Re: WPA Peap problems with Vista (yet again)

2008-04-05 Thread Alan DeKok
Michael Torrie wrote:
> Yet I still have the problem where after the Access-Challenge is sent,
> the Vista clients just silently drop things and the connection fails.
> This is the behavior that I know I would get if I don't have the
> required OID in the certificate.   Yet it is there!  I ran 'openssl x509
> -in /path/to/cert.crt -noout -text' and it shows the extended usage as
> I'd expect.  For some reason openssl calls it TLS Web Server
> Authentication.

  That's the right one.

> Any ideas?  Debug output is:

  Pretty standard.

> Any ideas on how to better debug and fix this major problem for me?

  Ask Vista why it's not authenticating... there isn't much else you can
do on the RADIUS server to debug the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


WPA Peap problems with Vista (yet again)

2008-04-04 Thread Michael Torrie
I've read through the list archives about people's problems with Vista
and FreeRadius, including the recent messages on this list in January,
and a couple of exchanges back in 2006 and 2007.  I am running
FreeRadius 1.1.7 on a RHEL 4 box, compiled from Fedora 8's FreeRadius
SRPM.  According to the changelog, the patch/hack to get around Vista's
broken SSL fragment handling has been in FreeRadius since 1.1.4, so
we're good there.  I also read the big warning in the eap.conf file and
have ensured that my certificate indeed does have the proper OID that
Microsoft requires.  The setup (1.1.5 before, and 1.1.7 now) has been
working fine for XP SP2 for years.

Yet I still have the problem where after the Access-Challenge is sent,
the Vista clients just silently drop things and the connection fails.
This is the behavior that I know I would get if I don't have the
required OID in the certificate.   Yet it is there!  I ran 'openssl x509
-in /path/to/cert.crt -noout -text' and it shows the extended usage as
I'd expect.  For some reason openssl calls it TLS Web Server
Authentication.  Thinking that it was still wrong, I did as was
suggested on the list in January, and downloaded FreeRadius 2.0.3 and
created a self-signed cert with those tools.  It looks the exact same,
so I know the OID is right.

Any ideas?  Debug output is:
Sending Access-Challenge of id 90 to 192.168.4.10 port 21702
EAP-Message = 0x010800061900
Message-Authenticator = 0x
State = 0xdf09144102cbf146277d93e7d554a782
Finished request 1939
Going to the next request

Any ideas on how to better debug and fix this major problem for me?

thanks,

Michael


Re: EAP (PEAP) problems

2006-06-01 Thread Drew Linsalata

Alan DeKok wrote:
>   Why did you add Auth-Type = Accept to the server?  It's breaking EAP.
>
>   Alan DeKok.

Auth-Type = EAP?

A few folks had mentioned to us that using the EAP auth type was a bad
idea.  Why?  No idea.  It seems obvious, so we'll give it a shot.



--

Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com


Re: EAP (PEAP) problems

2006-06-01 Thread Phil Mayers

Drew Linsalata wrote:
> Alan DeKok wrote:
>>   Why did you add Auth-Type = Accept to the server?  It's breaking EAP.
>>
>>   Alan DeKok.
>
> Auth-Type = EAP?
>
> A few folks had mentioned to us that using the EAP auth type was a bad
> idea.  Why?  No idea.  It seems obvious, so we'll give it a shot.

No. You should not have to set Auth-Type to anything, at all, except in 
very specialised configurations. Don't set it at all. For example, the 
entry in the users file might look like:


username User-Password := password

...and nothing else.


Re: EAP (PEAP) problems

2006-06-01 Thread Alan DeKok
Drew Linsalata [EMAIL PROTECTED] wrote:
> Auth-Type = EAP?
>
> A few folks had mentioned to us that using the EAP auth type was a bad
> idea.  Why?  No idea.  It seems obvious, so we'll give it a shot.

  NO!  Read the documentation in eap.conf for why it's a bad idea.

  The solution to one broken configuration is NOT to add yet another
broken configuration.

  Find out where the Auth-Type Accept is coming from, and fix it!

  Alan DeKok.



EAP (PEAP) problems

2006-05-31 Thread Drew Linsalata
This is freeradius 1.1.1 with a Proxim/Orinoco AP700.  We're configured 
to use PEAP.  We seem to be hung up on the EAP start from the AP. 
Here's some log output.  Note the No EAP Start part, which I think 
tells us that the AP isn't relaying the EAP Start properly from the 
supplicant.


Any feedback from the gurus? (-:


rad_recv: Access-Request packet from host ***.***.***.***:6001, id=22, length=154
User-Name = testtwo
NAS-IP-Address = ***.***.***.***
Called-Station-Id = 00-20-a6-5d-9c-d1:ourtestssid
Calling-Station-Id = 00-20-a6-4c-16-7f
NAS-Identifier = ORiNOCO-AP-700-5d-9c-d1
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204000c017465737474776f
Message-Authenticator = 0x62af36a7da3b8f655c8a9cda6dba34eb
Wed May 31 13:50:59 2006 : Debug:   Processing the authorize section of radiusd.conf
Wed May 31 13:50:59 2006 : Debug: modcall: entering group authorize for request 3
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 3
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 3
Wed May 31 13:50:59 2006 : Debug:   modcall[authorize]: module preprocess returns ok for request 3
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 3
Wed May 31 13:50:59 2006 : Debug: rlm_realm: No '@' in User-Name = testtwo, looking up realm NULL
Wed May 31 13:50:59 2006 : Debug: rlm_realm: No such realm NULL
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 3
Wed May 31 13:50:59 2006 : Debug:   modcall[authorize]: module suffix returns noop for request 3
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 3
Wed May 31 13:50:59 2006 : Debug:   rlm_eap: EAP packet type response id 4 length 12
Wed May 31 13:50:59 2006 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 3
Wed May 31 13:50:59 2006 : Debug:   modcall[authorize]: module eap returns updated for request 3
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 3
Wed May 31 13:50:59 2006 : Debug: users: Matched entry testtwo at line 2
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 3
Wed May 31 13:50:59 2006 : Debug:   modcall[authorize]: module files returns ok for request 3
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 3
Wed May 31 13:50:59 2006 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 3
Wed May 31 13:50:59 2006 : Debug:   modcall[authorize]: module mschap returns noop for request 3
Wed May 31 13:50:59 2006 : Debug: modcall: leaving group authorize (returns updated) for request 3
Wed May 31 13:50:59 2006 : Debug:   rad_check_password:  Found Auth-Type Accept
Wed May 31 13:50:59 2006 : Debug:   rad_check_password: Auth-Type = Accept, accepting the user
Wed May 31 13:50:59 2006 : Auth: Login OK: [testtwo/no User-Password attribute] (from client testAP port 0 cli 00-20-a6-4c-16-7f)
Sending Access-Accept of id 22 to ***.***.***.*** port 6001
Wed May 31 13:50:59 2006 : Debug: Finished request 3
Wed May 31 13:50:59 2006 : Debug: Going to the next request
Wed May 31 13:50:59 2006 : Debug: --- Walking the entire request list ---
Wed May 31 13:50:59 2006 : Debug: Waking up in 6 seconds...
Wed May 31 13:51:05 2006 : Debug: --- Walking the entire request list ---
Wed May 31 13:51:05 2006 : Debug: Cleaning up request 3 ID 22 with timestamp 447dd783
Wed May 31 13:51:05 2006 : Debug: Nothing to do.  Sleeping until we see a request.




--

Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com


Re: EAP (PEAP) problems

2006-05-31 Thread Alan DeKok
Drew Linsalata [EMAIL PROTECTED] wrote:
> rad_recv: Access-Request packet from host ***.***.***.***:6001, id=22,
> length=154
>   User-Name = testtwo
...
>   EAP-Message = 0x0204000c017465737474776f
...
> Wed May 31 13:50:59 2006 : Debug:   rad_check_password:  Found Auth-Type
> Accept

  Why did you add Auth-Type = Accept to the server?  It's breaking EAP.

  Alan DeKok.
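An added example, not part of the thread: it decodes the EAP-Message values quoted in these posts and scans FreeRADIUS debug output for the pattern Alan points at, a request that carries an EAP-Message but is resolved by Auth-Type Accept before any EAP method has run. The sample log is constructed from the lines posted above (a documentation IP address replaces the masked one, and the second request is invented for contrast); the function names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method numbers relevant to this thread (IANA EAP registry).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: str | None  # Success/Failure packets carry no type byte
    data: bytes


def decode_eap(hex_value: str) -> EapPacket:
    """Decode one EAP packet as printed in an 'EAP-Message = 0x...' line."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes (code, id, 2-byte length)")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A long EAP packet is split over several EAP-Message attributes;
        # this decoder expects them already concatenated.
        raise ValueError(f"length field {length} != {len(raw)} bytes supplied")
    code = EAP_CODES.get(raw[0], f"unknown({raw[0]})")
    if raw[0] in (1, 2) and length > 4:
        eap_type = EAP_TYPES.get(raw[4], f"type {raw[4]}")
        data = raw[5:]
    else:
        eap_type, data = None, b""
    return EapPacket(code, raw[1], length, eap_type, data)


def find_eap_short_circuits(debug_log: str) -> list[dict]:
    """Return requests that carried EAP but were accepted via Auth-Type Accept."""
    findings = []
    # One block per received packet; FreeRADIUS 1.x starts each with rad_recv:
    for block in re.split(r"(?m)^(?=rad_recv: )", debug_log):
        if not block.startswith("rad_recv: "):
            continue
        request_eap = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", block)
        auth_type = re.search(r"Found Auth-Type\s+(\S+)", block)
        if not request_eap or not auth_type:
            continue
        if auth_type.group(1) == "Accept" and "Sending Access-Accept" in block:
            user = re.search(r'User-Name = "?([^"\n]+)"?', block)
            findings.append({
                "user": user.group(1) if user else None,
                "auth_type": auth_type.group(1),
                "request_eap": decode_eap(request_eap.group(1)),
            })
    return findings


# Constructed sample: first request abbreviated from the log in this thread,
# second request invented to show a normal EAP exchange for comparison.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10:6001, id=22, length=154
User-Name = testtwo
EAP-Message = 0x0204000c017465737474776f
Debug:   rlm_eap: EAP packet type response id 4 length 12
Debug:   rad_check_password:  Found Auth-Type Accept
Debug:   rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 22 to 192.0.2.10 port 6001
rad_recv: Access-Request packet from host 192.0.2.10:6001, id=23, length=154
User-Name = testone
EAP-Message = 0x0205000c01746573746f6e65
Debug:   rad_check_password:  Found Auth-Type EAP
Sending Access-Challenge of id 23 to 192.0.2.10 port 6001
EAP-Message = 0x010600061900
"""

if __name__ == "__main__":
    for hit in find_eap_short_circuits(SAMPLE_LOG):
        pkt = hit["request_eap"]
        print(f"{hit['user']}: accepted after EAP {pkt.code}/{pkt.eap_type} "
              f"(id {pkt.identifier}) with Auth-Type {hit['auth_type']}")
```

The flagged request was accepted after nothing more than an EAP Identity response, which matches the "Login OK: [testtwo/no User-Password attribute]" line in the posted log.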


PEAP problems, never see an Access-Accept

2006-02-02 Thread Jorgen Rosink
Had a hard time to even start FreeRadius on my Debian Unstable system
with a working PEAP module (yes, I'm aware of OpenSSL licences and
eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
currently using the 20060202-snapshot. With this version (also tried
20060130, same behaviour) I'm able to create PEAP enabled Debian
packages, after manually editing the pcap section in the main
Makefile.

The problem now is that I'm trying to authenticate a default WindowsXP
SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
520WL Access Point in 802.1x mode (latest firmware). Below my
FreeRadius startup and an attempt to authenticate, could someone please
point me in a direction what's going on, I've no clue what's wrong...

Also Google told me that the last line here isn't harmful :

rlm_eap_tls:  TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A



===

Starting - reading configuration files ...
read_config_files:  reading dictionary
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
  main: prefix = /usr
  main: localstatedir = /var
  main: logdir = /var/log/freeradius
  main: libdir = /usr/lib/freeradius
  main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
  main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
  main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
  main: pidfile = /var/run/freeradius/freeradius.pid
  main: user = freerad
  main: group = freerad
  main: checkrad = /usr/sbin/checkrad
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = daemon
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading realms
 main: port = 1812
  listen: type = auth
  listen: ipaddr = *
 listen: port = 0
 listen: type = acct
  listen: ipaddr = *
 listen: port = 0
  client: secret = VerySecret
  client: shortname = localhost
  client: nastype = other
  client: secret = VerySecret
  client: shortname = AccessPoint
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: input_pairs = request
 exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
 expiration: reply-message = Password Has Expired  
Module: Instantiated expiration (expiration)
Module: Loaded logintime
  logintime: reply-message = You are calling outside your allowed timespan  
  logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
 pap: encryption_scheme = auto
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = yes
  mschap: require_strong = yes
  mschap: with_ntdomain_hack = no
  mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: radwtmp = /var/log/freeradius/radwtmp
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = peap
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
  gtc: challenge = Password: 
  gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
  tls: rsa_key_exchange = no
  tls: dh_key_exchange = yes
  tls: rsa_key_length = 512
  tls: dh_key_length = 512
  tls: verify_depth = 0
  tls: pem_file_type = yes
  tls: private_key_file = /etc/freeradius/certs/example.key
  tls: certificate_file = /etc/freeradius/certs/example.crt
  tls: CA_file = /etc/ssl/certs/ca-example.pem
  tls: dh_file = /etc/freeradius/certs/example.dh
  tls: random_file = /dev/urandom
  tls: fragment_size = 1024
  tls: include_length = yes
  tls: check_crl = no
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
  peap: default_eap_type = mschapv2
  peap: copy_request_to_tunnel = no
  peap: use_tunneled_reply = no
  peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type 

Re: PEAP problems, never see an Access-Accept

2006-02-02 Thread Alan DeKok
Jorgen Rosink [EMAIL PROTECTED] wrote:
> Had a hard time to even start FreeRadius on my Debian Unstable system
> with a working PEAP module (yes, I'm aware of OpenSSL licences and
> eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
> currently using the 20060202-snapshot. With this version (also tried
> 20060130, same behaviour) I'm able to create PEAP enabled Debian
> packages, after manually editing the pcap section in the main
> Makefile.

  I'd suggest using 1.1.0, unless you're willing to work with an
unstable version of FreeRADIUS.

> The problem now is that I'm trying to authenticate a default WindowsXP
> SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
> 520WL Access Point in 802.1x mode (latest firmware). Below my
> FreeRadius startup and an attempt to authenticate, could someone please
> point me in a direction what's going on, I've no clue what's wrong...

  The symptom that Windows stops talking to the RADIUS server usually
means that the server certificate doesn't contain the magic windows
OID's.  See the scripts/ directory for samples of how to create certs
with the right stuff.

  Alan DeKok.



Re: PEAP problems, never see an Access-Accept

2006-02-02 Thread Jorgen Rosink
On 2/3/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Jorgen Rosink [EMAIL PROTECTED] wrote:
>> Had a hard time to even start FreeRadius on my Debian Unstable system
>> with a working PEAP module (yes, I'm aware of OpenSSL licences and
>> eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
>> currently using the 20060202-snapshot. With this version (also tried
>> 20060130, same behaviour) I'm able to create PEAP enabled Debian
>> packages, after manually editing the pcap section in the main
>> Makefile.
>
>   I'd suggest using 1.1.0, unless you're willing to work with an
> unstable version of FreeRADIUS.

I'd like to, but I'm unable to build working Debian packages with both
the official source 1.1.0 and the Debian upstream one (override
libssl-dev build conflict). The symlinks in my Freeradius libdir for
both eap_tls & eap_peap are invalid with this version (1.0.5 also
failed).
From what I understand this should be fixed in 1.1.0, but as mentioned
earlier, the latest snapshots are the only ones working here, with
PEAP that is.

>> The problem now is that I'm trying to authenticate a default WindowsXP
>> SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
>> 520WL Access Point in 802.1x mode (latest firmware). Below my
>> FreeRadius startup and an attempt to authenticate, could someone please
>> point me in a direction what's going on, I've no clue what's wrong...
>
>   The symptom that Windows stops talking to the RADIUS server usually
> means that the server certificate doesn't contain the magic windows
> OID's.  See the scripts/ directory for samples of how to create certs
> with the right stuff.

That did the trick, thank you very much!!!



FreeRADIUS with PEAP problems

2006-01-02 Thread Alhagie Puye
Hello all,

I am trying to configure FreeRADIUS with PEAP support.

Here are my specs:

OS: FreeBSD 5.4
OpenSSL: version 0.9.7d
FreeRADIUS: 1.0.5

I have tested the configuration with EAP/TLS and it works just fine
however, when I change default_eap_type = tls to default_eap_type =
peap in the eap.conf file, I'm getting

Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/freebsd.puyenet.com.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/freebsd.puyenet.com.pem
 tls: CA_file = /usr/local/etc/raddb/certs/root.pem
 tls: private_key_password = 
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
rlm_eap: No such sub-type for default EAP type peap
Bus error (core dumped)
bash-2.05b#

I have found this article from 2004
(http://lists.freeradius.org/pipermail/freeradius-users/2004-October/036946.html).
I'm not sure if this applies to me.

Any help is greatly appreciated

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817 


This message (including any attachments) is confidential, may be privileged and 
is only intended for the person to whom it is addressed.  If you have received 
it by mistake please notify the sender by return e-mail and delete this message 
from your system.  Any unauthorized use or dissemination of this message in 
whole or in part is strictly prohibited.  E-mail communications are inherently 
vulnerable to interception by unauthorized parties and are susceptible to 
change.  We will use alternate communication means upon request.



Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Zoltan A. Ori
On Monday 02 January 2006 06:32, Alhagie Puye wrote:

> rlm_eap: Loaded and initialized type tls
> rlm_eap: No such sub-type for default EAP type peap
> Bus error (core dumped)
> bash-2.05b#

Do you have

peap {
    default_eap_type = mschapv2
}

in your eap.conf?


Zoltan Ori



RE: FreeRADIUS with PEAP problems

2006-01-02 Thread Alhagie Puye


Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Zoltan A. Ori
> Sent: January 2, 2006 3:58 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS with PEAP problems
>
> On Monday 02 January 2006 06:32, Alhagie Puye wrote:
>
>> rlm_eap: Loaded and initialized type tls
>> rlm_eap: No such sub-type for default EAP type peap
>> Bus error (core dumped)
>> bash-2.05b#
>
> Do you have
>
>  peap {
>      default_eap_type = mschapv2
>  }
>
> in your eap.conf?

Yes, I do.

> Zoltan Ori


Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Zoltan A. Ori
On Monday 02 January 2006 07:34, Alhagie Puye wrote:
>> Do you have
>>
>>  peap {
>>      default_eap_type = mschapv2
>>  }
>>
>> in your eap.conf?
>
> Yes, I do.

And, was MSCHAP instantiated? 

A complete debug output might help since the problem may begin elsewhere and 
only manifest itself as an error when dependencies are required.

Zoltan Ori




Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Zoltan A. Ori
On Monday 02 January 2006 07:34, Alhagie Puye wrote:
> rlm_eap: No such sub-type for default EAP type peap
> Bus error (core dumped)
> bash-2.05b#

I take it all back. It shouldn't have dumped core. I looked right over that.

Zoltan Ori



RE: FreeRADIUS with PEAP problems

2006-01-02 Thread Alhagie Puye
I went ahead and recompiled from source and also used the --disable-shared options.

It is not core-dumping but PEAP is still failing though

Here is a complete debug output as you requested:

freebsd# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "orion.puyenet.com"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=administrator,ou=users,dc=ad,dc=puyenet,dc=com"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = ""
ldap: basedn = "DC=ad,DC=puyenet,DC=com"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "M4a8ccarthy6"
ldap: access_attr = "dialupAccess"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags ma

Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Alan DeKok
Alhagie Puye [EMAIL PROTECTED] wrote:
> rlm_eap: Loaded and initialized type tls
> rlm_eap: No such sub-type for default EAP type peap

  Try reading eap.conf, and uncommenting the peap section.

  I'm not sure how to make that error message more descriptive, or
update the comments in eap.conf so that people will *read* them.

  Alan DEKok.




RE: FreeRADIUS with PEAP problems

2006-01-02 Thread Alhagie Puye
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Mon 1/2/2006 2:28 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems

Thanks Alan for the reply. The "peap" section was already uncommented.

Here is exactly what my eap.conf file looks like (I have removed
every line that is commented)

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }
}

Thanks,
Alhagie.


Re: FreeRADIUS with PEAP problems

2006-01-02 Thread Alan DeKok
Alhagie Puye [EMAIL PROTECTED] wrote:
> Here is exactly what my eap.conf file looks like (I have removed every
> line that is commented)
...
>  tls {
...
>   peap {
>  default_eap_type = mschapv2
>  }

  <sigh> So you didn't just uncomment the peap section.  You edited
& re-arranged it.  Your edits broke it.

  There's a simple solution: read the stock eap.conf again.  Follow
its layout.  It WORKS.

  Alan DeKok.


RE: FreeRADIUS with PEAP problems

2006-01-02 Thread Alhagie Puye
From: [EMAIL PROTECTED] on behalf of Alhagie Puye
Sent: Mon 1/2/2006 3:43 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS with PEAP problems

From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Mon 1/2/2006 2:28 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems

Ok, I found what the problem is... thanks to Zoltan.
The last "}" should have been before the "peap" section. I had accidentally
placed the "peap" section inside the "tls" section.
I have changed the eap.conf file to look like this now and it works fine.

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}

Thanks everybody that gave me a hand.
Alhagie.


Thanks Alan for the reply. The "peap" section was already 
uncommented.

Here is exactly what my eap.conf file looks like (I have removed 
every line that is commented)

 eap 
{ 
default_eap_type = 
peap 
timer_expire = 
60 
ignore_unknown_eap_types = 
no 
cisco_accounting_username_bug = 
no 
tls 
{ 
private_key_password = 
whatever 
private_key_file = 
${raddbdir}/certs/freebsd.puyenet.com.pem 
certificate_file = 
${raddbdir}/certs/freebsd.puyenet.com.pem 
CA_file = 
${raddbdir}/certs/root.pem 
dh_file = 
${raddbdir}/certs/dh 
random_file = 
${raddbdir}/certs/random 
peap 
{ 
default_eap_type = 
mschapv2 
} 
mschapv2 
{ 
} }}

Thanks,
Alhagie.

"Alhagie Puye" [EMAIL PROTECTED] wrote: 
rlm_eap: Loaded and initialized type tls rlm_eap: No such sub-type for 
default EAP type peap Try reading eap.conf, and uncommenting the 
"peap" section. I'm not sure how to make that 
error message more descriptive, orupdate the comments in eap.conf so that 
people will *read* them. Alan DEKok.
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

This message (including any attachments) is confidential, may be privileged 
and is only intended for the person to whom it is addressed. If you have 
received it by mistake please notify the sender by return e-mail and delete this 
message from your system. Any unauthorized use or dissemination of this message 
in whole or in part is strictly prohibited. E-mail communications are inherently 
vulnerable to interception by unauthorized parties and are susceptible to 
change. We will use alternate communication means upon 
request.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
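
An added example (not from the thread or the FreeRADIUS project): a small checker that parses abridged copies of the two eap.conf versions posted above and reports EAP-type sections nested inside another section, the mistake behind "No such sub-type for default EAP type peap". The parser is a simplified reading of the config syntax, and the EAP_TYPES list and function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Sub-section names treated as EAP types: an assumed list, taken from the
# section names that appear in this thread.
EAP_TYPES = {"md5", "tls", "ttls", "peap", "mschapv2"}

# "${raddbdir}" is a variable reference; its braces must not open or close
# a block, so a word token swallows ${...} whole.
TOKEN = re.compile(r'"[^"]*"|[{}=]|(?:\$\{[^}]*\}|[^\s{}="])+')

@dataclass
class Section:
    name: str
    items: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

def parse(text):
    """Parse 'name { key = value ... }' blocks into a Section tree."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = TOKEN.findall(body)
    root = Section("<root>")
    stack, pending, i = [root], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            if not pending:
                raise ValueError("'{' without a section name")
            sec = Section(pending[0])
            stack[-1].children.append(sec)
            stack.append(sec)
            pending = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unmatched '}'")
            stack.pop()
            pending = []
        elif tok == "=":
            if not pending or i + 1 >= len(tokens):
                raise ValueError("dangling '='")
            stack[-1].items[pending[-1]] = tokens[i + 1].strip('"')
            pending = []
            i += 1
        else:
            pending.append(tok)
        i += 1
    if len(stack) != 1:
        raise ValueError(f"section '{stack[-1].name}' is never closed")
    return root

def walk(section, path):
    # Yield every descendant together with the path of its parent.
    for child in section.children:
        yield child, path
        yield from walk(child, f"{path}/{child.name}")

def audit_eap(text):
    """Return findings: (type, parent_path) for each EAP-type section that
    is not directly under eap {}, plus ("default_eap_type", name) when the
    default type has no section of its own directly under eap {}."""
    root = parse(text)
    eap = next((s for s in root.children if s.name == "eap"), None)
    if eap is None:
        raise ValueError("no eap {} section")
    findings = [(sec.name, parent) for sec, parent in walk(eap, "eap")
                if sec.name in EAP_TYPES and parent != "eap"]
    default = eap.items.get("default_eap_type")
    if default is not None and default not in {c.name for c in eap.children}:
        findings.append(("default_eap_type", default))
    return findings

# Abridged from the two configs posted in this message (same brace layout).
BROKEN = """
eap {
    default_eap_type = peap
    tls {
        random_file = ${raddbdir}/certs/random
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    } }}
"""
FIXED = """
eap {
    default_eap_type = peap
    tls {
        random_file = ${raddbdir}/certs/random
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""

if __name__ == "__main__":
    print("broken:", audit_eap(BROKEN))
    print("fixed: ", audit_eap(FIXED))
```

Both files have balanced braces, so a brace count alone would not catch the difference; only the nesting does.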

RE: FreeRADIUS with PEAP problems

2006-01-02 Thread Alhagie Puye
 



From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Mon 1/2/2006 5:57 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems 



Alhagie Puye [EMAIL PROTECTED] wrote:
 Here is exactly what my eap.conf file looks like (I have removed every
 line that is commented)
...
 tls {
...
  peap {
 default_eap_type = mschapv2
 }

  sigh So you didn't just uncomment the peap section.  You edited &
 re-arranged it.  Your edits broke it.

Yes, I did... the re-arranging part was completely unintentional. My 
apologies... :-(

  There's a simple solution: read the stock eap.conf again.  Follow
its layout.  It WORKS.

Yes, you are absolutely right. It DOES work. 

Thanks for all your help

Alhagie





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: peap problems

2005-01-27 Thread ealatalo
Quoting Michael Griego [EMAIL PROTECTED]:

 I'm guessing you're using the Windows XP supplicant?  This looks like a 
 classic case of your CA certificate not being present on the client machine.
 
 --Mike
 
 ---
 Michael Griego
 Wireless LAN Project Manager
 The University of Texas at Dallas

Hi.

Yes, I use WinXP(sp2) supplicant and access point is Intel 2011B.
I create new certificates. Then I copy root.der and client-crt.p12 files to
supplicant. Windows shows that certificates are ok and using to remote client
identity. (I trying tls method too). Now, in authentication process, I found
following error line.


rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 03a8], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0044], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13


The next lines tell how I create certificates.


Server certificate***

openssl genrsa -des3 -out server-key.pem 2048

openssl req -new -key server-key.pem -out server-csr.pem

openssl req -in server-csr.pem -out server-crt.pem -key server-key.pem -x509 -days 3652

openssl ca -in server-csr.pem -out server-crt.pem -days 3652 -policy policy_anything


root certificate**

cp server-crt.pem root.pem

openssl x509 -in root.pem -inform PEM -out root.der -outform DER


client certificate**

openssl genrsa -des3 -out client-key.pem 2048

openssl req -new -key client-key.pem -out client-csr.pem

openssl ca -in client-csr.pem -out client-crt.pem -days 125 -extensions xpclient_ext -extfile xpextensions -policy policy_anything

openssl pkcs12 -export -in client-crt.pem -inkey client-key.pem -name "Radius Suse" -certfile client-crt.pem -out client.p12

openssl x509 -inform PEM -outform DER -in client-crt.pem -out client-clt.der







  

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: peap problems

2005-01-25 Thread Michael Griego
I'm guessing you're using the Windows XP supplicant?  This looks like a 
classic case of your CA certificate not being present on the client machine.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

ealatalo wrote:
Quoting Jacques VUVANT [EMAIL PROTECTED]:

Hello T
It seems that the user doesn't exist on users.conf
Jacques

Problem was that I was changed detail NT_Domain_hack = yes. Now I change it back
to no and that problem solved. But now I get new following problem. :( 

Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1117, id=92, length=141
User-Name = TWIRE12\\jaskajok
NAS-IP-Address = 10.50.50.13
Called-Station-Id = 00034715cbc3
Calling-Station-Id = 00022d1d5cb1
NAS-Identifier = WARLORD1
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x08a61ed2a9cfdf1b75fddc6da963f23a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = TWIRE12\jaskajok, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched DEFAULT at 156
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 92 to 10.50.50.13:1117
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xe6b4b0ad3e594db130de344878b1cd7c
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 92 with timestamp 41f6af2e
Nothing to do.  Sleeping until we see a request.

part of eap.conf
default_eap_type = peap
...
tls {
private_key_password = arvaatko
private_key_file = ${raddbdir}/varmenteet/palvelin-key.pem
#  If Private key & Certificate are located in
#  the same file, then private_key_file &
#  certificate_file must contain the same file
#  name.
certificate_file = ${raddbdir}/varmenteet/palvelin-crt.pem
#  Trusted Root CA list
CA_file = ${raddbdir}/varmenteet/CA-crt.pem
dh_file = ${raddbdir}/varmenteet/certs/dh
random_file = ${raddbdir}/varmenteet/certs/random
...
peap {
default_eap_type = mschapv2
}
**
part of users
jaskajok    User-Password == Reititys2
Framed-IP-Address = 10.50.50.12,
Framed-IP-Netmask = 255.255.255.0
***
radiusd.conf -no changes made
***

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
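
As an added example (not from the thread or the FreeRADIUS source), this decodes the EAP-Message values quoted in the debug logs in this archive, so a line such as "rlm_eap: EAP packet type response id 1 length 21" can be checked against the bytes. It assumes the attribute holds one whole EAP packet (a packet split across several EAP-Message attributes must be concatenated first); the code, type and flag tables are abridged, and the function names are chosen for this example.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
             33: "EAP-TLV"}
TLS_BASED = {13, 21, 25}           # types that carry a flags byte + TLS data
VERSIONED = {21, 25}               # low flag bits hold a version for these
FLAG_BITS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}


def tls_records(buf):
    """List (content_type, version, length) for each TLS record header."""
    records = []
    while len(buf) >= 5:
        ctype, version, rlen = struct.unpack("!BHH", buf[:5])
        records.append((TLS_CONTENT.get(ctype, f"unknown({ctype})"),
                        f"0x{version:04x}", rlen))
        buf = buf[5 + rlen:]       # a truncated record simply ends the loop
    return records


def decode_eap(hexstr):
    """Decode one EAP packet given as the hex string printed in the log."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (3, 4):             # Success / Failure carry no type field
        return out
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    etype, data = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
    if etype == 1:
        # Identity: the rest of the packet is the name the client claims.
        out["identity"] = data.decode("utf-8", "replace")
    elif etype in TLS_BASED and data:
        flags, rest = data[0], data[1:]
        out["flags"] = [name for bit, name in FLAG_BITS if flags & bit]
        if etype in VERSIONED:
            out["version"] = flags & 0x07
        if flags & 0x80:           # L bit: 4-byte total TLS message length
            if len(rest) < 4:
                raise ValueError("L flag set but no TLS message length")
            out["tls_message_length"] = struct.unpack("!I", rest[:4])[0]
            rest = rest[4:]
        out["tls_records"] = tls_records(rest)
    return out


# EAP-Message values copied from the logs in this archive.
IDENTITY = "0x0201001501545749524531325c6a61736b616a6f6b"
CHALLENGE = "0x010200061920"
TUNNELED = ("0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb"
            "243b14f91f0c1df86a")

if __name__ == "__main__":
    for sample in (IDENTITY, CHALLENGE, TUNNELED):
        print(decode_eap(sample))
```

The first value is the EAP-Identity response carrying the name, the second is a type 25 (PEAP) request with the Start flag, and the third is a PEAP response whose payload is a single TLS application-data record, so nothing inside it is readable without the tunnel keys.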


peap problems

2005-01-24 Thread ealatalo

Hi!

I'm trying to configure freeradius with peap authentication. I use winxp for
client. When starting authentication, I get following error. Can somebody help
me and tell what is going wrong. I had made changes radius.conf, eap.conf,
users and clients.conf files. Should I make changes huntsgroup file?

T.ea


Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
User-Name = TWIRE12\\jaskajok
NAS-IP-Address = 10.50.50.13
Called-Station-Id = 00034715cbc3
Calling-Station-Id = 00022d1d5cb1
NAS-Identifier = WARLORD1
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched jaskajok at 97
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: peap problems

2005-01-24 Thread ealatalo
 
 Hi!
 
 I'm trying to configure freeradius with peap authentication. I use winxp for
 client. When starting authentication, I get following error. Can somebody
 help
 me and tell what is going wrong. I had made changes radius.conf, eap.conf,
 users and clients.conf files. Should I make changes huntsgroup file?
  (freeradius 1.0.0  Suse 9.2)
 
 T.ea
 
 
 Ready to process requests.
 rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21,
 length=141
 User-Name = TWIRE12\\jaskajok
 NAS-IP-Address = 10.50.50.13
 Called-Station-Id = 00034715cbc3
 Calling-Station-Id = 00022d1d5cb1
 NAS-Identifier = WARLORD1
 NAS-Port = 29
 Framed-MTU = 1300
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
 Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 21
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 users: Matched jaskajok at 97
   modcall[authorize]: module files returns ok for request 0
 modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_eap: Identity does not match User-Name, setting from EAP Identity.
   rlm_eap: Failed in handler
   modcall[authenticate]: module eap returns invalid for request 0
 modcall: group authenticate returns invalid for request 0
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 


  (freeradius 1.0.0  Suse 9.2)


  I have a following line in users file. (I don't have users.conf file..?)
  


#John Doe Auth-Type := Local, User-Password == hello
#   Reply-Message = Hello, %u

jaskajok    User-Password == Reititys3

#
# Dial user back and telnet to the default host for that port
 




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-PEAP Problems: module eap returns invalid for request 8 and auth: Failed to validate the user.

2004-02-18 Thread José Luis Solano




Hi all!!!


I use: freeradius-snapshot-20040216, 
openssl.0.9.7c, pcmcia card cisco and D-Link access point, XP 
client

I would like to run PEAP but freeradius show me the 
following error. Please, look my authenticate and authorize 
modules!!!


any idea??


thanks in advance!!!



freeradius logs
--
S-IP-Address = 192.168.49.252
NAS-Port = 0
Called-Station-Id = "00-80-C8-01-01-55"
Calling-Station-Id = "00-0B-46-26-1C-44"
NAS-Identifier = "DWL-1000AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a
State = 0x112e15244708c595cec067388e416f35
Message-Authenticator = 0x4f0281d0e0d358ca365c0b2ca66be681
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
rlm_realm: No '@' in User-Name = "1119", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...


radiusd.conf
-
modules {
 #
 #  Each module has a configuration as follows:
 #
 # name [ instance ] {
 #  config_item = value
 #  ...
 # }
 #
 #  The 'name' is used to load the 'rlm_name' library
 #  which implements the functionality of the module.
 #
 #  The 'instance' is optional.  To have two different instances
 #  of a module, it first must be referred to by 'name'.
 #  The different copies of the module are then created by
 #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
 #
 #  The instance names can then be used in later configuration
 #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
 #  below for an example.
 #

 # PAP module to authenticate users based on their stored password
 #
 #  Supports multiple encryption schemes
 #  clear: Clear text
 #  crypt: Unix crypt
 #  md5: MD5 ecnryption
 #  sha1: SHA1 encryption.
 #  DEFAULT: crypt
 pap {
  encryption_scheme = crypt
 }

 # CHAP module
 #
 #  To authenticate requests containing a CHAP-Password attribute.
 #
 chap {
  authtype = CHAP
 }

 # Pluggable Authentication Modules
 #
 #  For Linux, see:
 # http://www.kernel.org/pub/linux/libs/pam/index.html
 #
 #  WARNING: On many systems, the system PAM libraries have
 #  memory leaks!  We STRONGLY SUGGEST that you do not
 #  use PAM for authentication, due to those memory leaks.
 #
 pam {
  #
  #  The name to use for PAM authentication.
  #  PAM looks in /etc/pam.d/${pam_auth_name}
  #  for it's configuration.  See 'redhat/radiusd-pam'
  #  for a sample PAM configuration file.
  #
  #  Note that any Pam-Auth attribute set in the 'authorize'
  #  section will over-ride this one.
  #
  pam_auth = radiusd
 }

 # Unix /etc/passwd style authentication
 #
 unix {
  #
  #  Cache /etc/passwd, /etc/shadow, and /etc/group
  #
  #  The default is to NOT cache them.
  #
  #  For FreeBSD, you do NOT want to enable the cache,
  #  as it's password lookups are done via a database, so
  #  set this value to 'no'.
  #
  #  Some systems (e.g. RedHat Linux with pam_pwbd) can
  #  take *seconds* to check a password, from a passwd
  #  file containing 1000's of entries.  For those systems,
  #  you should set the cache value to 'yes', and set
  #  the locations of the 'passwd', 'shadow', and 'group'
  #  files, below.
  #
  # allowed values: {no, yes}
  cache = no

  # Reload the cache every 600 seconds (10mins). 0 to disable.
  cache_reload = 600

  #
  #  Define the locations of the normal passwd, shadow, and
  #  group files.
  #
  #  'shadow' is commented out by default, because not all
  #  systems have shadow passwords.
  #
  #  To force the module to use the system password functions,
  #  instead of reading the files, leave the following entries
  #  commented out.
  #
  #  This is required for

Re: EAP-PEAP Problems: module eap returns invalid for request 8 and auth: Failed to validate the user.

2004-02-18 Thread Michael Griego
Jose,

You've sent quite a bit of information to the list, but it's been pretty
much useless...  The portion of the log that you are sending does not
include the *reason* that the authentication is failing.  Please post
the entire portion of the log for this request (or put it on a website
somewhere and post the link to the list).  This will aid in finding out
where the problem lies.

--Mike



On Wed, 2004-02-18 at 09:23, José Luis Solano wrote:
  
 Hi alll !!!
  
  
 I use: freeradius-snapshot-20040216, openssl.0.9.7c, pcmcia card cisco
 and D-Link access point, XP client
  
 I would like to run PEAP but freeradius show me the following error.
 Please, look my authenticate and authorize modules!!!
  
  
 any idea??
  
  
 thanks in advance!!!
  
  
  
 freeradius logs
 --
 S-IP-Address = 192.168.49.252
 NAS-Port = 0
 Called-Station-Id = 00-80-C8-01-01-55
 Calling-Station-Id = 00-0B-46-26-1C-44
 NAS-Identifier = DWL-1000AP+
 Framed-MTU = 1380
 NAS-Port-Type = Wireless-802.11
 EAP-Message =
 0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a
 State = 0x112e15244708c595cec067388e416f35
 Message-Authenticator = 0x4f0281d0e0d358ca365c0b2ca66be681
 modcall: entering group authorize for request 8
   modcall[authorize]: module preprocess returns ok for request 8
   modcall[authorize]: module chap returns noop for request 8
   rlm_eap: EAP packet type response id 9 length 38
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 8
 rlm_realm: No '@' in User-Name = 1119, looking up realm
 NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 8
 users: Matched DEFAULT at 154
   modcall[authorize]: module files returns ok for request 8
   modcall[authorize]: module mschap returns noop for request 8
 modcall: group authorize returns updated for request 8
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate for request 8
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Proceeding to decode tunneled
 attributes.
  
   rlm_eap_peap: Received EAP-TLV response.
   rlm_eap_peap: Tunneled data is valid.
   rlm_eap_peap:  Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 8
 modcall: group authenticate returns invalid for request 8
 auth: Failed to validate the user.
 Delaying request 8 for 1 seconds
 Finished request 8
 Going to the next request
 Waking up in 6 seconds...
  
  
 radiusd.conf
 -
 modules {
  #
  #  Each module has a configuration as follows:
  #
  # name [ instance ] {
  #  config_item = value
  #  ...
  # }
  #
  #  The 'name' is used to load the 'rlm_name' library
  #  which implements the functionality of the module.
  #
  #  The 'instance' is optional.  To have two different instances
  #  of a module, it first must be referred to by 'name'.
  #  The different copies of the module are then created by
  #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
  #
  #  The instance names can then be used in later configuration
  #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
  #  below for an example.
  #
  
  # PAP module to authenticate users based on their stored password
  #
  #  Supports multiple encryption schemes
  #  clear: Clear text
  #  crypt: Unix crypt
  #md5: MD5 ecnryption
  #   sha1: SHA1 encryption.
  #  DEFAULT: crypt
  pap {
   encryption_scheme = crypt
  }
  
  # CHAP module
  #
  #  To authenticate requests containing a CHAP-Password attribute.
  #
  chap {
   authtype = CHAP
  }
  
  # Pluggable Authentication Modules
  #
  #  For Linux, see:
  # http://www.kernel.org/pub/linux/libs/pam/index.html
  #
  #  WARNING: On many systems, the system PAM libraries have
  #   memory leaks!  We STRONGLY SUGGEST that you do not
  # use PAM for authentication, due to those memory leaks.
  #
  pam {
   #
   #  The name to use for PAM authentication.
   #  PAM looks in /etc/pam.d/${pam_auth_name}
   #  for it's configuration.  See 'redhat/radiusd-pam'
   #  for a sample PAM configuration file.
   #
   #  Note that any Pam-Auth attribute set in the 'authorize'
   #  section will over-ride this one.
   #
   pam_auth = radiusd
  }
  
  # Unix /etc/passwd style authentication
  #
  unix {
   #
   #  Cache /etc/passwd, /etc/shadow, and /etc/group
   #
   #  The default is to NOT cache them.
   #
   #  

Re: EAP-PEAP Problems: module eap returns invalid for request8 and auth: Failed to validate the user.

2004-02-18 Thread Michael Griego
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
 modcall: entering group Auth-Type for request 7
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: No LM-Password or NT-Password attribute found.  Cannot
 perform MS-CHAP authentication.
   modcall[authenticate]: module mschap returns fail for request 7


As suspected, above is the block in the log you should be paying
attention to.  You haven't configured a password for your tunneled
user.  Give the entry for this user a cleartext User-Password attribute,
and it should work.

-- 

--Mike
 
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP Problems

2004-02-11 Thread Alan DeKok
Lionel Gavage [EMAIL PROTECTED] wrote:
 even with this option, the problem is always present!
 
 an idea ?

  shrug  Buy a better client?

  The tunneled session MUST include an EAP-Identity packet, which is
where the user name comes from.  If the client doesn't send it, don't
complain that FreeRADIUS is broken.  Fix the client.

  The user name is REQUIRED for MS-CHAP, which is what PEAP uses
inside of the TLS tunnel.  Any client that doesn't send a user name is
broken.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP Problems

2004-02-09 Thread Alan DeKok
Lionel Gavage [EMAIL PROTECTED] wrote:
 I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
 I try to set up PEAP/MS-CHAPv2 but i've the error rlm_mschap: We require a
 User-Name for MS-CHAPv2.
 However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set copy_request_to_tunnel = yes in the PEAP module.  That
should help.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan
DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Lionel Gavage [EMAIL PROTECTED] wrote:
 I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
 I try to set up PEAP/MS-CHAPv2 but i've the error rlm_mschap: We require
a
 User-Name for MS-CHAPv2.
 However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set copy_request_to_tunnel = yes in the PEAP module.  That
should help.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
   default_eap_type = tls !!
   timer_expire = 60

#md5 {
#}

tls {
private_key_password = izadisan
private_key_file =
/usr/local/openssl/ssl/certs/server/server.pem
certificate_file =
/usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 600
include_length = yes
}

ttls {
default_eap_type = md5
!
 use_tunneled_reply = no
}
}

is it correct

My freeRADIUS is 0.8.1, TTLS runs with this version?
For default_eap_type is possible md5 value only?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems



 Activated the TTLS module:

 ttls {
 default_eap_type = md5
 use_tunneled_reply = no
 }

 and it's all.


 Lionel Gavage

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On behalf of José
 Luis Solano
 Sent: Monday, 9 February 2004 17:03
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius PEAP Problems


 Hi Lionel!!


 I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
 one, TLS run OK, but TTLS and PEAP don't run OK. My first target now is
run
 TTLS and I will run PEAP after. So, can you help me please?. Currently, my
 radiusd.conf is:

 
  # Extensible Authentication Protocol
 #
 #  For all EAP related authentications
 eap {
 # Invoke the default supported EAP type when
 # EAP-Identity response is received
 default_eap_type = tls

 # Default expiry time to clean the EAP list,
 # It is maintained to co-relate the
 # EAP-response for each EAP-request sent.
 timer_expire = 60

 # Supported EAP-types
 #md5 {
 #}

 ## EAP-TLS is highly experimental EAP-Type at the moment.
 #   Please give feedback on the mailing list.
 tls {
 private_key_password = izadisan
 private_key_file =
 /usr/local/openssl/ssl/certs/server/server.pem

 #   If Private key & Certificate are located in the
 #   same file, then private_key_file & certificate_file
 #   must contain the same file name.
 certificate_file =
 /usr/local/openssl/ssl/certs/server/server.pem

 #   Trusted Root CA list
 CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

 dh_file = /usr/local/openssl/ssl/certs/dh
 random_file = /usr/local/openssl/ssl/certs/random
 #
 #   This can never exceed MAX_RADIUS_LEN (4096)
 #   preferably half the MAX_RADIUS_LEN, to
 #   accomodate other attributes in RADIUS packet.
 #   On most APs the MAX packet length is configured
 #   between 1500 - 1600. In these cases, fragment
 #   size should be = 1024.
 #
 fragment_size = 600

 #   include_length is a flag which is by default set
to
 yes
 #   If set to yes, Total Length of the message is
 included
 #   in EVERY packet we send.
 #   If set to no, Total Length of the message is
 included
 #   ONLY in the First packet of a fragment series.
 #
 include_length = yes
 }
 }
 --

 What changes I need to use TTLS?



 Thanks in advance Lionel!!!



 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060
 - Original Message -
 From: Lionel Gavage [EMAIL PROTECTED]
 To: freeradius-users [EMAIL PROTECTED]
 Sent: Monday, February 09, 2004 4:23 PM
 Subject: Freeradius PEAP Problems


  Hi,
 
  I

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

I use a freeradius snapshot because TTLS isn't in rpm package.
You must have the TLS module to use TTLS module.

The directive default_eap_type (in EAP module) must be fixed at tls.
It's right
And the default_eap_type (in TTLS module) to md5. It's right too.

I can send my config file to you if u want.

Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of José
Luis Solano
Sent: Monday, 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems



Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
   default_eap_type = tls !!
   timer_expire = 60

#md5 {
#}

tls {
private_key_password = izadisan
private_key_file =
/usr/local/openssl/ssl/certs/server/server.pem
certificate_file =
/usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 600
include_length = yes
}

ttls {
default_eap_type = md5
!
 use_tunneled_reply = no
}
}

is it correct

My freeRADIUS is 0.8.1, TTLS runs with this version?
For default_eap_type is possible md5 value only?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems



 Activated the TTLS module:

 ttls {
 default_eap_type = md5
 use_tunneled_reply = no
 }

 and it's all.


 Lionel Gavage

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On behalf of José
 Luis Solano
 Sent: Monday, 9 February 2004 17:03
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius PEAP Problems


 Hi Lionel!!


 I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
 one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to
 run TTLS and I will run PEAP after. So, can you help me please? Currently, my
 radiusd.conf is:

 
 # Extensible Authentication Protocol
 #
 #  For all EAP related authentications
 eap {
     # Invoke the default supported EAP type when
     # EAP-Identity response is received
     default_eap_type = tls

     # Default expiry time to clean the EAP list,
     # It is maintained to co-relate the
     # EAP-response for each EAP-request sent.
     timer_expire = 60

     # Supported EAP-types
     #md5 {
     #}

     ## EAP-TLS is highly experimental EAP-Type at the moment.
     #   Please give feedback on the mailing list.
     tls {
         private_key_password = izadisan
         private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

         #   If Private key & Certificate are located in the
         #   same file, then private_key_file & certificate_file
         #   must contain the same file name.
         certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

         #   Trusted Root CA list
         CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

         dh_file = /usr/local/openssl/ssl/certs/dh
         random_file = /usr/local/openssl/ssl/certs/random
         #
         #   This can never exceed MAX_RADIUS_LEN (4096)
         #   preferably half the MAX_RADIUS_LEN, to
         #   accommodate other attributes in RADIUS packet.
         #   On most APs the MAX packet length is configured
         #   between 1500 - 1600. In these cases, fragment
         #   size should be <= 1024.
         #
         fragment_size = 600

         #   include_length is a flag which is by default set to yes
         #   If set to yes, Total Length of the message is included
         #   in EVERY packet we send.
         #   If set to no, Total Length of the message is included
         #   ONLY in the First packet

Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Hi again and sorry if I ask you a lot!!


If you want to send me your radiusd.conf, it will be very good for me. So,
please send me your file if it's possible.


See you later!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Sorry it doesn't work :(


Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Lionel Gavage
Sent: Monday, 9 February 2004 17:48
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


Okay, thanks Alan, I found it thanks to you.

I added copy_request_to_tunnel = yes in the PEAP module and changed
default_eap_type = peap in the EAP module to default_eap_type = tls

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]  Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Lionel Gavage
Sent: Monday, 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems



I specified: default_eap_type = peap in the EAP module ...

Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Lionel Gavage
Sent: Monday, 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


Even with this option, the problem is always present!

An idea?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Lionel Gavage [EMAIL PROTECTED] wrote:
 I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
 I try to set up PEAP/MS-CHAPv2 but I've the error rlm_mschap: We require a
 User-Name for MS-CHAPv2.
 However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

  You can set copy_request_to_tunnel = yes in the PEAP module.  That should help.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
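
A small lint for the eap{} section discussed in this thread, as an added example (not code from the posters or from FreeRADIUS). It encodes the two points made in the replies (TTLS needs the TLS section; PEAP may need copy_request_to_tunnel = yes) and assumes that a default_eap_type, outer or inner, has to name an enabled sub-section; `parse`, `lint_eap` and the sample are hypothetical and constructed.

```python
# Constructed sample modelled on the eap{} section posted in the thread (trimmed).
SAMPLE = """
eap {
    default_eap_type = tls
    #md5 {
    #}
    tls {
        private_key_password = PLACEHOLDER
    }
    ttls {
        default_eap_type = md5
    }
}
"""

def parse(text):
    """Turn 'name { ... }' blocks and 'key = value' lines into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out block is disabled
        if line.endswith("{"):
            block = stack[-1][line[:-1].strip()] = {}
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]

def lint_eap(text):
    """Return a list of findings for the eap{} section (hypothetical helper)."""
    eap = parse(text).get("eap", {})
    enabled = {name for name, value in eap.items() if isinstance(value, dict)}
    findings = []
    outer = eap.get("default_eap_type")
    if outer and outer not in enabled:
        findings.append(f"eap: default_eap_type '{outer}' is not enabled")
    for tunnel in sorted(enabled & {"ttls", "peap"}):
        if "tls" not in enabled:
            findings.append(f"{tunnel}: needs the tls section")
        inner = eap[tunnel].get("default_eap_type")
        if inner and inner not in enabled:  # assumption, see lead-in
            findings.append(f"{tunnel}: inner type '{inner}' is not enabled")
    if "peap" in enabled and eap["peap"].get("copy_request_to_tunnel") != "yes":
        findings.append("peap: copy_request_to_tunnel is not yes")
    return findings
```

On the sample, the only finding is that the tunneled default type md5 has its section commented out; uncommenting `md5 { }` clears it.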