Hello, I have been learning about FreeRADIUS and could use some guidance. I have a FreeRADIUS server, a 3Com 5500 switch and a Mac OS X client.
I set up a test machine and added a client record and shared secret. Joe User is getting his credentials from LDAP, and the machine he sent the request from is 10.5.1.8; FreeRADIUS is running on 10.5.1.101. Now I need to configure the 3Com switch and the Mac OS X client to send/accept EAP or EAP-TLS. Neither Apple nor 3Com have good setup docs, so I'm looking to the list; maybe someone has crossed this river before I build a new bridge? Here was my auth test from a remote user:

echo "User-Name = joeuser\n User-Password = hispassword" | radclient -sx 10.5.1.101 auth Secret
Sending Access-Request of id 137 to 10.5.1.101 port 1812
        User-Name = "joeuser"
        User-Password = "hispassword"
rad_recv: Access-Accept packet from host 10.5.1.101:1812, id=137, length=20
Total approved auths:  1
Total denied auths:    0
Total lost auths:      0

And the server side (radiusd -X):

Mon Apr 11 20:17:42 2011 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.5.1.8 port 57337, id=254, length=51
        User-Name = "joeuser"
        User-Password = "hispassword"
Mon Apr 11 20:27:04 2011 : Info: +- entering group authorize {...}
Mon Apr 11 20:27:04 2011 : Info: ++[preprocess] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[chap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[mschap] returns noop
Mon Apr 11 20:27:04 2011 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL
Mon Apr 11 20:27:04 2011 : Info: [suffix] No such realm "NULL"
Mon Apr 11 20:27:04 2011 : Info: ++[suffix] returns noop
Mon Apr 11 20:27:04 2011 : Info: [eap] No EAP-Message, not doing EAP
Mon Apr 11 20:27:04 2011 : Info: ++[eap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[unix] returns updated
Mon Apr 11 20:27:04 2011 : Info: ++[files] returns noop
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The host 10.5.1.8 does not have an access group.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: no access control groups, all users allowed.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: Setting Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[expiration] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[logintime] returns noop
Mon Apr 11 20:27:04 2011 : Info: [pap] Found existing Auth-Type, not changing it.
Mon Apr 11 20:27:04 2011 : Info: ++[pap] returns noop
Mon Apr 11 20:27:04 2011 : Info: Found Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: +- entering group opendirectory {...}
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Auth: Login OK: [joeuser/hispassword] (from client noc port 0)
Mon Apr 11 20:27:04 2011 : Info: +- entering group post-auth {...}
Mon Apr 11 20:27:04 2011 : Info: ++[exec] returns noop
Sending Access-Accept of id 254 to 10.5.1.8 port 57337
Mon Apr 11 20:27:04 2011 : Info: Finished request 2.
Mon Apr 11 20:27:04 2011 : Debug: Going to the next request
Mon Apr 11 20:27:04 2011 : Debug: Waking up in 4.9 seconds.

Okay, so that's good.
Now I assume that I can configure the switch. After following 3Com's instructions I end up with:

[5500G-EI]display dot1x int g1/0/5
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 Configuration: Transmit Period 30 s, Handshake Period 15 s
                Quiet Period 60 s, Quiet Period Timer is disabled
                Supp Timeout 30 s, Server Timeout 100 s
                The maximal retransmitting times 2
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 1

 GigabitEthernet1/0/5 is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   The port is a(n) an authenticator
   Authenticate Mode is Auto
   Port Control Type is Mac-based
   Max on-line user number is 256
   Authentication Success: 0, Failed: 2
   EAPOL Packets: Tx 13, Rx 12
   Sent EAP Request/Identity Packet : 5
        EAP Request/Challenge Packets: 5
   Received EAPOL Start Packets : 3
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 5
            EAP Response/Challenge Packets: 0
            Error Packets: 0
   1. Unauthenticated user : MAC address: 0025-xxxx-xxxx
   Controlled User(s) amount to 1

[5500G-EI] disp domain
 0  Domain = nocdomain
    State = Active
    RADIUS Scheme = nocsys
    Access-limit = Disable
    Domain User Template:
    Idle-cut = Disable
    Self-service = Disable
    Messenger Time = Disable

 1  Domain = system
    State = Active
    Scheme = LOCAL
    Access-limit = Disable
    Domain User Template:
    Idle-cut = Disable
    Self-service = Disable
    Messenger Time = Disable

At this point I thought I had it, but the OS X client just fails, and it's like the EAP never leaves the 3Com switch: nothing hits the logs, it's quiet. So, I need to know what each side is looking for. Can someone smack me around a bit? Thanks for any insight.

-j

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
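An added example (not part of the original post, and not FreeRADIUS or 3Com code) illustrating the one line in the debug output that decides whether the server does EAP at all: "[eap] No EAP-Message, not doing EAP". The radclient test above sent only User-Name and User-Password, so the eap module stepped aside and rlm_opendirectory handled the request as a plain password check. A switch relaying 802.1X instead wraps the supplicant's EAP packet in one or more EAP-Message attributes (RFC 3579) and must add a Message-Authenticator attribute, an HMAC-MD5 over the packet keyed with the shared secret (RFC 2869), which the server checks before it trusts the EAP payload. The script below encodes such an Access-Request, splits an oversize EAP packet across several EAP-Message attributes as the RFC requires, and performs the two server-side checks: is EAP-Message present, and does the Message-Authenticator verify. The shared secret "Secret", the user name "joeuser", the NAS address 10.5.1.8 and the packet ids are taken from the post; the request authenticator and the EAP identifier values are placeholders chosen here.

```python
"""Minimal RADIUS Access-Request encoder/decoder for EAP-Message and
Message-Authenticator (RFC 2865, 2869, 3579). Added example, not FreeRADIUS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
MAX_AVP_VALUE = 253  # one-byte attribute length minus the 2-byte TLV header


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute."""
    if len(value) > MAX_AVP_VALUE:
        raise ValueError("attribute value too long; fragment it first")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity: Code=2, Identifier, Length, Type=1, identity bytes."""
    data = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def eap_message_avps(eap_packet: bytes) -> list:
    """RFC 3579: an EAP packet longer than 253 bytes (routine for EAP-TLS
    certificates) is carried in consecutive EAP-Message attributes that the
    server concatenates in order."""
    return [(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_AVP_VALUE])
            for i in range(0, len(eap_packet), MAX_AVP_VALUE)]


def build_access_request(secret: bytes, pkt_id: int, authenticator: bytes, attrs: list) -> bytes:
    """Encode an Access-Request. When any EAP-Message is present, add a
    Message-Authenticator: HMAC-MD5(secret) over the whole packet with the
    attribute's 16 value bytes zeroed (RFC 2869 section 5.14)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    if not any(t == ATTR_EAP_MESSAGE for t, _ in attrs):
        return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + authenticator + body
    zeroed = avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body) + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + body + zeroed, hashlib.md5).digest()
    return header + body + avp(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet: bytes) -> list:
    """Walk the TLV list after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def has_eap_message(packet: bytes) -> bool:
    """The server's first decision: no EAP-Message attribute, no EAP."""
    return any(t == ATTR_EAP_MESSAGE for t, _ in parse_attrs(packet))


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC with the field zeroed in place.
    Returns False when the attribute is absent, so an EAP request without it fails."""
    pos = 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())
        pos += length
    return False


def eap_identity_from_packet(packet: bytes) -> str:
    """Reassemble EAP-Message fragments and extract the Response/Identity name."""
    eap = b"".join(v for t, v in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)
    code, _eap_id, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or length != len(eap) or eap[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity")
    return eap[5:].decode()


if __name__ == "__main__":
    secret = b"Secret"                      # placeholder from the post's radclient command
    authenticator = os.urandom(16)          # request authenticator, random per RFC 2865
    eap = eap_response_identity(1, "joeuser")
    pkt = build_access_request(secret, 254, authenticator,
                               [(ATTR_USER_NAME, b"joeuser"),
                                (ATTR_NAS_IP_ADDRESS, bytes([10, 5, 1, 8]))] + eap_message_avps(eap))
    print(has_eap_message(pkt), verify_message_authenticator(secret, pkt), eap_identity_from_packet(pkt))
```

Running it prints True True joeuser: the kind of request the eap module acts on. Feed the same functions a packet with only User-Name and User-Password and has_eap_message is False, which is exactly the path the debug log above took.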