Re: Sending Access-Challenge
Laszlo Fekete wrote:
> So I want a radius server to wifi auth with eap-ttls/peap, ldap and not plain-text passwords. I downloaded the 2.1.4 source and created a Debian package without modification, did some basic configuration and testing; radtest from local is fine, but radeapclient eap-md5 testing fails.

Don't use radeapclient. See my web page for instructions on setting up EAP: http://deployingradius.com

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Sending Access-Challenge
Alan DeKok wrote:
> Don't use radeapclient. See my web page for instructions on setting up EAP: http://deployingradius.com

I tried the eapol_test from the web page ( http://deployingradius.com/scripts/eapol_test/ ). With EAP-TTLS pap/chap/ms-chap it said success:

RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): f6 97 5f 08 83 c3 6f 4d db 4b 85 d9 9a 1b 89 b6 6a 93 3e 49 39 bc 5e 2b fc 43 4f b8 d7 35 c5 2a
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 5d 56 b2 09 50 c8 ae 7d c0 b4 f3 3f e1 92 a0 6c 9b fe c6 51 b5 a9 3a d3 39 38 70 d2 76 c2 8b 73
decapsulated EAP packet (code=3 id=6 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 5d 56 b2 09 50 c8 ae 7d c0 b4 f3 3f e1 92 a0 6c 9b fe c6 51 b5 a9 3a d3 39 38 70 d2 76 c2 8b 73
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS

But when I try with eap-ttls eap-md5/eap-mschapv2, eap-peap eap-mschapv2 it fails:

RADIUS packet matching with station
decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE

If needed I can post the whole output, or if it's easier, please tell me where I should look for the problem.

Thank you:
blackluck
Re: Sending Access-Challenge
Hi,

> But when I try with eap-ttls eap-md5/eap-mschapv2, eap-peap eap-mschapv2 it fails:

PEAP works but TTLS fails - so, does your eap.conf have ttls configured?

alan
Re: Sending Access-Challenge
Do *not* CC me on messages sent to the list. In case you hadn't noticed, I already read the list.

And do *not* set return receipt requested. It's rude, and it causes me to be biased against people who use it.

Laszlo Fekete wrote:
> ...
> But when I try with eap-ttls eap-md5/eap-mschapv2, eap-peap eap-mschapv2 it fails:

Is there any reason you're not looking at the debugging output of the server, as suggested in the FAQ, README, INSTALL, man page, and daily on this list?

Alan DeKok.
Re: Sending Access-Challenge
Alan DeKok wrote:
> Do *not* CC me on messages sent to the list. In case you hadn't noticed, I already read the list.
>
> And do *not* set return receipt requested. It's rude, and it causes me to be biased against people who use it.

Sorry, I will watch for this in the future.

> Laszlo Fekete wrote:
> > ...
> > But when I try with eap-ttls eap-md5/eap-mschapv2, eap-peap eap-mschapv2 it fails:
>
> Is there any reason you're not looking at the debugging output of the server, as suggested in the FAQ, README, INSTALL, man page, and daily on this list?
>
> Alan DeKok.

True, sorry again! And I found the problem: I turned off proxy earlier, because I read:

# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.

When I turned proxy on again, the eap-md5 and eap-mschapv2 auth succeeded.

Thank you,
blackluck
Re: Sending Access-Challenge Fail
Daniel Romero wrote:
> I'm stuck... I don't know what to do...
> ...
> Sending Access-Challenge of id 3 to 192.168.100.185
> ...
> Waking up in 5 seconds...

See the FAQ. http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: EAP TTLS Certificate - Re-sending Access-Challenge
Michael Poser wrote:
> But when I want to authenticate with securew2 or odyssey Client the authentication stops after the first Access-Request:
> ...
> rad_recv: Access-Request packet from host 10.87.80.1:3072, id=151, length=117
> Sending duplicate reply to client lancom-ap:3072 - ID: 151
> Re-sending Access-Challenge of id 151 to 10.87.80.1:3072
> --8--
> After this, the Client sends the same packet with the same id to the Server; it goes in circles.

The client is sending the request to one IP address, and the server is sending its reply from a different IP address. See the listen directive in radiusd.conf.

> The configuration is the same as the working FR-Server with selfsigning certificates.

Did you 'diff' the configurations to be sure?

Alan DeKok.
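
The retransmission loop quoted in the last message (same client, same packet id, repeated "Re-sending Access-Challenge") can be picked out of saved server debug output mechanically. The script below is an added example, not part of the original thread or of FreeRADIUS; the function name, the threshold and the second client 10.87.80.2 in the sample are assumptions, and the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Both "ip:port" and "ip port N" spellings of the client address are accepted.
ADDR = r"(?P<ip>[\d.]+)(?::| port )(?P<port>\d+)"
RECV = re.compile(r"rad_recv: Access-Request packet from host " + ADDR
                  + r", id=(?P<id>\d+)")
RESEND = re.compile(r"Re-sending Access-Challenge of id (?P<id>\d+) to " + ADDR)


def find_challenge_loops(log_text, threshold=2):
    """Return {(ip, port, id): resend_count} for exchanges that look stuck.

    A healthy EAP conversation uses a new RADIUS id for each round trip, so
    the server re-sending a challenge for the *same* id means the client never
    accepted the reply. One re-send can be ordinary packet loss; `threshold`
    (an assumed default) is the number of re-sends treated as a loop.
    """
    requests, resends = Counter(), Counter()
    for line in log_text.splitlines():
        for pattern, counter in ((RECV, requests), (RESEND, resends)):
            m = pattern.search(line)
            if m:
                counter[(m["ip"], int(m["port"]), int(m["id"]))] += 1
                break
    # Only report re-sends that answer a request actually seen in this log.
    return {key: n for key, n in resends.items()
            if n >= threshold and requests[key] > 0}


# Constructed sample: the loop from the thread repeated three times, plus a
# second (hypothetical) client that lost one packet and then moved on.
SAMPLE = (
    "rad_recv: Access-Request packet from host 10.87.80.1:3072, id=151, length=117\n"
    "Sending Access-Challenge of id 151 to 10.87.80.1:3072\n"
    + ("rad_recv: Access-Request packet from host 10.87.80.1:3072, id=151, length=117\n"
       "Sending duplicate reply to client lancom-ap:3072 - ID: 151\n"
       "Re-sending Access-Challenge of id 151 to 10.87.80.1:3072\n") * 3
    + "rad_recv: Access-Request packet from host 10.87.80.2 port 1814, id=7, length=130\n"
      "Re-sending Access-Challenge of id 7 to 10.87.80.2 port 1814\n"
      "rad_recv: Access-Request packet from host 10.87.80.2 port 1814, id=8, length=130\n"
)

if __name__ == "__main__":
    for (ip, port, pkt_id), count in find_challenge_loops(SAMPLE).items():
        print(f"{ip}:{port} id={pkt_id}: challenge re-sent {count} times; "
              "compare the server's reply source address with the listen directive")
```

A client flagged here is one whose replies should be checked against the address the server is bound to, as the reply above suggests.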