Re: EAP PEAP, unable to load certificate
Nick Larsen [EMAIL PROTECTED] wrote:

> Now I'm trying to authenticate users via wireless PDAs, but I now get auth: No User-Password or CHAP-Password attribute in the request in Access-Request, I guess it's the Linksys WAG54g now, so I better start trawling through the net again.

No.

Run the server in debugging mode, and post the output here.

That message happens ONLY if you forcibly set Auth-Type = Local when it doesn't make sense to do so.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP PEAP, unable to load certificate
Hi,

I have forcibly set Auth-Type to Local, so perhaps that's the problem.

Here's my debug output anyway...

rad_recv: Access-Request packet from host 10.10.1.199:1812, id=1, length=73
    User-Name = nick
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x02010009016e69636b
    NAS-IP-Address = 10.10.1.199
    Message-Authenticator = 0xa2632b22341f08798a0fca4aa0f457c9
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 160
modcall[authorize]: module preprocess returns ok for request 160
modcall[authorize]: module chap returns noop for request 160
modcall[authorize]: module mschap returns noop for request 160
rlm_realm: No '@' in User-Name = nick, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 160
rlm_eap: EAP packet type response id 1 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 160
radius_xlat: 'nick'
rlm_sql (sql): sql_set_user escaped user -- 'nick'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'nick' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'nick' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 160
modcall: leaving group authorize (returns updated) for request 160
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [nick] (from client Finc-Wireless port 0)
Delaying request 160 for 1 seconds
Finished request 160
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 10.10.1.199 port 1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 160 ID 1 with timestamp 44f357bf
Nothing to do. Sleeping until we see a request.

Cheers for your help,
Nick Larsen

On 8/29/06, Alan DeKok [EMAIL PROTECTED] wrote:

> Nick Larsen [EMAIL PROTECTED] wrote:
>
>> Now I'm trying to authenticate users via wireless PDAs, but I now get auth: No User-Password or CHAP-Password attribute in the request in Access-Request, I guess it's the Linksys WAG54g now, so I better start trawling through the net again.
>
> No.
>
> Run the server in debugging mode, and post the output here.
>
> That message happens ONLY if you forcibly set Auth-Type = Local when it doesn't make sense to do so.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Regards,
Nick Larsen
Wellington
NEW ZEALAND

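A check for the condition this thread diagnoses, as an added example that is not part of any message in the thread: it scans `radiusd -X` output for Access-Requests that carried an EAP-Message but were then handed to Auth-Type Local, and decodes the EAP header to show the packet holds only an identity, not a password. The function names and the sample text (a few lines constructed from the debug output above) are assumptions of this example.

```python
import re
import struct

# Constructed sample: a subset of the debug lines posted in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.10.1.199:1812, id=1, length=73
    User-Name = nick
    EAP-Message = 0x02010009016e69636b
modcall[authorize]: module eap returns updated for request 160
rad_check_password: Found Auth-Type Local
auth: No User-Password or CHAP-Password attribute in the request
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def decode_eap(hex_digits):
    """Decode the RFC 3748 header of a (reassembled) EAP packet given as hex."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        info["data"] = raw[5:length]
    return info

def diagnose(debug_text):
    """Return the decoded EAP packet of every request sent to Auth-Type Local."""
    findings, chunks = [], []
    for line in map(str.strip, debug_text.splitlines()):
        if line.startswith("rad_recv:"):
            chunks = []  # a new packet starts; forget the previous one
        m = re.match(r"EAP-Message = 0x([0-9a-fA-F]+)$", line)
        if m:
            # A long EAP packet is split over several EAP-Message attributes.
            chunks.append(m.group(1))
        elif line == "rad_check_password: Found Auth-Type Local" and chunks:
            findings.append(decode_eap("".join(chunks)))
    return findings

if __name__ == "__main__":
    for eap in diagnose(SAMPLE):
        print("EAP request forced to Auth-Type Local:", eap)
```

For the request in this thread the decoded packet is an EAP Response of type Identity whose data is the user name, so there is no User-Password or CHAP-Password for a Local check to compare against.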
Re: EAP PEAP, unable to load certificate
Hi,

Thanks for that, it worked wonders. I also had to recreate some certificates properly.

Now I'm trying to authenticate users via wireless PDAs, but I now get auth: No User-Password or CHAP-Password attribute in the request in Access-Request, I guess it's the Linksys WAG54g now, so I better start trawling through the net again.

Thanks again,
Nick Larsen

On 8/25/06, K. Hoercher [EMAIL PROTECTED] wrote:

> On 8/25/06, Nick Larsen [EMAIL PROTECTED] wrote:
>
>> tls: certificate_file = (null)
>
> You have to fill in this information. See the comment in eap.conf above the pertinent line.
>
> regards
> K. Hoercher

--
Regards,
Nick Larsen
Wellington
NEW ZEALAND

EAP PEAP, unable to load certificate
Hi Subscribers,

I'm currently setting up a wireless hotspot for a cafe, and am currently stuck with the EAP part in FreeRADIUS.

I'm running FreeRADIUS Version 1.1.1 on FreeBSD.

`uname -a` output:

FreeBSD radius02.01.net.nz 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Wed Nov 2 22:33:15 UTC 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC sparc64

I'm trying to connect my i-mate PDA2k (PDA) to the Linksys WAG54g access point. The access point is set up to use WPA-RADIUS, but when I attempt to connect to it from the PDA, it says the Linksys isn't sending a User-Password or CHAP-Password attribute, so this is where I thought I needed EAP. We want to make it as easy as possible for people with mobile devices to connect to the AP, so I decided to use the PEAP method, which requires tls{} to be enabled.

I have created an SSL certificate (CA) and private key file, and put them in /etc/raddb/certs and referenced them correctly in eap.conf under tls{} but when I enable peap{} I get the following output from radiusd -XA:

(On the 8th to last line, you'll see fopen, and it has nothing between the quotes in the 1st argument.)

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 5120
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: bind_address = 10.10.1.18 IP address [10.10.1.18]
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded SQL Counter
sqlcounter: counter-name = Daily-Session-Time
sqlcounter: check-name = Max-Daily-Session
sqlcounter: key = User-Name
sqlcounter: sqlmod-inst = sql
sqlcounter: query = SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '%b'
sqlcounter: reset = daily
sqlcounter: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 1830
rlm_sqlcounter: Check attribute Max-Daily-Session is number 1831
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Next reset 1156507200 [2006-08-26 00:00:00]
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Prev reset 1156420800 [2006-08-25 00:00:00]
Module: Instantiated sqlcounter (dailycounter)
sqlcounter: counter-name = Monthly-Session-Time
sqlcounter: check-name = Max-Monthly-Session
sqlcounter: key = User-Name
sqlcounter: sqlmod-inst = sql
sqlcounter: query = SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '%b'
sqlcounter: reset = monthly
sqlcounter: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
rlm_sqlcounter: Counter attribute Monthly-Session-Time is number 1832
rlm_sqlcounter: Check attribute Max-Monthly-Session is number 1833
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Next reset 1157025600 [2006-09-01 00:00:00]
rlm_sqlcounter: Current Time: 1156477612 [2006-08-25 15:46:52], Prev reset 1154347200 [2006-08-01 00:00:00]
Module: Instantiated sqlcounter (monthlycounter)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap:

Re: EAP PEAP, unable to load certificate
On 8/25/06, Nick Larsen [EMAIL PROTECTED] wrote:

> tls: certificate_file = (null)

You have to fill in this information. See the comment in eap.conf above the pertinent line.

regards
K. Hoercher