Re: PEAP problems, never see an Access-Accept

2006-02-02 Thread Jorgen Rosink
On 2/3/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jorgen Rosink <[EMAIL PROTECTED]> wrote:
> > Had a hard time to even start FreeRadius on my Debian Unstable system
> > with a working PEAP module (yes, I'm aware of OpenSSL licences and
> > eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
> > currently using the 20060202-snapshot. With this version (also tried
> > 20060130, same behaviour) I'm able to create PEAP enabled Debian
> > packages, after manually editing the pcap section in the main
> > Makefile.
>
>   I'd suggest using 1.1.0, unless you're willing to work with an
> unstable version of FreeRADIUS.

I'd like to, but I'm unable to build working Debian packages with both
the official source 1.1.0 and the Debian upstream one (override
libssl-dev build conflict). The symlinks in my Freeradius libdir for
both eap_tls & eap_peap are invalid with this version (1.0.5 also
failed).
From what I understand this should be fixed in 1.1.0, but as mentioned
earlier, the latest snapshots are the only ones working here, with
PEAP that is.

>
> > The problem now is that I'm trying to authenticate a default WindowsXP
> > SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
> > 520WL Access Point in 802.1x mode (latest firmware). Below my
> > FreeRadius startup and an attempt to authenticate, could someone please
> > point me in a direction what's going on, I've no clue what's wrong...
>
>   The symptom that Windows stops talking to the RADIUS server usually
> means that the server certificate doesn't contain the magic windows
> OIDs.  See the scripts/ directory for samples of how to create certs
> with the right stuff.

That did the trick, thank you very much!!!

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP problems, never see an Access-Accept

2006-02-02 Thread Alan DeKok
Jorgen Rosink <[EMAIL PROTECTED]> wrote:
> Had a hard time to even start FreeRadius on my Debian Unstable system
> with a working PEAP module (yes, I'm aware of OpenSSL licences and
> eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
> currently using the 20060202-snapshot. With this version (also tried
> 20060130, same behaviour) I'm able to create PEAP enabled Debian
> packages, after manually editing the pcap section in the main
> Makefile.

  I'd suggest using 1.1.0, unless you're willing to work with an
unstable version of FreeRADIUS.

> The problem now is that I'm trying to authenticate a default WindowsXP
> SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
> 520WL Access Point in 802.1x mode (latest firmware). Below my
> FreeRadius startup and an attempt to authenticate, could someone please
> point me in a direction what's going on, I've no clue what's wrong...

  The symptom that Windows stops talking to the RADIUS server usually
means that the server certificate doesn't contain the magic windows
OIDs.  See the scripts/ directory for samples of how to create certs
with the right stuff.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
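An added example, not from this thread and not the FreeRADIUS project's own scripts: the "magic" OID Alan refers to is the Extended Key Usage id-kp-serverAuth (1.3.6.1.5.5.7.3.1), which the xpserver_ext section of scripts/xpextensions adds when a server certificate is signed. The script below reproduces that section in a throwaway OpenSSL config, signs one CSR twice (with and without the extension) so both cases can be compared, and defines a check you can point at the file named in eap.conf's certificate_file. It assumes openssl is on PATH; the CN radius.example.test, the file names and the temp directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): build a RADIUS server
# certificate carrying the EKU that Windows PEAP supplicants require, and
# check an existing PEM certificate for it. The xpserver_ext section matches
# FreeRADIUS scripts/xpextensions; CN, file names and key size are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# id-kp-serverAuth. Without it in extendedKeyUsage the XP supplicant stops
# talking after ServerHelloDone and no Access-Accept ever appears.
SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"

write_openssl_config() {
    cat > "$WORKDIR/xpextensions.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = radius.example.test

# Same content as the xpserver_ext section in FreeRADIUS scripts/xpextensions
[ xpserver_ext ]
extendedKeyUsage = $SERVER_AUTH_OID
EOF
}

# One key and CSR, signed twice: with xpserver_ext (what Windows wants) and
# with no extensions at all (the failing case from the thread).
build_demo_certs() {
    write_openssl_config
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORKDIR/xpextensions.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" \
        -extfile "$WORKDIR/xpextensions.cnf" -extensions xpserver_ext \
        -out "$WORKDIR/server-with-eku.crt" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" \
        -out "$WORKDIR/server-without-eku.crt" 2>/dev/null
}

# Exit status 0 when the PEM certificate in $1 lists TLS Web Server
# Authentication under X509v3 Extended Key Usage, 1 otherwise.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

report() {
    if has_server_auth_eku "$1"; then
        echo "OK   $1: serverAuth EKU present"
    else
        echo "FAIL $1: no serverAuth EKU, Windows PEAP clients will drop the handshake"
    fi
}

build_demo_certs
report "$WORKDIR/server-with-eku.crt"
report "$WORKDIR/server-without-eku.crt"
```

To test a production certificate rather than the demo ones, source the script or copy has_server_auth_eku and run it against the path from eap.conf (here /etc/freeradius/certs/example.crt). A certificate that fails this check produces exactly the symptom in the thread: the TLS handshake reaches ServerHelloDone and the supplicant never answers.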


PEAP problems, never see an Access-Accept

2006-02-02 Thread Jorgen Rosink
Had a hard time to even start FreeRadius on my Debian Unstable system
with a working PEAP module (yes, I'm aware of OpenSSL licences and
eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
currently using the 20060202-snapshot. With this version (also tried
20060130, same behaviour) I'm able to create PEAP enabled Debian
packages, after manually editing the pcap section in the main
Makefile.

The problem now is that I'm trying to authenticate a default WindowsXP
SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
520WL Access Point in 802.1x mode (latest firmware). Below my
FreeRadius startup and an attempt to authenticate, could someone please
point me in a direction what's going on, I've no clue what's wrong...

Also Google told me that the last line here isn't harmful:

rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A



===

Starting - reading configuration files ...
read_config_files:  reading dictionary
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
  main: prefix = "/usr"
  main: localstatedir = "/var"
  main: logdir = "/var/log/freeradius"
  main: libdir = "/usr/lib/freeradius"
  main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
  main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
  main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
  main: pidfile = "/var/run/freeradius/freeradius.pid"
  main: user = "freerad"
  main: group = "freerad"
  main: checkrad = "/usr/sbin/checkrad"
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = "daemon"
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading realms
 main: port = 1812
  listen: type = "auth"
  listen: ipaddr = *
 listen: port = 0
 listen: type = "acct"
  listen: ipaddr = *
 listen: port = 0
  client: secret = "VerySecret"
  client: shortname = "localhost"
  client: nastype = "other"
  client: secret = "VerySecret"
  client: shortname = "AccessPoint"
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: input_pairs = "request"
 exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
 expiration: reply-message = "Password Has Expired  "
Module: Instantiated expiration (expiration)
Module: Loaded logintime
  logintime: reply-message = "You are calling outside your allowed timespan  "
  logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
 pap: encryption_scheme = "auto"
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = yes
  mschap: require_strong = yes
  mschap: with_ntdomain_hack = no
  mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: radwtmp = "/var/log/freeradius/radwtmp"
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = "peap"
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
  gtc: challenge = "Password: "
  gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
  tls: rsa_key_exchange = no
  tls: dh_key_exchange = yes
  tls: rsa_key_length = 512
  tls: dh_key_length = 512
  tls: verify_depth = 0
  tls: pem_file_type = yes
  tls: private_key_file = "/etc/freeradius/certs/example.key"
  tls: certificate_file = "/etc/freeradius/certs/example.crt"
  tls: CA_file = "/etc/ssl/certs/ca-example.pem"
  tls: dh_file = "/etc/freeradius/certs/example.dh"
  tls: random_file = "/dev/urandom"
  tls: fragment_size = 1024
  tls: include_length = yes
  tls: check_crl = no
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
  peap: default_eap_type = "mschapv2"
  peap: copy_request_to_tunnel = no
  peap: use_tunneled_reply = no
  peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2