dial-up admin and authentication time
hi list, I have 2 questions, hope you could help.

1) Trying to use dial-up admin in my wlan: I installed it and created the tables, first filled them manually with some users, later added new users using the dial-up interface, but I can only see the first user's statistics; any other user, even when connected, is not shown. Does anybody know where I am failing?

2) Authentication time is too long, I guess. I use madwifi and hostapd; the first time clients connect, authentication can take 5-6 minutes, after 10 minutes they are disconnected (don't know why) and re-authenticated, which now takes 1-2 minutes. Are there any parameters I should change, or why is it happening?

thanks for your time and help.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
connection problems
hi list, well, I use debian etch, kernel 2.6.15.6, madwifi-ng-r1475, freeradius 1.1.0, hostapd 0.5.2 and a linksys wmp55ag as wireless adaptor. I can set it up as an access point, but have a big problem.

If I only set up the access point without security or using wep, clients disconnect after 2-8 minutes and can't reconnect unless the ap is reset. So I used hostapd to set WPA-PSK and the link was very stable for hours. Now I set WPA-EAP using freeradius configured for PEAP. It worked very well for 8 days: stable, only the connection delay was too large, but it worked. After 8 days, clients deauthenticate and reauthenticate every 3-5 minutes.

I think it's related to madwifi, because of the first problem I described. Does anybody have the same behavior? If so, how could it be solved? It's annoying: clients are working and suddenly they lose the connection and must wait until it is re-established, which takes from 1 to 10 minutes to complete, if at all. Do you have any idea?

thanks for your help
Re: mysql-devel??
> If you plan to use freeradius+mysql on debian I suggest you just install the packages that come with it. It's not really necessary to compile it yourself.

Thanks Peter, now my question is: I want to use it to add security to a wlan, with hostapd and the madwifi driver, so is it not necessary to compile freeradius? I use openssl to create certificates (I use eap-peap). Second, do you know any way to uninstall freeradius in debian? thanks again.
frontend for freeradius???
hi list, I have a question: is there any freeradius frontend to administer users which doesn't assume I have ldap or mysql? My users are only in the users file. I reviewed dialup_admin and the php radius accounting tool, but both assume I have mysql or ldap. I just want some program with a graphical interface to add users and passwords in freeradius, and if possible monitor them. Is there something like that? thanks.
slow and delayed connection
hi list, well, finally my linux based ap works with wpa-eap. I use debian etch, madwifi-ng-r1475, freeradius 1.1.0 and hostapd 0.5.2. My ap can authenticate users and they can connect to the wlan, everything ok. But now the result is that they can't surf the internet because the connection is very slow; they can't even access google or yahoo, the connection is too slow and requests are never completed or take between 35-120 seconds. I'm just performing tests, so ap and clients are in the same room. And when clients authenticate I get lots of messages like this:

    IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
    IEEE 802.1X: 00:0f:66:11:c1:96 BE_AUTH entering state IDLE
    IEEE 802.1X: 00:0f:66:11:c1:96 REAUTH_TIMER entering state INITIALIZE
    [the previous line repeated some two dozen more times]
    WPA: 00:0f:66:11:c1:96 WPA_PTK entering state INITPMK
    WPA: PMK from EAPOL state machine (len=32)
    WPA: 00:0f:66:11:c1:96 WPA_PTK entering state PTKSTART
    ath0: STA 00:0f:66:11:c1:96 WPA: sending 1/4 msg of 4-Way Handshake
    WPA: Send EAPOL(secure=0 mic=0 ack=1 install=0 pairwise=1 ie_len=0 gtk_len=0 key idx=0 encr=0)
    TX EAPOL - hexdump(len=113): [hex dump omitted]

and authentication takes 2 minutes, is it normal? Using ethereal to monitor the wlan I get a lot (really many) of messages like this:

    SOURCE             DESTINATION   PROTOCOL  INFO
    Cisco-Li_11:c1:96  192.168.50.1  MDS       HEADER[Malformed Packet]

where 192.168.50.1 is the ap's IP address.

These are my configuration files:

MADWIFI:

    rmmod ath_pci
    modprobe ath_pci autocreate=ap
    ifconfig ath0 up
    iwpriv ath0 mode 3
    iwconfig ath0 essid MYWLAN
    iwconfig ath0 channel auto
    iwconfig ath0 bitrate 54M
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/networking restart
    IPTABLES=/sbin/iptables
    $IPTABLES -F -t nat
    $IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    /etc/init.d/dhcp restart

HOSTAPD:

    interface=ath0
    driver=madwifi
    logger_syslog=-1
    logger_syslog_level=2
    logger_stdout=-1
    logger_stdout_level=1
    debug=4
    dump_file=/tmp/hostapd.dump
    ctrl_interface=/var/run/hostapd
    ctrl_interface_group=0
    ssid=MYWLAN
    macaddr_acl=0
    auth_algs=1
    ieee8021x=1
    eap_server=0
    own_ip_addr=127.0.0.1
    nas_identifier=www.srvw1.com
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=mywlan
    acct_server_addr=127.0.0.1
    acct_server_port=1813
    acct_server_shared_secret=mywlan
    wpa=1
    wpa_key_mgmt=WPA-EAP
    wpa_pairwise=TKIP
    wpa_group_rekey=300
    wpa_gmk_rekey=640

I think this behavior is related to freeradius, because I tested using only hostapd with psk and without security and everything was right, connection speed and everything fine, but when activating freeradius the connection speed is very poor. So is there any parameter in freeradius I should activate or change to avoid this problem? These are the freeradius configuration files:

USERS:

    User1
    DEFAULT Auth-Type = EAP
            Fall-Through = 1

CLIENTS:

    client 192.168.50.0/24 {
        secret = mywlan
        shortname = MYWLAN
    }

EAP:

    eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
will this work?
hi everybody, I use debian sarge, madwifi-ng-r1457, hostapd 0.4.8 and freeradius 1.1. I want to use eap-tls; is there any special configuration or patch that should be applied to any of these programs to get them to work? I tried configurations from the madwifi users docs and many tutorials, but nothing works. Simply, clients can't authenticate, I always get: Access-Reject. These are my conf files:

MADWIFI:

    modprobe ath_pci autocreate=ap
    wlanconfig ath0 create wlandev wifi0 wlanmode ap
    ifconfig ath0 up
    iwpriv ath0 mode 3
    iwconfig ath0 essid MYWLAN
    iwconfig ath0 channel 2
    iwconfig ath0 bitrate 54M
    iwconfig ath0 frag 512
    iwconfig ath0 rts 250
    iwpriv ath0 ar 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/networking restart
    IPTABLES=/sbin/iptables
    $IPTABLES -F -t nat
    $IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    /etc/init.d/dhcp stop
    /etc/init.d/dhcp start

DHCP:

    subnet 192.168.10.0 netmask 255.255.255.0 {
        range 192.168.10.2 192.168.10.30;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.10.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

HOSTAPD:

    interface=ath0
    driver=madwifi
    logger_syslog=-1
    logger_syslog_level=2
    logger_stdout=-1
    logger_stdout_level=2
    debug=4
    dump_file=/tmp/hostapd.dump
    ctrl_interface=/var/run/hostapd
    ctrl_interface_group=0
    ssid=MYWLAN
    macaddr_acl=0
    auth_algs=3
    ieee8021x=1
    eap_message=hello
    eapol_key_index_workaround=0
    own_ip_addr=127.0.0.1
    nas_identifier=www.server.com
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=whatever
    acct_server_addr=127.0.0.1
    acct_server_port=1813
    acct_server_shared_secret=whatever
    wpa=1
    wpa_key_mgmt=WPA-EAP
    wpa_pairwise=TKIP
    wpa_strict_rekey=1
    wpa_gmk_rekey=86400

DEFAULT HOSTAPD:

    #RUN_DAEMON=yes

RADIUS USERS:

    pupis
    DEFAULT Auth-Type = System
            Fall-Through = 1

here I tried too:

    DEFAULT Auth-Type = EAP
            Fall-Through = 1

each one alone, and together.

RADIUS CLIENTS.CONF:

    client 127.0.0.1 {
        secret = whatever
        shortname = www.server.com
    }

RADIUS EAP.CONF:

    default_eap_type = tls
    tls {
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }

When I run it, I get this in the hostapd logs:

    Sending RADIUS message to accounting server
    RADIUS message: code=4 (Accounting-Request) identifier=0 length=88
       Attribute 40 (Acct-Status-Type) length=6
          Value: 7
       Attribute 45 (Acct-Authentic) length=6
          Value: 1
       Attribute 4 (NAS-IP-Address) length=6
          Value: 127.0.0.1
       Attribute 32 (NAS-Identifier) length=14
          Value: 'www.server.com'
       Attribute 30 (Called-Station-Id) length=30
          Value: '00-0F-66-11-C1-97:MYWLAN'
       Attribute 49 (Acct-Terminate-Cause) length=6
          Value: 11
    Next RADIUS client retransmit in 3 seconds
    Flushing old station entries

Running radtest locally:

    radtest pupis whatever localhost 0 whatever
    Sending Access-Request of id 178 to 127.0.0.1 port 1812
            User-Name = pupis
            User-Password = whatever
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=178, length=20

By the way, I can't run radclient or radeapclient; when I use them I don't get any response. But now, winxp clients don't detect this wlan as enabled with wpa, only as a wlan without security, and don't get any IP address, even though I'm using dhcp. If I don't run radius and hostapd then clients do get an IP address and can use the wlan. So, my question again is, what should I do to get eap-tls working? I heard that maybe this won't work with debian, could that be a possible explanation? I'm really tired, I tried everything I can think of, and don't know what more I should do. thanks in advance for your patience.
eap don't work
hi everybody, I have problems using freeradius 1.0.5, I can't get it to work as I hope. Well, I installed freeradius on my server and tried to see if clients can authenticate, so first I tried a test on the server itself; my ip is 192.168.10.1, I generated certificates to use TLS. This is my users file:

    mec01 Auth-Type := EAP

and clients.conf file:

    client 192.168.10.1 {
        secret = clue
        shortname = www.kill.com
    }

I tried putting localhost in shortname too, but nothing happens. eap.conf file:

    tls {
        private_key_file = ${raddbdir}/certs/www.kill.com.pem
        certificate_file = ${raddbdir}/certs/www.kill.com.pem
        CA_file = ${raddbdir}/certs/demoCA/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        ...
    }

so, I do this:

    www:~# radtest mec01 clue www.kill.com 0 clue
    Sending Access-Request of id 49 to 192.168.10.1 port 1812
            User-Name = mec01
            User-Password = clue
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
    rad_recv: Access-Reject packet from host 192.168.10.1:1812, id=49, length=20

In the messages from radius I see this:

    rad_recv: Access-Request packet from host 192.168.10.1:32768, id=49, length=62
            User-Name = mec01
            User-Password = clue
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
    rad_rmspace_pair: User-Password now 'clue'
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
      modcall[authorize]: module preprocess returns ok for request 1
      modcall[authorize]: module chap returns noop for request 1
      modcall[authorize]: module mschap returns noop for request 1
        rlm_realm: No '@' in User-Name = mec01, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 1
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module eap returns noop for request 1
        users: Matched entry mec01 at line 97
      modcall[authorize]: module files returns ok for request 1
    modcall: leaving group authorize (returns ok) for request 1
      rad_check_password: Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 1
      rlm_eap: EAP-Message not found
      rlm_eap: Malformed EAP Message
      modcall[authenticate]: module eap returns fail for request 1
    modcall: leaving group authenticate (returns fail) for request 1
    auth: Failed to validate the user.
    Login incorrect: [mec01/clue] (from client localhost port 0)
    rad_lowerpair: User-Name now 'mec01'
    rad_rmspace_pair: User-Name now 'mec01'
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
      modcall[authorize]: module preprocess returns ok for request 1
      modcall[authorize]: module chap returns noop for request 1
      modcall[authorize]: module mschap returns noop for request 1
        rlm_realm: No '@' in User-Name = mec01, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 1
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module eap returns noop for request 1
        users: Matched entry mec01 at line 97
      modcall[authorize]: module files returns ok for request 1
    modcall: leaving group authorize (returns ok) for request 1
      rad_check_password: Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 1
      rlm_eap: EAP-Message not found
      rlm_eap: Malformed EAP Message
      modcall[authenticate]: module eap returns fail for request 1
    modcall: leaving group authenticate (returns fail) for request 1
    auth: Failed to validate the user.
    Login incorrect: [mec01/clue] (from client localhost port 0)
    Delaying request 1 for 1 seconds
    Finished request 1

So I reviewed the keys and shared secret and they are correct on server, client and CA; I even generated them again. I see radius says "rlm_eap: Malformed EAP Message", so maybe I installed freeradius in a bad way? Or what is happening? Why doesn't the server authenticate users? thanks in advance.
RE: eap don't work
first of all, thanks so much Alan for your quick response

> Hi,
>
>> hi everybody, I have problems using freeradius 1.0.5, I can't get it to work as I hope. Well, I installed freeradius on my server and tried to see if clients can authenticate, so first I tried a test on the server itself; my ip is 192.168.10.1, I generated certificates to use TLS. This is my users file:
>>
>>     mec01 Auth-Type := EAP
>
> don't do this. just don't do this at all. read the docs.

excuse me, I read many tutorials and all of them say this is correct, so please could you refer me to the right doc? maybe the freeradius docs? exactly which? and again thanks for your answer.
problems authenticating using madwifi, hostapd and freeradius
hi everybody, well, this is a quite large mail. I'm using debian sarge kernel 2.6.13, openssl 0.9.8a, hostapd 0.5.1, freeradius 1.0.5, madwifi-ng-r1406. I want to use eap-tls in my wlan over my own ap on linux. I could install and configure all programs (except hostapd; instead of compiling it myself I installed it from the .deb), now I have my certificates and programs running, but when I try to connect a windows client it always stops in this state: "Trying to authenticate", and nothing more happens. I generated the certificates using the winxp extensions. Here is my madwifi configuration:

    modprobe ath_pci
    wlanconfig ath0 create wlandev wifi0 wlanmode ap
    ifconfig ath0 up
    /etc/init.d/networking restart
    IPTABLES=/sbin/iptables
    $IPTABLES -F -t nat
    $IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/dhcp restart
    iwpriv ath0 mode 3
    iwconfig ath0 essid MYWLAN
    iwconfig ath0 channel 5
    iwconfig ath0 bitrate 54M
    iwconfig ath0 frag 512
    iwconfig ath0 rts 250

and this is my hostapd.conf file:

    interface=ath0
    driver=madwifi
    logger_syslog=-1
    logger_syslog_level=2
    logger_stdout=-1
    logger_stdout_level=2
    debug=3
    ctrl_interface=/var/run/hostapd
    ctrl_interface_group=0
    ssid=MYWLAN
    macaddr_acl=0
    auth_algs=3
    ieee8021x=1
    eap_message=hello_clients
    eapol_key_index_workaround=0
    eap_reauth_period=3600
    eap_server=0
    auth_server_addr=192.168.50.1
    auth_server_port=1812
    auth_server_shared_secret=pupis
    acct_server_addr=192.168.50.1
    acct_server_port=1813
    acct_server_shared_secret=pupis
    wpa=1
    wpa_key_mgmt=WPA-EAP
    wpa_pairwise=TKIP
    wpa_group_rekey=600
    rsn_preauth=1

this is clients.conf in radius:

    client 192.168.50.0/24 {
        secret = pupis
        shortname = www.mymachine.com
    }

users file:

    Administrador Auth-Type := EAP

eap.conf file:

    tls {
        private_key_file = /root/miscerts/servidor.pem
        certificate_file = /root/miscerts/servidor.pem
        CA_file = /root/miscerts/cacert.pem
        dh_file = /root/miscerts/dh
        random_file = /root/miscerts/random
        fragment_size = 1024
        include_length = yes
        check_crl = yes
        check_cert_cn = %{User-Name}
    }

and this is the radiusd.conf file:

    user = nobody
    group = nobody
    bind_address = *
    port = 0

here you have an extract from the freeradius messages:

    Sending Access-Challenge of id 45 to 192.168.50.1:32770
            EAP-Message = 0x... [four EAP-Message attributes carrying the server certificate, hex omitted]
            Message-Authenticator = 0x00 00
            State = 0x1a0c83eb55ba1000a03c23980883a7aa
    Finished request 54
    Going to the next request
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 192.168.50.1:32770, id=46, length=176
            User-Name = Administrador
            NAS-IP-Address = 192.168.50.1
            NAS-Port = 0
            Called-Station-Id = 00-0F-66-11-C1-97:MYWLAN
            Calling-Station-Id = 00-0F-66-11-C1-96
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            Connect-Info = CONNECT 11Mbps 802.11b
            EAP-Message = 0x020c00060d00
            State = 0x1a0c83eb55ba1000a03c23980883a7aa
            Message-Authenticator =
authentication failure
hi everybody, I'm using debian sarge kernel 2.6.13, openssl 0.9.8a, hostapd 0.5.1, freeradius 1.0.5, madwifi-ng-r1406. I want to use eap-tls in my wlan over my own ap on linux. I could install and configure all programs (except hostapd; instead of compiling it myself I installed it from the .deb), now I have my certificates and programs running, but when I try to connect a windows client it always stops in this state: "Trying to authenticate", and nothing more happens. I generated the certificates using the winxp extensions and tried to export and install them in winxp, but always the same behavior. Clients can't get an IP address, but before implementing this they could. Here you have an extract from the freeradius messages:

    --- Walking the entire request list ---
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 192.168.50.1:32771, id=14, length=250
            User-Name = Administrador
            NAS-IP-Address = 192.168.50.1
            NAS-Port = 0
            Called-Station-Id = 00-0F-66-11-C1-97:WLAN1
            Calling-Station-Id = 00-12-F0-BC-C1-68
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            Connect-Info = CONNECT 11Mbps 802.11b
            EAP-Message = 0x021400500d8000461603010041013d03014403d116c1beab0d54a903ac411f6de1bd9eaf339bf5ac89f9e0ff0a7410c6881600040005000a000900640062000300060013001200630100
            State = 0x6780e9b9e7fd2c531421b8437d11c9db
            Message-Authenticator = 0x11d975fb9373293a13b5a0b3ad2f6f1f
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 19
      modcall[authorize]: module preprocess returns ok for request 19
      modcall[authorize]: module chap returns noop for request 19
      modcall[authorize]: module mschap returns noop for request 19
        rlm_realm: No '@' in User-Name = Administrador, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 19
      rlm_eap: EAP packet type response id 20 length 80
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
      modcall[authorize]: module eap returns updated for request 19
        users: Matched entry Administrador at line 97
      modcall[authorize]: module files returns ok for request 19
    modcall: group authorize returns updated for request 19
      rad_check_password: Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 19
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/tls
      rlm_eap: processing type tls
      rlm_eap_tls: Authenticate
      rlm_eap_tls: processing TLS
      rlm_eap_tls: Length Included
      eaptls_verify returned 11
        (other): before/accept initialization
        TLS_accept: before/accept initialization
      rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
        TLS_accept: SSLv3 read client hello A
      rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
        TLS_accept: SSLv3 write server hello A
      rlm_eap_tls: >>> TLS 1.0 Handshake [length 025c], Certificate
        TLS_accept: SSLv3 write certificate A
      rlm_eap_tls: >>> TLS 1.0 Handshake [length 0070], CertificateRequest
        TLS_accept: SSLv3 write certificate request A
        TLS_accept: SSLv3 flush data
        TLS_accept:error in SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
      eaptls_process returned 13
      modcall[authenticate]: module eap returns handled for request 19
    modcall: group authenticate returns handled for request 19
    Sending Access-Challenge of id 14 to 192.168.50.1:32771
            EAP-Message = 0x... [EAP-Message attributes carrying the server certificate, hex omitted; the excerpt ends here]
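The EAP-Message values in these radiusd debug excerpts are easier to read once the EAP and EAP-TLS headers are split off: the client's "0x020c00060d00" above is an empty EAP-TLS Response, i.e. a fragment acknowledgement, and the server's Access-Challenge values start with an L-flagged fragment whose first TLS record holds the ServerHello. The decoder below is an added example, not code from the posts or from FreeRADIUS; its sample ClientHello is constructed (fixed random, no session id) and only mirrors the cipher-suite list the Windows client offered above.

```python
"""Decode EAP-TLS EAP-Message values as FreeRADIUS prints them in debug mode.

Added example, not code from the posts or from FreeRADIUS. Field layout
follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS); only the EAP, EAP-TLS and
TLS record/handshake headers are parsed, never the certificate bytes, so a
packet can still be classified when the log excerpt is cut off mid-hex.
"""
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TLS = 13                                  # EAP type number for EAP-TLS
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20     # length included / more fragments / start
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def _parse_tls(tls: bytes) -> tuple[list[dict], bool]:
    """Walk the TLS records present in `tls`; returns (records, truncated).

    Handshake messages that continue into a following record are not
    reassembled: this is a log classifier, not a TLS implementation."""
    records, pos, truncated = [], 0, False
    while pos + 5 <= len(tls):                     # record header: type(1) version(2) length(2)
        ctype, version, rlen = struct.unpack("!BHH", tls[pos:pos + 5])
        body = tls[pos + 5:pos + 5 + rlen]
        ver = f"TLS 1.{(version & 0xff) - 1}" if version >> 8 == 3 and version & 0xff else hex(version)
        rec = {"content": TLS_CONTENT.get(ctype, f"type{ctype}"), "version": ver,
               "length": rlen, "handshake": []}
        truncated = truncated or len(body) < rlen  # record declared longer than what the log shows
        if ctype == 22:
            hp = 0
            while hp + 4 <= len(body):             # handshake header: type(1) length(3)
                rec["handshake"].append(HANDSHAKE.get(body[hp], f"hs{body[hp]}"))
                hp += 4 + int.from_bytes(body[hp + 1:hp + 4], "big")
        records.append(rec)
        pos += 5 + rlen
    return records, truncated or pos < len(tls)


def decode_eap_message(hexstr: str) -> dict:
    """Decode one EAP-Message value written as 0x... (as in the radiusd output)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODE.get(code, f"code{code}"), "id": ident, "length": length,
            "present": len(data), "truncated": len(data) < length, "kind": None,
            "flags": "", "tls_length": None, "records": []}
    if code not in (1, 2) or len(data) < 5:
        info["kind"] = info["code"].lower()        # Success/Failure carry no type byte
        return info
    info["type"] = data[4]
    if data[4] != EAP_TLS:
        info["kind"] = f"eap-type-{data[4]}"
        return info
    flags = data[5] if len(data) > 5 else 0
    info["flags"] = "".join(n for n, b in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S)) if flags & b)
    pos = 6
    if flags & FLAG_L and len(data) >= 10:
        info["tls_length"] = int.from_bytes(data[6:10], "big")   # total TLS message length
        pos = 10
    tls = data[pos:length]
    if not tls:
        # Empty EAP-TLS packet: S flag means EAP-TLS Start from the server,
        # otherwise it is a fragment acknowledgement (the 0x020c00060d00 reply above).
        info["kind"] = "start" if flags & FLAG_S else "ack"
    else:
        info["kind"] = "fragment" if flags & FLAG_M else "data"
        info["records"], tls_trunc = _parse_tls(tls)
        info["truncated"] = info["truncated"] or tls_trunc
    return info


def build_eap_tls(code: int, ident: int, tls: bytes = b"", start: bool = False) -> bytes:
    """Encode an unfragmented EAP-TLS packet (L flag set whenever TLS data is carried)."""
    flags = (FLAG_L if tls else 0) | (FLAG_S if start else 0)
    body = bytes([EAP_TLS, flags]) + (len(tls).to_bytes(4, "big") if tls else b"") + tls
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def sample_client_hello() -> bytes:
    """Constructed TLS 1.0 ClientHello record: fixed random, no session id,
    cipher suites as offered by the Windows client in the log above."""
    suites = bytes.fromhex("00040005000a0009006400620003000600130012 0063")
    body = b"\x03\x01" + bytes(range(32)) + b"\x00" + len(suites).to_bytes(2, "big") + suites + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for label, value in (("client ack from the log", "0x020c00060d00"),
                         ("constructed ClientHello", "0x" + build_eap_tls(2, 20, sample_client_hello()).hex())):
        print(label, decode_eap_message(value))
```

Feeding it a value cut off the way the excerpts above are (declared length larger than the bytes present) sets "truncated" while still naming the handshake message the first record carries.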
how to confirm locally??
hi everybody, I'm using debian sarge kernel 2.6.13, openssl 0.9.8a, hostapd 0.5.1, freeradius 1.0.5, madwifi-ng-r1406. I want to use eap-tls in my wlan over my own ap on linux. I could install and configure all programs (except hostapd; instead of compiling it myself I installed it from the .deb), now I have my certificates and programs running, but when I try to connect a windows client I get this error:

    Received packet from (my freeradius server IP address) with invalid Message Authenticator (invalid signature) (shared secret is incorrect).

I generated the certificates using the winxp extensions. So my question is: is there any way I can test my certificates from freeradius? Any command? Or maybe install wpa-supplicant on my debian box and test from there (authenticator and supplicant on the same machine?). If clients try to connect without freeradius and hostapd running it's possible, but with these two programs clients immediately lose their IP address and show an "Error authenticating" message. Could anybody try to help? thanks in advance for your help and time.
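Two of the errors in this thread come from the RADIUS packet layer rather than from the certificates: the "invalid Message Authenticator ... (shared secret is incorrect)" message in this post is the HMAC-MD5 check over the packet keyed with the shared secret, and the "rlm_eap: EAP-Message not found / Malformed EAP Message" lines in the earlier "eap don't work" post are what rlm_eap reports when a request that carries no EAP-Message attribute (as a PAP test with radtest sends) is forced through Auth-Type EAP. The following is an added example, not code from the posts or from FreeRADIUS: it builds such an Access-Request, with a Message-Authenticator attribute added so the verification can be shown, and checks it against a right and a wrong secret. Attribute numbers follow RFC 2865 and RFC 2869; the 16-byte request authenticator is a constructed fixed value, where a real client uses random bytes.

```python
"""RADIUS Access-Request as a PAP client such as radtest sends it, plus the
Message-Authenticator check a server performs with the shared secret.

Added example, not code from the posts or from FreeRADIUS. The packet
layout and User-Password hiding follow RFC 2865; Message-Authenticator
(attribute 80) is HMAC-MD5 over the whole packet per RFC 2869.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator           # first block is chained to the request authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: type(1) length(2 + value)(1) value."""
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Split the attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, nas_port: int, authenticator: bytes) -> bytes:
    """Access-Request carrying the four attributes radtest shows, plus Message-Authenticator."""
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port))
             + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))    # zero placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # computed with the 16 zero bytes in place
    return packet[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 with the attribute value zeroed; False if it is absent or wrong.
    A mismatch here is exactly the 'shared secret is incorrect' case the posts hit."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        if attr_len < 2:
            return False
        pos += attr_len
    return False


def has_eap_message(packet: bytes) -> bool:
    """True only if an EAP-Message attribute is present; a PAP request has none."""
    return any(t == EAP_MESSAGE for t, _ in parse_attributes(packet))


if __name__ == "__main__":
    auth = bytes(range(16))                                   # constructed, not random
    req = build_access_request(49, b"clue", b"mec01", b"clue", "255.255.255.255", 0, auth)
    print("length", len(req), "carries EAP-Message:", has_eap_message(req))
    print("secret ok:", verify_message_authenticator(req, b"clue"),
          "wrong secret:", verify_message_authenticator(req, b"wrong"))
```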
problems compiling, but works, or don't??
hi everybody, well, trying to use freeradius v1.0.5 to add security to a wlan, I configured it for use with openssl and eap-tls with this command:

    ./configure --prefix=/usr/local/ --with-openssl-includes=/usr/local/ssl/include/ --with-experimental-modules --enable-ltdl-install

When I type make, I get this error:

    Making static dynamic in rlm_perl...
    make[6]: Entering directory `/usr/src/freeradius-1.0.5/src/modules/rlm_perl'
    /usr/src/freeradius-1.0.5/libtool --mode=link gcc -release 1.0.5 \
            -module -export-dynamic \
            -o rlm_perl.la -rpath /usr/local//lib rlm_perl.lo `perl -MExtUtils::Embed -e ldopts` -lssl -lcrypto -lnsl -lresolv -lpthread
    *** Warning: Linking the shared library rlm_perl.la against the
    *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not portable!
    rm -fr .libs/rlm_perl.la .libs/rlm_perl.* .libs/rlm_perl-1.0.5.*
    gcc -shared rlm_perl.lo -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lpthread -lc -lcrypt -lssl -lcrypto -lnsl -lresolv -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-1.0.5.so -o .libs/rlm_perl-1.0.5.so
    /usr/bin/ld: cannot find -lperl
    collect2: ld returned 1 exit status
    make[6]: *** [rlm_perl.la] Error 1
    make[6]: Leaving directory `/usr/src/freeradius-1.0.5/src/modules/rlm_perl'
    make[5]: *** [common] Error 2
    make[5]: Leaving directory `/usr/src/freeradius-1.0.5/src/modules'
    make[4]: *** [all] Error 2
    make[4]: Leaving directory `/usr/src/freeradius-1.0.5/src/modules'
    make[3]: *** [common] Error 2
    make[3]: Leaving directory `/usr/src/freeradius-1.0.5/src'
    make[2]: *** [all] Error 2
    make[2]: Leaving directory `/usr/src/freeradius-1.0.5/src'
    make[1]: *** [common] Error 2
    make[1]: Leaving directory `/usr/src/freeradius-1.0.5'
    make: *** [all] Error 2

I have installed libsdl-perl, and in /usr/src/freeradius-1.0.5/src/modules/rlm_eap/types/rlm_eap_tls/Makefile I have this:

    TARGET      = rlm_eap_tls
    SRCS        = rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
    RLM_CFLAGS  = $(INCLTDL) -I../.. -I/usr/local/ssl/include/
    HEADERS     = eap_tls.h
    RLM_INSTALL =
    RLM_LDFLAGS += -I/usr/local/ssl/lib
    RLM_LIBS    += -lssl -lcrypto

    $(STATIC_OBJS): $(HEADERS)
    $(DYNAMIC_OBJS): $(HEADERS)

    RLM_DIR=../../
    include ${RLM_DIR}../rules.mak

Well, why does this error occur and how could I solve it? I can only install if I don't compile with --with-experimental-modules, so what happens if I don't use those experimental modules? Could freeradius work in my wlan as I hope? thanks in advance for your time.
before freeradius, openssl don't work
hi everybody, well, still trying to use freeradius for a wlan. I use debian sarge kernel 2.6.13, openssl 0.9.8a to generate certificates and the latest freeradius version. Well, I followed many tutorials about securing wlans with freeradius and all of them have this step:

    openssl rsa newreq.pem servidor-key.pem

but when I type this my system returns:

    unable to load Private Key
    5237:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

So I think it's a problem with rsa generation and tried to generate an rsa key, but always get the same error. I know this is not an openssl list, but I posted this question in the openssl list and nobody answered; searched on the internet and nothing; so, could anybody help? What is happening and how could I solve this? Excuse me if this is so trivial, but I'm new with both openssl and freeradius and don't understand what is happening and why. thanks in advance for your time and help.
openssl fails
Hi everybody, well, finally got OpenSSL v0.9.8a installed. Now when I try to generate certificates to be used with FreeRADIUS (EAP-TLS or EAP-PEAP) I use these commands for CERTIFICATE AUTHORITY GENERATION:

#openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:clue1 -passout pass:clue1
#openssl pkcs12 -in root.p12 -out root.pem -passin pass:clue1 -passout pass:clue1
(I copied root.p12 from the FreeRADIUS files)
#openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#rm -rf newreq.pem

and these for SERVER CERTIFICATE GENERATION:

#openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:clue1
#openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem

Right here, when using this command, I get this error:

Error opening CA private key ./demoCA/private/cakey.pem
4161:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('./demoCA/private/cakey.pem','r')
4161:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
unable to load CA private key

Well, I really don't understand what this means, but I reviewed ./demoCA/private/cakey.pem and effectively it's there, so why can't openssl locate it?? Why unable to load CA private key?? So, I tried this:

#openssl x509 -inform PEM -outform DER -in demoCA/cacert.pem -out demoCA/cacert.der

but now get this:

4201:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

Excuse me if this question is so trivial, but I really don't understand it. Could anybody help and tell me what is happening?? Thanks for your patience and help.
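As an added example (not the poster's commands): `openssl ca` does not take the CA key from the command line but from the `private_key` path in the config's [CA_default] section, which in the stock openssl.cnf is ./demoCA/private/cakey.pem, so the script below writes the CA key there from the start, then signs a server certificate through an xpserver_ext section like the one FreeRADIUS ships in xpextensions. The config file, all paths, names and passphrases are constructed for this demo.

```shell
# Added example, not the poster's commands: CA in the ./demoCA layout that
# `openssl ca` reads from its config, then a server cert signed with the
# serverAuth EKU. All paths, names and passphrases are constructed.
set -eu
# Builds CA + server cert under $1; returns 0 only if the chain verifies.
gen_ca_and_server() {
  work=$1
  mkdir -p "$work/demoCA/private" "$work/demoCA/newcerts"
  : > "$work/demoCA/index.txt"            # empty certificate database
  echo 01 > "$work/demoCA/serial"         # next serial number to issue
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $work/demoCA
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
commonName    = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = demo-radius-ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ xpserver_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
  # CA key lands where [CA_default] private_key points, cert where certificate points
  openssl req -new -x509 -config "$work/openssl.cnf" -days 3650 \
    -keyout "$work/demoCA/private/cakey.pem" -out "$work/demoCA/cacert.pem" \
    -passout pass:demo-ca-pass
  # Server CSR with its own key; the CA signs it with the xpserver_ext section
  openssl req -new -config "$work/openssl.cnf" -subj "/CN=radius.example.test" \
    -keyout "$work/server-key.pem" -out "$work/server-req.pem" -passout pass:demo-srv-pass
  openssl ca -batch -config "$work/openssl.cnf" -passin pass:demo-ca-pass \
    -extensions xpserver_ext -in "$work/server-req.pem" -out "$work/server-cert.pem"
  openssl verify -CAfile "$work/demoCA/cacert.pem" "$work/server-cert.pem" >/dev/null
}
```

Once the CA certificate is a plain PEM file at demoCA/cacert.pem, the `openssl x509 -inform PEM -outform DER` conversion from the post works on it directly.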
problem compiling
Hi everybody, well, I downloaded the last version of FreeRADIUS and want to use it with OpenSSL, so I tried to compile using:

--with-experimental-modules --enable-ltdl-install

but I get an error and it is impossible to compile; I must delete these options. When I try to run the server I then get this:

rlm_eap: Failed to link EAP-TYPE/TLS: rlm_eap_tls.so: cannot open shared object: no such file or directory
radiusd[9]

My configuration points to the OpenSSL locations, so why can't I compile and why this error?? OK, thanks for your time.
failed eap-type/tls???
Hi everybody, well, I'm trying to implement an AP over Linux. I use madwifi-ng, Debian Sarge kernel 2.6.13 and the FreeRADIUS supplied with the Debian installation CDs. I'd like to add more security, so I decided to use hostapd and FreeRADIUS. First I generated my own certificates using openssl, and my hostapd configuration refers to the FreeRADIUS files and directories. Here is my radiusd.conf file:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = root
group = root
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 192.168.50.1
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = before
lower_pass = before
nospace_user = before
nospace_pass = before
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp= no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
    }
    ldap {
        server = ldap.your.domain
        basedn = o=My Org,c=UA
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm IPASS {
        format = prefix
        delimiter = /
        ignore_default = no
        ignore_null = no
    }
    realm suffix {
        format = suffix
        delimiter = @
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = %
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = \\
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailperm = 0600
    }
    acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = no
        check_with_nas = yes
        perm = 0600
        callerid = yes
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = no
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = /bin/echo %{User-Name}
        input_pairs = request
        output_pairs = reply
    }
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}
instantiate {
    exec
    expr
}
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type
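An added example, not part of the post or of FreeRADIUS: a small audit over a radiusd.conf for settings a reviewer would flag in the file quoted above (the daemon kept as root, the ldap block left at the template placeholder without TLS, and the options that put credentials into logs or core files). The sample configs, the account name freerad and the LDAP hostname are constructed.

```shell
# Added example, not the poster's configuration: audit a radiusd.conf for
# settings worth flagging. Sample configs below are constructed.
set -eu
# Value of the first "key = value" line for a key (comments stripped);
# prints nothing when the key is absent.
conf_get() {  # $1 = file, $2 = key
  sed 's/#.*//' "$1" |
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1
}
# One finding per line on stdout; nothing printed means nothing flagged.
audit_radiusd_conf() {
  f=$1
  if [ "$(conf_get "$f" user)" = root ] || [ "$(conf_get "$f" group)" = root ]; then
    echo "user/group = root: the daemon keeps root for its whole lifetime"
  fi
  if [ "$(conf_get "$f" log_auth_goodpass)" = yes ]; then
    echo "log_auth_goodpass = yes: cleartext passwords are written to the log"
  fi
  if [ "$(conf_get "$f" allow_core_dumps)" = yes ]; then
    echo "allow_core_dumps = yes: core files would contain live credentials"
  fi
  if [ "$(conf_get "$f" server)" = ldap.your.domain ]; then
    echo "ldap server = ldap.your.domain: template placeholder never edited"
  fi
  if [ "$(conf_get "$f" start_tls)" = no ]; then
    echo "ldap start_tls = no: bind credentials cross the network in the clear"
  fi
}
# Constructed sample mirroring the settings in the quoted radiusd.conf
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
user = root
group = root
allow_core_dumps = no
log_auth_goodpass = no
modules {
    ldap {
        server = ldap.your.domain   # template default
        start_tls = no
    }
}
EOF
# Same file with the flagged lines corrected (unprivileged account, real host, TLS)
fixed_conf=$(mktemp)
sed -e 's/^user = root/user = freerad/' -e 's/^group = root/group = freerad/' \
    -e 's/ldap.your.domain/ldap.corp.example/' -e 's/start_tls = no/start_tls = yes/' \
    "$weak_conf" > "$fixed_conf"
audit_radiusd_conf "$weak_conf"
```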