Re: about EAP using 1.1.7 and 2.0.3
Alan wrote:
>hi,
>
>as Alan stated - your NAS doesn't seem to be getting
>the responses from your server. some ACL or routing issue?
>(stick a sniffer directly in front of the switch...if
>you need to, you may need to have a 'port mirror' or somesuch
>from the switch that feeds that switch if traffic is on a mgmt
>VLAN and .1q trunking is involved etc.
>
>don't worry about the errors from the ./configure - unless
>you are using any of those technologies (postgresql, oracle,
>TNC or IKEv2) - your server is 'normal'
>
>alan
>
>
>--

Hi all,

it's partially solved...
I'm using a server as radius server and as vlan trunk that feeds the switch tagged packets, also the server becomes the gateway...
after I used another server for radius, it works.
yeah, the 1.1.7 radius is on another machine ( that's why it works )...
so it's clear this is not about the freeradius version.

thanks a lot all for your time

Ryan Setiawan H

--
DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: about EAP using 1.1.7 and 2.0.3
hi,

as Alan stated - your NAS doesn't seem to be getting the responses from your server. some ACL or routing issue?
(stick a sniffer directly in front of the switch...if you need to, you may need to have a 'port mirror' or somesuch from the switch that feeds that switch if traffic is on a mgmt VLAN and .1q trunking is involved etc.

don't worry about the errors from the ./configure - unless you are using any of those technologies (postgresql, oracle, TNC or IKEv2) - your server is 'normal'

alan

Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote:
> Thanks for the reply, I've updated to freeradius 2.0.5, but still
> didn't show result, the debug still the same,
> here are the debug :
>
> ...
> rad_recv: Access-Request packet from host 192.168.12.130 port 1024,
> id=27, length=213
> Sending duplicate reply to client local port 1024 - ID: 27
> Sending Access-Challenge of id 27 to 192.168.12.130 port 1024

The client isn't receiving the response from the server. Use tcpdump or wireshark to debug your network.

> I'm using default configuration, just only change client.conf and users.
> there is clue, when I saw debug from 1.1.7 the second access request has
> different id
> but in this debug, it had same id ( that is 27 ) maybe because client
> didn't receive challenge, it tried to retransmit

Yes. The IDs are chosen by the client. If it's re-using the same ID, it's because it didn't receive the reply.

> I'm not expert at EAP but I think after challenge client should reply
> with different id... ( that is what I see at 1.1.7 )
> Is there any configuration to be added ?

No. Fix your network.

Alan DeKok.

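The diagnosis in the reply above (the NAS keeps resending RADIUS ID 27 because the Access-Challenge never reaches it) can be read directly from the debug output. The Python below is an added example, not part of the original thread or of FreeRADIUS; the function names are made up for illustration, and the sample is abridged from the debug lines quoted in the thread.

```python
import re

# Abridged from the radiusd debug output quoted in this thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
        EAP-Message = 0x0261000c0174657374696e67
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
        EAP-Message = 0x016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
Sending duplicate reply to client local port 1024 - ID: 27
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
        EAP-Message = 0x0261000c0174657374696e67
"""

RECV = re.compile(r"rad_recv: \S+ packet from host (\S+) port (\d+), id=(\d+)")
EAP = re.compile(r"EAP-Message = 0x([0-9a-fA-F]+)")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

def find_retransmits(debug_text):
    """Count requests that reuse the previous RADIUS ID from the same host and port."""
    # Only back-to-back reuse counts: the 8-bit ID legitimately wraps over time.
    last_id, repeats = {}, {}
    for line in debug_text.splitlines():
        m = RECV.search(line)
        if not m:
            continue
        src, rid = (m.group(1), int(m.group(2))), int(m.group(3))
        if last_id.get(src) == rid:
            repeats[src + (rid,)] = repeats.get(src + (rid,), 0) + 1
        last_id[src] = rid
    return repeats

def decode_eap(hex_str):
    """Decode one unfragmented EAP packet: code, id, length, then the type octet."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("truncated or fragmented EAP-Message")
    eap_type = EAP_TYPES.get(raw[4], str(raw[4])) if len(raw) > 4 else None
    return {"code": EAP_CODES.get(raw[0], str(raw[0])), "id": raw[1],
            "type": eap_type, "data": raw[5:]}

def eap_messages(debug_text):
    return [decode_eap(h) for h in EAP.findall(debug_text)]

if __name__ == "__main__":
    print(find_retransmits(SAMPLE_DEBUG))
    for eap in eap_messages(SAMPLE_DEBUG):
        print(eap["code"], eap["id"], eap["type"], eap["data"].hex())
```

On the sample, the same EAP Identity response (EAP id 97) arrives again after the server has already issued the MD5-Challenge (EAP id 98), which is the signature of a reply lost on the return path rather than a server-side EAP problem.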
Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote:
> Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the
> source tree.
>
> Alan DeKok.
>

Hi Alan,

Thanks for the reply, I've updated to freeradius 2.0.5, but still didn't show result, the debug still the same,
here are the debug :

rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.12.130
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "testing"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "1"
        Called-Station-Id = "00-1c-2e-73-85-00"
        Calling-Station-Id = "00-0a-e4-13-b8-87"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x0261000c0174657374696e67
        Message-Authenticator = 0xf267668d55a632d7f6ff3b2b94735eca
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
  rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 97 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
  users: Matched entry testing at line 61
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
  rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "101"
        EAP-Message = 0x016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a
        Message-Authenticator = 0x
        State = 0xba2a19f0ba481d03bf0d1926ffd8f60a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
Sending duplicate reply to client local port 1024 - ID: 27
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
Cleaning up request 0 ID 27 with timestamp +164
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.12.130
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "testing"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "1"
        Called-Station-Id = "00-1c-2e-73-85-00"
        Calling-Station-Id = "00-0a-e4-13-b8-87"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x0261000c0174657374696e67
        Message-Authenticator = ---

I'm not sure it will help but I include the configure warning for 2.0.5

config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
chmod: check-radiusd-config: No such file or directory
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

-

I'm using default configuration, just only change client.conf and users.
there is clue, when I saw debug from 1.1.7 the second access request has different id
but in this debug, it had sa

Re: about EAP using 1.1.7 and 2.0.3
jbenben wrote:
> I am a new user of freeRadius. I found you are an expert for it. I have
> same question about it. Can you give me a guideline : how to install and
> enable eap with 2.0.5 version ? Thanks a lot. Waiting your reply.

Read the documentation. It's all there.

Do you have a specific question about the documentation?

Alan DeKok.

Re: about EAP using 1.1.7 and 2.0.3
Alan DeKok-4 wrote:
>
> Ryan Setiawan H wrote:
>> Hi All,
>> I've an issue about EAP in 802.1X. right now, I'm trying EAP-MD5 for
>> 802.1X using freeradius 2.0.3
>
> Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the
> source tree.
>
> Alan DeKok.
>

Dear Alan,

I am a new user of freeRadius. I found you are an expert for it. I have same question about it. Can you give me a guideline : how to install and enable eap with 2.0.5 version ? Thanks a lot. Waiting your reply.

Re: about EAP using 1.1.7 and 2.0.3
>users: Matched entry testing at line 102

What is this entry? Does it contain Cleartext-Password as debug clearly suggests? Fix that.

>Sending duplicate reply to client test port 1024 - ID: 4 <--- any
>clue what is it ?

Your supplicant is sending initial request again. Server is responding with the duplicate reply assuming supplicant didn't receive the initial reply.

Ivan Kalik
Kalik Informatika ISP

Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote:
> Hi All,
> I've an issue about EAP in 802.1X. right now, I'm trying EAP-MD5 for
> 802.1X using freeradius 2.0.3

Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the source tree.

Alan DeKok.

about EAP using 1.1.7 and 2.0.3
Hi All,

I've an issue about EAP in 802.1X. right now, I'm trying EAP-MD5 for 802.1X using freeradius 2.0.3 and procurve switch, sadly it doesn't work.
but when I am using freeradius 1.1.7 it works smoothly.
I've tried not only using native windows XP SP 2 supplicant but also wpa_supplicant. both don't work using freeradius2.
I've also tried reinstalling the freeradius 2.0.3 ( I'm forget using mercurial ), I thought I misconfigured something..but. even using "fresh from the oven" configuration still just doesn't work.

here are the debug:

Sending duplicate reply to client test port 1024 - ID: 4
Cleaning up request 2 ID 4 with timestamp +46
Ready to process requests.
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.12.130
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "testing"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "1"
        Called-Station-Id = "00-1c-2e-73-85-00"
        Calling-Station-Id = "00-0a-e4-13-58-c7"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x023a000c0174657374696e67
        Message-Authenticator = 0x55d6fa8c198752bd6c62c351b234a57b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
  rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 58 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
  users: Matched entry testing at line 102
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
  rlm_eap_md5: Issuing Challenge
++[eap] returns handled
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 2
        NAS-Port-Type = Ethernet
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "101"
        EAP-Message = 0x013b001604101fee1ce904aea0659f790123de5bc761
        Message-Authenticator = 0x
        State = 0x9e1dcf679e26cbc870b5fae6a11d133d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Sending duplicate reply to client test port 1024 - ID: 4 <--- any clue what is it ?
Cleaning up request 3 ID 4 with timestamp +56
Ready to process requests.

from the wpa_supplicant's debug it broke right before EAP message method, so it (the supplicant) doesn't receive any MD5 Challenge from radius.

anyone have same problem?
really appreciate any help

Thank you

Ryan Setiawan H