message-Authenticator = 0x11d975fb9373293a13b5a0b3ad2f6f1f
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
 modcall[authorize]: module preprocess returns ok for request 19
 modcall[authorize]: module chap returns noop for request 19
 modcall[authorize]: module mschap returns noop for request 19
   rlm_realm: No '@' in User-Name = Administrador, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 19
 rlm_eap: EAP packet type response id 20 length 80
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 19
   users: Matched entry Administrador at line 97
 modcall[authorize]: module files returns ok for request 19
modcall: group authorize returns updated for request 19
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
   (other): before/accept initialization
   TLS_accept: before/accept initialization
 rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 025c], Certificate
   TLS_accept: SSLv3 write certificate A
 rlm_eap_tls:  TLS 1.0 Handshake [length 0070], CertificateRequest
   TLS_accept: SSLv3 write certificate request A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
 eaptls_process returned 13
 modcall[authenticate]: module eap returns handled for request 19
modcall: group authenticate returns handled for request 19
Sending Access-Challenge of id 14 to 192.168.50.1:32771

how to confirm locally??

2006-02-27 Thread pelusa vali
hi everybody, i'm using debian sarge kernel 2.6.13, openssl 0.9.8a, hostapd 
0.5.1, freeradius 1.0.5, madwifi-ng-r1406, i want to use eap-tls in my wlan 
over my own ap on linux. so i could install and configure all programs 
(except hostapd, so instead of compiling it myself i installed it from .deb format), 
now i have my certificates and programs running but when i try to connect a 
windows client i get this error: Received packet from (my freeradius server 
ip address) with invalid Message Authenticator (invalid signature) (shared 
secret is incorrect). i generated certificates using winxp extensions. so my 
question is: is there any way i can test my certificates from freeradius?? 
any command? or maybe install wpa-supplicant on my debian and test from 
there (authenticator and supplicant on the same machine??). If clients try to 
connect without freeradius and hostapd running it's possible, but with these 
two programs clients immediately lose their ip address and show a message of 
Error authenticating.

could anybody try to help?
thanks in advance for your help and time.

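An added example (not code from the thread or from the FreeRADIUS project) that ties together the two questions above: why a radtest Access-Request (User-Password, no EAP-Message) makes rlm_eap report "EAP-Message not found", and what the "invalid Message Authenticator (shared secret is incorrect)" check actually computes. It builds an Access-Request carrying an EAP-Response/Identity with a valid Message-Authenticator, builds the server's Access-Challenge, and verifies both under the right and a wrong shared secret. The secret, identifier and fixed request authenticator are constructed test values; a real NAS picks the authenticator at random.

```python
"""RADIUS packets carrying EAP: build them as a NAS does, verify them as a NAS
and as FreeRADIUS do.  All values below are constructed test data."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity (RFC 3748 5.1): Code, Identifier, Length, Type, data."""
    return (struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity))
            + bytes([EAP_TYPE_IDENTITY]) + identity)


def attr(attr_type, value):
    """One RADIUS TLV; the length octet counts the type and length octets too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def radius_attributes(packet):
    """Parse the TLVs after the 20-octet header into [(type, offset, value)]."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        out.append((packet[pos], pos, packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out


def _with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the attribute
    value zeroed).  For responses 'authenticator' is the Request Authenticator
    (RFC 2869 5.14); the attribute is mandatory whenever EAP-Message is present."""
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def build_access_request(secret, ident, request_authenticator, user_name, eap_msg):
    """What hostapd/radeapclient send and radtest does not: EAP-Message instead
    of User-Password, so rlm_eap has something to process."""
    attrs = attr(USER_NAME, user_name)
    attrs += attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))
    attrs += attr(NAS_PORT, struct.pack("!I", 0))
    for i in range(0, len(eap_msg), 253):   # long EAP payloads span several attributes
        attrs += attr(EAP_MESSAGE, eap_msg[i:i + 253])
    return _with_message_authenticator(ACCESS_REQUEST, ident, request_authenticator,
                                       attrs, secret)


def build_response(code, request, secret, eap_msg):
    """Server side: Message-Authenticator keyed over the Request Authenticator, then
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = b"".join(attr(EAP_MESSAGE, eap_msg[i:i + 253])
                     for i in range(0, len(eap_msg), 253))
    packet = _with_message_authenticator(code, ident, request_auth, attrs, secret)
    response_auth = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[:4] + response_auth + packet[20:]


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if Message-Authenticator is present and valid under secret.  A
    mismatch here is hostapd's 'invalid Message Authenticator (shared secret is
    incorrect)'.  Pass the matching request's authenticator when checking a response."""
    auth = packet[4:20] if request_authenticator is None else request_authenticator
    for attr_type, pos, value in radius_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:4] + auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def verify_response_authenticator(response, request, secret):
    """The second check a NAS applies to every Access-Accept/Reject/Challenge."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"whatever"                       # constructed, as in the posts above
    req = build_access_request(secret, 49, bytes(range(16)), b"pupis",
                               eap_response_identity(1, b"pupis"))
    print("request ok under right secret:", verify_message_authenticator(req, secret))
    print("request ok under wrong secret:", verify_message_authenticator(req, b"wrong"))
    chal = build_response(ACCESS_CHALLENGE, req, secret, bytes([1, 2, 0, 6, 13, 0x20]))
    print("challenge authenticator ok:", verify_response_authenticator(chal, req, secret))
```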


problems compiling, but works, or don't??

2006-01-25 Thread pelusa vali
hi everybody, well trying to use freeradius v 1.0.5 to add security to a 
wlan, i configured it to use openssl and eap-tls with this command:


./configure --prefix=/usr/local/ 
--with-openssl-includes=/usr/local/ssl/include/ --with-experimental-modules 
--enable-ltdl-install


when i type make, get this error:

Making static dynamic in rlm_perl...
make[6]: Entering directory `/usr/src/freeradius-1.0.5/src/modules/rlm_perl'
/usr/src/freeradius-1.0.5/libtool --mode=link gcc -release 1.0.5 \
-module -export-dynamic   \
-o rlm_perl.la -rpath /usr/local//lib rlm_perl.lo `perl -MExtUtils::Embed -e 
ldopts` -lssl -lcrypto -lnsl -lresolv  -lpthread


*** Warning: Linking the shared library rlm_perl.la against the
*** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not 
portable!

rm -fr .libs/rlm_perl.la .libs/rlm_perl.* .libs/rlm_perl-1.0.5.*
gcc -shared  rlm_perl.lo  -L/usr/local/lib 
/usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE 
-lperl -ldl -lm -lpthread -lc -lcrypt -lssl -lcrypto -lnsl -lresolv 
-lpthread  -Wl,-E -Wl,-soname -Wl,rlm_perl-1.0.5.so -o 
.libs/rlm_perl-1.0.5.so

/usr/bin/ld: cannot find -lperl
collect2: ld returned 1 exit status
make[6]: *** [rlm_perl.la] Error 1
make[6]: Leaving directory `/usr/src/freeradius-1.0.5/src/modules/rlm_perl'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/usr/src/freeradius-1.0.5/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/usr/src/freeradius-1.0.5/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/usr/src/freeradius-1.0.5/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/src/freeradius-1.0.5/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/usr/src/freeradius-1.0.5'
make: *** [all] Error 2

i have libsdl-perl installed and in 
/usr/src/freeradius-1.0.5/src/modules/rlm_eap/types/rlm_eap_tls/Makefile i 
have this:


TARGET  = rlm_eap_tls
SRCS= rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
RLM_CFLAGS  = $(INCLTDL) -I../.. -I/usr/local/ssl/include/
HEADERS = eap_tls.h
RLM_INSTALL =
RLM_LDFLAGS += -I/usr/local/ssl/lib
RLM_LIBS+= -lssl -lcrypto

$(STATIC_OBJS): $(HEADERS)

$(DYNAMIC_OBJS): $(HEADERS)

RLM_DIR=../../
include ${RLM_DIR}../rules.mak

well why does this error occur and how could i solve it?? i can only install if i 
don't compile with --with-experimental-modules, so what happens if i don't 
use those experimental modules?? could freeradius work in my wlan as i hope?

thanks in advance for your time.



before freeradius, openssl don't work

2006-01-05 Thread pelusa vali
hi everybody, well still trying to use freeradius for a wlan.  i use debian 
sarge kernel 2.6.13, openssl 0.9.8a to generate certificates and the latest 
freeradius version.
well i followed many tutorials about securing wlans with freeradius and all 
of them have this step:


openssl rsa < newreq.pem > servidor-key.pem

but when i type this my system returns:

unable to load Private Key 5237:error:0906D06C:PEM routines:PEM_read_bio:no 
start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY


so i think it's a problem with rsa generation and i tried to generate the rsa key 
again but always get the same error.


i know it's not a list of openssl but i posted this question in openssl list 
and nobody ask; searched in internet and nothing; so, any body could help?? 
what is happening and how could i solve this?? excuse if this so trivial but 
i'm new with both, openssl and freeradius and don't understand what is 
happening and why.


thanks in advance for your time and help.



openssl fails

2005-12-28 Thread pelusa vali
Hi everybody, well, I finally got openssl v0.9.8a installed. Now, when I try to 
generate certificates to be used with freeradius (eap-tls or eap-peap), I use 
these commands for CERTIFICATE AUTHORITY GENERATION:


#openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -in root.p12 -out root.pem -passin pass:clue1 -passout pass:clue1


(I copied root.p12 from the freeradius files)

#openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#rm -rf newreq.pem

and these for SERVER CERTIFICATE GENERATION:

#openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:clue1
#openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem


Right here, when using this command, I get this error:

Error opening CA private key ./demoCA/private/cakey.pem
4161:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:349:fopen ('./demoCA/private/cakey.pem' ,'r')

4161:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
unable to load CA private key

Well, I really don't understand what this means, but I checked 
./demoCA/private/cakey.pem and it is indeed there, so why can't openssl 
locate it? Why "unable to load CA private key"?


So, I tried this:

#openssl x509 -inform PEM -outform DER -in demoCA/cacert.pem -out demoCA/cacert.der


but now I get this:

4201:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE


Excuse me if this question is so trivial, but I really don't understand it. 
Could anybody help and tell me what is happening? Thanks for your patience 
and help.


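The "no start line ... Expecting: ANY PRIVATE KEY" error in the message above this one and the "Expecting: TRUSTED CERTIFICATE" error here both come from the same place: OpenSSL scans the input for a "-----BEGIN <LABEL>-----" line with a label the subcommand accepts, and reports what it expected when none is found. The following inspector, an added example that is not code from the list or from the OpenSSL or FreeRADIUS projects, lists the PEM blocks a file really holds and says whether a given subcommand would read it. The label sets in ACCEPTED are my own summary of what `openssl rsa`, `openssl x509` and `openssl req -in` read; the sample files are constructed (no real key or certificate material) and mimic `openssl req -new -x509 -keyout newreq.pem -out newreq.pem`, which, when -keyout and -out name the same file, appends the certificate after the key.

```python
"""Inspect the PEM blocks in a file and predict OpenSSL's "no start line" error.

Added example, not from the list posts. ACCEPTED is an assumed summary of
which BEGIN labels each openssl subcommand reads from -in/stdin.
"""
import base64
import binascii
import re

# One PEM block: BEGIN label, base64 body, matching END label.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels each subcommand is willing to read as input (assumed table).
ACCEPTED = {
    "openssl rsa":  {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
    "openssl x509": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
    "openssl req":  {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"},
}


def pem_blocks(text):
    """Return [(label, decoded_bytes)] for every well-formed PEM block.

    A block whose body is not valid base64 is skipped, so a file that looks
    like PEM but was mangled in transit still reports "no blocks".
    """
    out = []
    for label, body in BLOCK_RE.findall(text):
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            continue
        out.append((label, raw))
    return out


def accepted_by(text, command):
    """True if `command` (e.g. "openssl rsa") would find a usable block."""
    return any(label in ACCEPTED[command] for label, _ in pem_blocks(text))


def diagnose(text, command):
    """'ok', or a sentence explaining the 'no start line' failure."""
    if accepted_by(text, command):
        return "ok"
    found = [label for label, _ in pem_blocks(text)] or ["no PEM blocks"]
    return ("%s would fail with 'no start line': file holds %s, expected one of %s"
            % (command, ", ".join(found), sorted(ACCEPTED[command])))


def make_block(label, payload):
    """Wrap arbitrary bytes in a PEM block (constructed test data only)."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed samples: what newreq.pem looks like after
# "openssl req -new -x509 -keyout newreq.pem -out newreq.pem" (key, then cert),
# and a file holding only a certificate request.
NEWREQ_PEM = (make_block("RSA PRIVATE KEY", b"constructed, not a real key")
              + make_block("CERTIFICATE", b"constructed, not a real cert"))
CSR_ONLY = make_block("CERTIFICATE REQUEST", b"constructed, not a real csr")


if __name__ == "__main__":
    print(diagnose(NEWREQ_PEM, "openssl rsa"))    # ok
    print(diagnose(CSR_ONLY, "openssl rsa"))      # explains the failure
    print(diagnose(CSR_ONLY, "openssl x509"))     # explains the failure
```

Run `diagnose(open("newreq.pem").read(), "openssl rsa")` on the real file: if it reports only a CERTIFICATE REQUEST block, `openssl rsa` has nothing to load and the key lives elsewhere; if it reports no blocks at all, the file is empty or not PEM, which is also what produces the cacert.pem conversion error.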


problem compiling

2005-12-22 Thread pelusa vali
Hi everybody, well, I downloaded the latest version of freeradius and want to use 
it with openssl, so I tried to compile using: --with-experimental-modules 
--enable-ltdl-install, but I get an error and it is impossible to compile; I 
must delete these options.

When I try to run the server I get this:
rlm_eap:Failed to link EAP-TYPE/TLS:rlm_eap_tls.so: cannot open shared 
object: no such file or directory

radiusd[9]
My configuration points to the openssl locations, so why can't I compile and 
why this error?

OK, thanks for your time.

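Both this message and the earlier one with the rlm_eap_tls Makefile come down to whether the build can actually find the OpenSSL headers and libraries at the prefix the Makefile names. That Makefile passes "-I/usr/local/ssl/lib" in RLM_LDFLAGS, but -I is a compiler include path; the linker only searches -L directories, so libssl is never found there. The check below is an added example (not from the list or from the FreeRADIUS build system): it verifies a prefix has openssl/ssl.h and libssl, and prints the flags a Makefile should use. The prefix /usr/local/ssl and the lib/lib64 layout are assumptions about the installation.

```sh
#!/bin/sh
# Added example (not from the list posts or FreeRADIUS itself): sanity-check
# an OpenSSL install prefix before pointing a module Makefile at it.
# Usage: check_openssl_prefix /usr/local/ssl
check_openssl_prefix() {
    prefix=$1
    [ -n "$prefix" ] || { echo "usage: check_openssl_prefix PREFIX" >&2; return 2; }
    ok=0

    # Headers are found via -I (compiler flag).
    if [ -f "$prefix/include/openssl/ssl.h" ]; then
        echo "headers:   $prefix/include/openssl/ssl.h"
    else
        echo "missing:   $prefix/include/openssl/ssl.h (compile will fail)" >&2
        ok=1
    fi

    # Libraries are found via -L (linker flag); -I there is silently ignored.
    libdir=""
    for d in "$prefix/lib" "$prefix/lib64"; do
        if [ -f "$d/libssl.so" ] || [ -f "$d/libssl.a" ]; then
            libdir=$d
            break
        fi
    done
    if [ -n "$libdir" ]; then
        echo "libraries: $libdir"
    else
        echo "missing:   libssl.so/libssl.a under $prefix/lib (link will fail)" >&2
        ok=1
    fi

    [ "$ok" -eq 0 ] || return 1

    # The Makefile lines that match this layout: -I for headers, -L for libs.
    echo "RLM_CFLAGS  += -I$prefix/include"
    echo "RLM_LDFLAGS += -L$libdir"
    echo "RLM_LIBS    += -lssl -lcrypto"
    return 0
}

if [ $# -gt 0 ]; then
    check_openssl_prefix "$1"
fi
```

Run it against the prefix from the Makefile (`sh check.sh /usr/local/ssl`); a non-zero exit tells you which half of the install is missing before you touch RLM_CFLAGS or RLM_LDFLAGS. If the library is only found under a non-default directory, the built rlm_eap_tls.so will also need that directory visible at run time (ld.so.conf or an rpath), or radiusd reports it cannot open the shared object even though it compiled.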


failed eap-type/tls???

2005-12-20 Thread pelusa vali
Hi everybody, well, I'm trying to implement an AP over linux. I use 
madwifi-ng, debian sarge kernel 2.6.13 and the freeradius supplied on the debian 
installation CDs; I'd like to add more security, so I decided to use hostapd 
and freeradius. First I generated my own certificates using openssl, and my 
hostapd configuration refers to the freeradius files and directories; here is my 
radiusd.conf file:


prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = root
group = root
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 192.168.50.1
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = before
lower_pass = before
nospace_user = before
nospace_pass = before
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}

$INCLUDE ${confdir}/eap.conf
mschap {
}
ldap {
server = ldap.your.domain
basedn = o=My Org,c=UA
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
access_attr = dialupAccess
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = /
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = %
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = \\
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}

detail {
detailperm = 0600
}

acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port

}

$INCLUDE  ${confdir}/sql.conf

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = no
check_with_nas = yes
perm = 0600
callerid = yes
}

radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = no
}

attr_filter {
attrsfile = ${confdir}/attrs
}

counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}

expr {
}

digest {
}

exec {
wait = yes
input_pairs = request
}

exec echo {
wait = yes
program = /bin/echo %{User-Name}
input_pairs = request
output_pairs = reply
}

ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}

instantiate {
exec
expr
}

authorize {
preprocess
chap
mschap
suffix
eap
files
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type