Re: RE : Problem with Freeradius+LDAP+wifi
Rafał Kamiński wrote:
> Sorry for all my posts :(
> PEAP tunnel data in : 02 08 00 0b 21 80 03 00 02 00 02
> Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Received EAP-TLV response.
> Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Tunneled data is valid.
> Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

Read the REST of the debug log to see what's going on.

> I have a question: what is this: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. ???
>
> I think it is the problem with reject :(

Yes... did you read the earlier debug messages?

You were very careful to remove almost all useful information from your post. This makes it nearly impossible to help you.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Problem with Freeradius+LDAP+wifi
Sorry for all my posts :( I set peap/eap/tls and I start freeradius, but when a user on a laptop with wifi wants to authenticate to radius over the Linksys, in the log there is:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=167
        User-Name = "lpa"
        NAS-IP-Address = 192.168.1.245
        Called-Station-Id = "001217694588"
        Calling-Station-Id = "0014a41e7112"
        NAS-Identifier = "001217694588"
        NAS-Port = 61
        Framed-MTU = 1400
        State = 0xd7a7e508bf067ebf840f706609179973
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020800261900170301001b0a80b340ff12abb3c834cd77d204562a8b8514d1823bfd2b9ecbf2
        Message-Authenticator = 0x242aac203af35c0d27c38f590d032df8
Tue Jan 16 14:35:56 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Jan 16 14:35:56 2007 : Debug: modcall: entering group authorize for request 19
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 19
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 19
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 19
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: - authorize
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: performing user authorization for lpa
Tue Jan 16 14:35:56 2007 : Debug: radius_xlat: '(uid=lpa)'
Tue Jan 16 14:35:56 2007 : Debug: radius_xlat: 'ou=Users,dc=domain'
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=lpa)
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: looking for check items in directory...
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: looking for reply items in directory...
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: user lpa authorized to use remote access
Tue Jan 16 14:35:56 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall[authorize]: module "ldap" returns ok for request 19
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap: EAP packet type response id 8 length 38
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall: leaving group authorize (returns updated) for request 19
Tue Jan 16 14:35:56 2007 : Debug: rad_check_password: Found Auth-Type EAP
Tue Jan 16 14:35:56 2007 : Debug: auth: type "EAP"
Tue Jan 16 14:35:56 2007 : Debug: Processing the authenticate section of radiusd.conf
Tue Jan 16 14:35:56 2007 : Debug: modcall: entering group authenticate for request 19
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap: Request found, released from the list
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap: EAP/peap
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap: processing type peap
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Authenticate
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_tls: processing TLS
Tue Jan 16 14:35:56 2007 : Debug: eaptls_verify returned 7
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_tls: Done initial handshake
Tue Jan 16 14:35:56 2007 : Debug: eaptls_process returned 7
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: EAPTLS_OK
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in : 02 08 00 0b 21 80 03 00 02 00 02
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Received EAP-TLV response.
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Tunneled data is valid.
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap: Handler failed in EAP/peap
Tue Jan 16 14:35:56 2007 : Debug: rlm_eap: Failed in EAP select
Tue Jan 16 14:35:56 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall[authenticate]: module "eap" returns invalid for request 19
Tue Jan 16 14:35:56 2007 : Debug: modcall: leaving group authenticate (returns invalid) for request 19
Tue Jan 16 14:35:56 2007 : Debug: auth: Failed to validate the user.
Tue Jan 16 14:35:56 2007 : Debug: Delaying request 19 for 1 seconds
Tue Jan 16 14:35:56 2007 : Debug: Finish
Re: RE : Problem with Freeradius+LDAP+wifi
OK, I compiled freeradius with TLS EAP, but now I have this problem when I want to start freeradius:

Tue Jan 16 13:49:16 2007 : Debug: Module: Loaded eap
Tue Jan 16 13:49:16 2007 : Debug:  eap: default_eap_type = "tls"
Tue Jan 16 13:49:16 2007 : Debug:  eap: timer_expire = 60
Tue Jan 16 13:49:16 2007 : Debug:  eap: ignore_unknown_eap_types = no
Tue Jan 16 13:49:16 2007 : Debug:  eap: cisco_accounting_username_bug = no
Tue Jan 16 13:49:16 2007 : Debug:  tls: rsa_key_exchange = no
Tue Jan 16 13:49:16 2007 : Debug:  tls: dh_key_exchange = yes
Tue Jan 16 13:49:16 2007 : Debug:  tls: rsa_key_length = 512
Tue Jan 16 13:49:16 2007 : Debug:  tls: dh_key_length = 512
Tue Jan 16 13:49:16 2007 : Debug:  tls: verify_depth = 0
Tue Jan 16 13:49:16 2007 : Debug:  tls: CA_path = "(null)"
Tue Jan 16 13:49:16 2007 : Debug:  tls: pem_file_type = yes
Tue Jan 16 13:49:16 2007 : Debug:  tls: private_key_file = "/etc/freeradius/cert/radius.key"
Tue Jan 16 13:49:16 2007 : Debug:  tls: certificate_file = "/etc/freeradius/cert/radius.crt"
Tue Jan 16 13:49:16 2007 : Debug:  tls: CA_file = "/etc/freeradius/cert/ca.pem"
Tue Jan 16 13:49:16 2007 : Debug:  tls: private_key_password = "(null)"
Tue Jan 16 13:49:16 2007 : Debug:  tls: dh_file = "(null)"
Tue Jan 16 13:49:16 2007 : Debug:  tls: random_file = "(null)"
Tue Jan 16 13:49:16 2007 : Debug:  tls: fragment_size = 1024
Tue Jan 16 13:49:16 2007 : Debug:  tls: include_length = yes
Tue Jan 16 13:49:16 2007 : Debug:  tls: check_crl = no
Tue Jan 16 13:49:16 2007 : Debug:  tls: check_cert_cn = "(null)"
Tue Jan 16 13:49:16 2007 : Debug:  tls: cipher_list = "(null)"
Tue Jan 16 13:49:16 2007 : Debug:  tls: check_cert_issuer = "(null)"
Tue Jan 16 13:49:16 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Tue Jan 16 13:49:16 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue Jan 16 13:49:16 2007 : Error: rlm_eap_tls: Error loading randomness
Tue Jan 16 13:49:16 2007 : Error: rlm_eap: Failed to initialize type tls
Tue Jan 16 13:49:16 2007 : Error: radiusd.conf[10]: eap: Module instantiation failed.
Tue Jan 16 13:49:16 2007 : Error: radiusd.conf[1767] Unknown module "eap".
Tue Jan 16 13:49:16 2007 : Error: radiusd.conf[1720] Failed to parse authenticate section.

What is that error? :(

--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
RE : RE : RE : Problem with Freeradius+LDAP+wifi
> > Could you post this file?
>
> I have only:
>
> eap {
>         default_eap_type = tls
>         tls {
>                 tls_cacertfile = /etc/freeradius/cert/ca.pem
>                 tls_certfile = /etc/freeradius/cert/radius.crt
>                 tls_keyfile = /etc/freeradius/cert/radius.key
>         }
> }

You're lacking the peap sub part:

        peap {
                # The tunneled EAP session needs a default
                # EAP type which is separate from the one for
                # the non-tunneled EAP module. Inside of the
                # PEAP tunnel, we recommend using MS-CHAPv2,
                # as that is the default type supported by
                # Windows clients.
                default_eap_type = mschapv2

                # the PEAP module also has these configuration
                # items, which are the same as for TTLS.
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes

                # When the tunneled session is proxied, the
                # home server may not understand EAP-MSCHAP-V2.
                # Set this entry to "no" to proxy the tunneled
                # EAP-MSCHAP-V2 as normal MSCHAPv2.
                # proxy_tunneled_request_as_eap = yes
        }

Why have you deleted this entry? When you don't want to use a feature, just comment the section; it'll make it easier to update the configuration in the future.

> BR,
> Rafal Kaminski

HTH,
Thibault
Re: RE : RE : Problem with Freeradius+LDAP+wifi
> Could you post this file?

I have only:

eap {
        default_eap_type = tls
        tls {
                tls_cacertfile = /etc/freeradius/cert/ca.pem
                tls_certfile = /etc/freeradius/cert/radius.crt
                tls_keyfile = /etc/freeradius/cert/radius.key
        }
}

BR,
Rafal Kaminski
Re: RE : Problem with Freeradius+LDAP+wifi
Rafał Kamiński wrote:
> Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: EAP-NAK asked for EAP-Type/peap
> Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: No such EAP type peap
...
> Where is the problem?

The client is requesting to do PEAP, and you didn't configure peap in eap.conf. See the Wiki & various howto's.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
RE : RE : Problem with Freeradius+LDAP+wifi
> Tue Jan 16 09:45:50 2007 : Debug: modcall: entering group authenticate for request 9
> Tue Jan 16 09:45:50 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 9
> Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: Request found, released from the list
> Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: EAP NAK
> Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: EAP-NAK asked for EAP-Type/peap
> Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: No such EAP type peap

Do you have peap configured in your eap.conf file? Could you post this file?

Thibault
Re: RE : Problem with Freeradius+LDAP+wifi
Sic :( I set eap with tls, because when I connected from the PC I saw TLS in the debug output. Then I set tls in eap, but when I started freeradius (freeradius -XXX -A) I saw:

Error: rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
Error: radiusd.conf[661]: eap: Module instantiation failed.
Error: radiusd.conf[1767] Unknown module "eap".
Error: radiusd.conf[1713] Failed to parse authenticate section.

Where is the problem?

BR
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Re: RE : Problem with Freeradius+LDAP+wifi
Hello, I changed my setup and now I have this problem:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=135
        User-Name = "rka"
        NAS-IP-Address = 192.168.1.245
        Called-Station-Id = "001217694588"
        Calling-Station-Id = "0014a41e7112"
        NAS-Identifier = "001217694588"
        NAS-Port = 61
        Framed-MTU = 1400
        State = 0xc278794268fad26149d90a3209f98f21
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100060319
        Message-Authenticator = 0x29e1dbe751ff97581d9c6a0a7b4a30c5
Tue Jan 16 09:45:50 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Jan 16 09:45:50 2007 : Debug: modcall: entering group authorize for request 9
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 9
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 9
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 9
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: - authorize
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: performing user authorization for rka
Tue Jan 16 09:45:50 2007 : Debug: radius_xlat: '(uid=rka)'
Tue Jan 16 09:45:50 2007 : Debug: radius_xlat: 'ou=Users,dc=domain'
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=rka)
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: looking for check items in directory...
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: looking for reply items in directory...
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: user rka authorized to use remote access
Tue Jan 16 09:45:50 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall[authorize]: module "ldap" returns ok for request 9
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: EAP packet type response id 1 length 6
Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall: leaving group authorize (returns updated) for request 9
Tue Jan 16 09:45:50 2007 : Debug: rad_check_password: Found Auth-Type EAP
Tue Jan 16 09:45:50 2007 : Debug: auth: type "EAP"
Tue Jan 16 09:45:50 2007 : Debug: Processing the authenticate section of radiusd.conf
Tue Jan 16 09:45:50 2007 : Debug: modcall: entering group authenticate for request 9
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: Request found, released from the list
Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: EAP NAK
Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: EAP-NAK asked for EAP-Type/peap
Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: No such EAP type peap
Tue Jan 16 09:45:50 2007 : Debug: rlm_eap: Failed in EAP select
Tue Jan 16 09:45:50 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall[authenticate]: module "eap" returns invalid for request 9
Tue Jan 16 09:45:50 2007 : Debug: modcall: leaving group authenticate (returns invalid) for request 9
Tue Jan 16 09:45:50 2007 : Debug: auth: Failed to validate the user.
Tue Jan 16 09:45:50 2007 : Debug: Delaying request 9 for 1 seconds
Tue Jan 16 09:45:50 2007 : Debug: Finished request 9
Tue Jan 16 09:45:50 2007 : Debug: Going to the next request
Tue Jan 16 09:45:50 2007 : Debug: rl_next: returning NULL
Tue Jan 16 09:45:50 2007 : Debug: Waking up in 6 seconds...
Tue Jan 16 09:45:56 2007 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.245 port 3072
        EAP-Message = 0x04010004
        Message-Authenticator = 0x

Where is the problem?

--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
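The EAP-Message values quoted in this thread can be read byte by byte; the following decoder is an added example (not code from the thread or from FreeRADIUS) that parses the EAP-NAK above (0x020100060319), the Access-Reject's EAP-Message (0x04010004), the PEAP response and the tunnelled EAP-TLV bytes (02 08 00 0b 21 80 03 00 02 00 02) quoted earlier on the page. Code and type numbers follow RFC 3748 and the PEAP draft (EAP-TLV is type 33; the Result TLV is type 3 with 1 = Success, 2 = Failure).

```python
import struct

# Added example; not code from the thread or from FreeRADIUS.
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {3: "Nak", 25: "PEAP", 26: "EAP-MSCHAPv2", 33: "EAP-TLV"}
RESULT_TLV = 3                              # PEAP Result TLV type
TLV_RESULT = {1: "Success", 2: "Failure"}   # Result TLV status values

def parse_eap(data):
    """Split one EAP packet into code, id, length and (Request/Response) type."""
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes given")
    pkt = {"code": EAP_CODE.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Success/Failure carry no Type byte
        pkt["type"] = EAP_TYPE.get(data[4], data[4])
        pkt["payload"] = data[5:]
    return pkt

def nak_wanted_types(pkt):
    """An EAP-NAK lists the types the peer is willing to run instead."""
    if pkt.get("type") != "Nak":
        raise ValueError("not an EAP-NAK")
    return [EAP_TYPE.get(t, t) for t in pkt["payload"]]

def parse_tlvs(payload):
    """Walk an EAP-TLV payload: 2-byte M/R/Type, 2-byte Length, Value."""
    tlvs, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        mtype, tlen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV value")
        tlv = {"mandatory": bool(mtype & 0x8000), "type": mtype & 0x3FFF}
        if tlv["type"] == RESULT_TLV and tlen == 2:
            tlv["result"] = TLV_RESULT.get(struct.unpack("!H", value)[0], "?")
        tlvs.append(tlv)
        off += 4 + tlen
    return tlvs

def peap_tls_record(pkt):
    """For an unfragmented PEAP packet, return the TLS record header it carries."""
    flags, rec = pkt["payload"][0], pkt["payload"][1:]
    if flags & 0xC0 or len(rec) < 5:        # L (0x80) / M (0x40): fragmented
        return None
    ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
    return {"content_type": ctype, "version": (major, minor), "record_len": rlen}
```

Running parse_eap on the NAK shows the client asking for type 25 (PEAP), which is exactly what "EAP-NAK asked for EAP-Type/peap" reports; on the tunnel bytes it shows a mandatory Result TLV with value Failure, the "TLV failure" the later log refers to.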
Re: RE : Problem with Freeradius+LDAP+wifi
Rafał Kamiński wrote:
> In the authorize section I have:
>
> authorize {
>         preprocess
>         eap
>         ldap
> }

http://deployingradius.com/documents/configuration/setup.html

You've spent a lot of time editing the config file, in a way that breaks it. Don't do that. Start off with the default configuration, and make gradual changes until you have what you want.

> In the auth section
>
> authentication {
>         Auth-Type LDAP {
>                 ldap
>         }
> }

And no "eap".

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: RE : Problem with Freeradius+LDAP+wifi
> Is 'eap' listed in your authorize section. It should be since this is an EAP
> request and Freeradius needs a way to set Auth-Type to EAP to proceed.

In the authorize section I have:

authorize {
        preprocess
        eap
        ldap
}

In the auth section:

authentication {
        Auth-Type LDAP {
                ldap
        }
}

and in eap.conf I have:

eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
}

Maybe some suggestions?

BR,
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]