Re: WPA Peap problems with Vista (yet again)
Michael Torrie wrote:
> Yet I still have the problem where after the Access-Challenge is sent, the Vista clients just silently drop things and the connection fails. This is the behavior that I know I would get if I don't have the required OID in the certificate. Yet it is there! I ran 'openssl x509 -in /path/to/cert.crt -noout -text' and it shows the extended usage as I'd expect. For some reason openssl calls it TLS Web Server Authentication.

  That's the right one.

> Any ideas? Debug output is:

  Pretty standard.

> Any ideas on how to better debug and fix this major problem for me?

  Ask Vista why it's not authenticating... there isn't much else you can do on the RADIUS server to debug the problem.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WPA Peap problems with Vista (yet again)
I've read through the list archives about people's problems with Vista and FreeRadius, including the recent messages on this list in January, and a couple of exchanges back in 2006 and 2007. I am running FreeRadius 1.1.7 on a RHEL 4 box, compiled from Fedora 8's FreeRadius SRPM. According to the changelog, the patch/hack to get around Vista's broken SSL fragment handling has been in FreeRadius since 1.1.4, so we're good there. I also read the big warning in the eap.conf file and have ensured that my certificate indeed does have the proper OID that Microsoft requires. The setup (1.1.5 before, and 1.1.7 now) has been working fine for XP SP2 for years.

Yet I still have the problem where after the Access-Challenge is sent, the Vista clients just silently drop things and the connection fails. This is the behavior that I know I would get if I don't have the required OID in the certificate. Yet it is there! I ran 'openssl x509 -in /path/to/cert.crt -noout -text' and it shows the extended usage as I'd expect. For some reason openssl calls it TLS Web Server Authentication. Thinking that it was still wrong, I did as was suggested on the list in January, and downloaded FreeRadius 2.0.3 and created a self-signed cert with those tools. It looks exactly the same, so I know the OID is right.

Any ideas? Debug output is:

Sending Access-Challenge of id 90 to 192.168.4.10 port 21702
        EAP-Message = 0x010800061900
        Message-Authenticator = 0x
        State = 0xdf09144102cbf146277d93e7d554a782
Finished request 1939
Going to the next request

Any ideas on how to better debug and fix this major problem for me?

thanks,
Michael
Re: EAP (PEAP) problems
Alan DeKok wrote:
> Why did you add Auth-Type = Accept to the server? It's breaking EAP.
>
> Alan DeKok.

Auth-Type = EAP? A few folks had mentioned to us that using the EAP auth type was a bad idea. Why? No idea. It seems obvious, so we'll give it a shot.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com
Re: EAP (PEAP) problems
Drew Linsalata wrote:
> Alan DeKok wrote:
>> Why did you add Auth-Type = Accept to the server? It's breaking EAP.
>>
>> Alan DeKok.
>
> Auth-Type = EAP? A few folks had mentioned to us that using the EAP auth type was a bad idea. Why? No idea. It seems obvious, so we'll give it a shot.

No. You should not have to set Auth-Type to anything, at all, except in very specialised configurations. Don't set it at all.

For example, the entry in the users file might look like:

username        User-Password := password

...and nothing else.
Re: EAP (PEAP) problems
Drew Linsalata [EMAIL PROTECTED] wrote:
> Auth-Type = EAP? A few folks had mentioned to us that using the EAP auth type was a bad idea. Why? No idea. It seems obvious, so we'll give it a shot.

  NO! Read the documentation in eap.conf for why it's a bad idea. The solution to one broken configuration is NOT to add yet another broken configuration. Find out where the Auth-Type Accept is coming from, and fix it!

  Alan DeKok.
EAP (PEAP) problems
This is freeradius 1.1.1 with a Proxim/Orinoco AP700. We're configured to use PEAP. We seem to be hung up on the EAP start from the AP. Here's some log output. Note the "No EAP Start" part, which I think tells us that the AP isn't relaying the EAP Start properly from the supplicant. Any feedback from the gurus? (-:

rad_recv: Access-Request packet from host ***.***.***.***:6001, id=22, length=154
        User-Name = testtwo
        NAS-IP-Address = ***.***.***.***
        Called-Station-Id = 00-20-a6-5d-9c-d1:ourtestssid
        Calling-Station-Id = 00-20-a6-4c-16-7f
        NAS-Identifier = ORiNOCO-AP-700-5d-9c-d1
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0204000c017465737474776f
        Message-Authenticator = 0x62af36a7da3b8f655c8a9cda6dba34eb
Wed May 31 13:50:59 2006 : Debug: Processing the authorize section of radiusd.conf
Wed May 31 13:50:59 2006 : Debug: modcall: entering group authorize for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module preprocess returns ok for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 3
Wed May 31 13:50:59 2006 : Debug: rlm_realm: No '@' in User-Name = testtwo, looking up realm NULL
Wed May 31 13:50:59 2006 : Debug: rlm_realm: No such realm NULL
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module suffix returns noop for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 3
Wed May 31 13:50:59 2006 : Debug: rlm_eap: EAP packet type response id 4 length 12
Wed May 31 13:50:59 2006 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module eap returns updated for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 3
Wed May 31 13:50:59 2006 : Debug: users: Matched entry testtwo at line 2
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module files returns ok for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 3
Wed May 31 13:50:59 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 3
Wed May 31 13:50:59 2006 : Debug: modcall[authorize]: module mschap returns noop for request 3
Wed May 31 13:50:59 2006 : Debug: modcall: leaving group authorize (returns updated) for request 3
Wed May 31 13:50:59 2006 : Debug: rad_check_password: Found Auth-Type Accept
Wed May 31 13:50:59 2006 : Debug: rad_check_password: Auth-Type = Accept, accepting the user
Wed May 31 13:50:59 2006 : Auth: Login OK: [testtwo/no User-Password attribute] (from client testAP port 0 cli 00-20-a6-4c-16-7f)
Sending Access-Accept of id 22 to ***.***.***.*** port 6001
Wed May 31 13:50:59 2006 : Debug: Finished request 3
Wed May 31 13:50:59 2006 : Debug: Going to the next request
Wed May 31 13:50:59 2006 : Debug: --- Walking the entire request list ---
Wed May 31 13:50:59 2006 : Debug: Waking up in 6 seconds...
Wed May 31 13:51:05 2006 : Debug: --- Walking the entire request list ---
Wed May 31 13:51:05 2006 : Debug: Cleaning up request 3 ID 22 with timestamp 447dd783
Wed May 31 13:51:05 2006 : Debug: Nothing to do. Sleeping until we see a request.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com
Re: EAP (PEAP) problems
Drew Linsalata [EMAIL PROTECTED] wrote:
> rad_recv: Access-Request packet from host ***.***.***.***:6001, id=22, length=154
>         User-Name = testtwo
> ...
>         EAP-Message = 0x0204000c017465737474776f
> ...
> Wed May 31 13:50:59 2006 : Debug: rad_check_password: Found Auth-Type Accept

  Why did you add Auth-Type = Accept to the server? It's breaking EAP.

  Alan DeKok.
PEAP problems, never see an Access-Accept
Had a hard time to even start FreeRadius on my Debian Unstable system with a working PEAP module (yes, I'm aware of OpenSSL licences and eap_tls / eap_peap linking problems with Debian, _now_ ;-) ). I'm currently using the 20060202 snapshot. With this version (also tried 20060130, same behaviour) I'm able to create PEAP-enabled Debian packages, after manually editing the pcap section in the main Makefile.

The problem now is that I'm trying to authenticate a default Windows XP SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and an HP ProCurve 520WL Access Point in 802.1x mode (latest firmware). Below are my FreeRadius startup and an attempt to authenticate; could someone please point me in a direction as to what's going on? I've no clue what's wrong... Also, Google told me that the last line here isn't harmful:

rlm_eap_tls: TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A

===

Starting - reading configuration files ...
read_config_files: reading dictionary
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: checkrad = /usr/sbin/checkrad
main: debug_level = 0
main: proxy_requests = yes
log: syslog_facility = daemon
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
read_config_files: reading realms
main: port = 1812
listen: type = auth
listen: ipaddr = *
listen: port = 0
listen: type = acct
listen: ipaddr = *
listen: port = 0
client: secret = VerySecret
client: shortname = localhost
client: nastype = other
client: secret = VerySecret
client: shortname = AccessPoint
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: input_pairs = request
exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
expiration: reply-message = Password Has Expired
Module: Instantiated expiration (expiration)
Module: Loaded logintime
logintime: reply-message = You are calling outside your allowed timespan
logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
pap: encryption_scheme = auto
pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: radwtmp = /var/log/freeradius/radwtmp
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: pem_file_type = yes
tls: private_key_file = /etc/freeradius/certs/example.key
tls: certificate_file = /etc/freeradius/certs/example.crt
tls: CA_file = /etc/ssl/certs/ca-example.pem
tls: dh_file = /etc/freeradius/certs/example.dh
tls: random_file = /dev/urandom
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type
Re: PEAP problems, never see an Access-Accept
Jorgen Rosink [EMAIL PROTECTED] wrote:
> Had a hard time to even start FreeRadius on my Debian Unstable system with a working PEAP module (yes, I'm aware of OpenSSL licences and eap_tls / eap_peap linking problems with Debian, _now_ ;-) ). I'm currently using the 20060202 snapshot. With this version (also tried 20060130, same behaviour) I'm able to create PEAP-enabled Debian packages, after manually editing the pcap section in the main Makefile.

  I'd suggest using 1.1.0, unless you're willing to work with an unstable version of FreeRADIUS.

> The problem now is that I'm trying to authenticate a default Windows XP SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and an HP ProCurve 520WL Access Point in 802.1x mode (latest firmware). Below are my FreeRadius startup and an attempt to authenticate; could someone please point me in a direction as to what's going on? I've no clue what's wrong...

  The symptom that Windows stops talking to the RADIUS server usually means that the server certificate doesn't contain the magic Windows OIDs. See the scripts/ directory for samples of how to create certs with the right stuff.

  Alan DeKok.
Re: PEAP problems, never see an Access-Accept
On 2/3/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Jorgen Rosink [EMAIL PROTECTED] wrote:
>> Had a hard time to even start FreeRadius on my Debian Unstable system with a working PEAP module (yes, I'm aware of OpenSSL licences and eap_tls / eap_peap linking problems with Debian, _now_ ;-) ). I'm currently using the 20060202 snapshot. With this version (also tried 20060130, same behaviour) I'm able to create PEAP-enabled Debian packages, after manually editing the pcap section in the main Makefile.
>
>   I'd suggest using 1.1.0, unless you're willing to work with an unstable version of FreeRADIUS.

I'd like to, but I'm unable to build working Debian packages with both the official source 1.1.0 and the Debian upstream one (override libssl-dev build conflict). The symlinks in my Freeradius libdir for both eap_tls and eap_peap are invalid with this version (1.0.5 also failed). From what I understand this should be fixed in 1.1.0, but as mentioned earlier, the latest snapshots are the only ones working here, with PEAP that is.

>> The problem now is that I'm trying to authenticate a default Windows XP SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and an HP ProCurve 520WL Access Point in 802.1x mode (latest firmware). Below are my FreeRadius startup and an attempt to authenticate; could someone please point me in a direction as to what's going on? I've no clue what's wrong...
>
>   The symptom that Windows stops talking to the RADIUS server usually means that the server certificate doesn't contain the magic Windows OIDs. See the scripts/ directory for samples of how to create certs with the right stuff.

That did the trick, thank you very much!!!
FreeRADIUS with PEAP problems
Hello all,

I am trying to configure FreeRADIUS with PEAP support. Here are my specs:

OS: FreeBSD 5.4
OpenSSL: version 0.9.7d
FreeRADIUS: 1.0.5

I have tested the configuration with EAP/TLS and it works just fine; however, when I change default_eap_type = tls to default_eap_type = peap in the eap.conf file, I'm getting:

Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/freebsd.puyenet.com.pem
tls: certificate_file = /usr/local/etc/raddb/certs/freebsd.puyenet.com.pem
tls: CA_file = /usr/local/etc/raddb/certs/root.pem
tls: private_key_password =
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /usr/local/etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
rlm_eap: No such sub-type for default EAP type peap
Bus error (core dumped)
bash-2.05b#

I have found this article from 2004 (http://lists.freeradius.org/pipermail/freeradius-users/2004-October/036946.html). I'm not sure if this applies to me. Any help is greatly appreciated.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.
Re: FreeRADIUS with PEAP problems
On Monday 02 January 2006 06:32, Alhagie Puye wrote:
> rlm_eap: Loaded and initialized type tls
> rlm_eap: No such sub-type for default EAP type peap
> Bus error (core dumped)
> bash-2.05b#

Do you have

peap {
        default_eap_type = mschapv2
}

in your eap.conf?

Zoltan Ori
RE: FreeRADIUS with PEAP problems
Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Zoltan A. Ori
Sent: January 2, 2006 3:58 AM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems

> On Monday 02 January 2006 06:32, Alhagie Puye wrote:
>> rlm_eap: Loaded and initialized type tls
>> rlm_eap: No such sub-type for default EAP type peap
>> Bus error (core dumped)
>> bash-2.05b#
>
> Do you have
>
> peap {
>         default_eap_type = mschapv2
> }
>
> in your eap.conf?

Yes, I do.

> Zoltan Ori
Re: FreeRADIUS with PEAP problems
On Monday 02 January 2006 07:34, Alhagie Puye wrote:
>> Do you have
>>
>> peap {
>>         default_eap_type = mschapv2
>> }
>>
>> in your eap.conf?
>
> Yes, I do.

And, was MSCHAP instantiated? A complete debug output might help since the problem may begin elsewhere and only manifest itself as an error when dependencies are required.

Zoltan Ori
Re: FreeRADIUS with PEAP problems
On Monday 02 January 2006 07:34, Alhagie Puye wrote:
>> rlm_eap: No such sub-type for default EAP type peap
>> Bus error (core dumped)
>> bash-2.05b#

I take it all back. It shouldn't have dumped core. I looked right over that.

Zoltan Ori
RE: FreeRADIUS with PEAP problems
I went ahead and recompiled from source and also used the --disable-shared option. It is not core-dumping, but PEAP is still failing. Here is the complete debug output as you requested:

freebsd# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "orion.puyenet.com"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=administrator,ou=users,dc=ad,dc=puyenet,dc=com"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = ""
ldap: basedn = "DC=ad,DC=puyenet,DC=com"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "M4a8ccarthy6"
ldap: access_attr = "dialupAccess"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags ma
Re: FreeRADIUS with PEAP problems
Alhagie Puye [EMAIL PROTECTED] wrote:
> rlm_eap: Loaded and initialized type tls
> rlm_eap: No such sub-type for default EAP type peap

  Try reading eap.conf, and uncommenting the "peap" section.

  I'm not sure how to make that error message more descriptive, or update the comments in eap.conf so that people will *read* them.

  Alan DeKok.
RE: FreeRADIUS with PEAP problems
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Mon 1/2/2006 2:28 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems

Thanks Alan for the reply. The "peap" section was already uncommented. Here is exactly what my eap.conf file looks like (I have removed every line that is commented):

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
                certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
                CA_file = ${raddbdir}/certs/root.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }
}

Thanks,
Alhagie.

> "Alhagie Puye" [EMAIL PROTECTED] wrote:
>> rlm_eap: Loaded and initialized type tls
>> rlm_eap: No such sub-type for default EAP type peap
>
>   Try reading eap.conf, and uncommenting the "peap" section.
>
>   I'm not sure how to make that error message more descriptive, or update the comments in eap.conf so that people will *read* them.
>
>   Alan DeKok.
Re: FreeRADIUS with PEAP problems
Alhagie Puye [EMAIL PROTECTED] wrote:
> Here is exactly what my eap.conf file looks like (I have removed every line that is commented)
...
>         tls {
...
>                 peap {
>                         default_eap_type = mschapv2
>                 }

  sigh

  So you didn't just uncomment the peap section. You edited and re-arranged it. Your edits broke it.

  There's a simple solution: read the stock eap.conf again. Follow its layout. It WORKS.

  Alan DeKok.
RE: FreeRADIUS with PEAP problems
From: [EMAIL PROTECTED] on behalf of Alhagie Puye
Sent: Mon 1/2/2006 3:43 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS with PEAP problems

Ok, I found what the problem is, thanks to Zoltan. The last "}" should have been before the "peap" section. I had accidentally placed the "peap" section inside the "tls" section. I have changed the eap.conf file to look like this now and it works fine:

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
                certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
                CA_file = ${raddbdir}/certs/root.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

Thanks to everybody that gave me a hand.

Alhagie.

> From: [EMAIL PROTECTED] on behalf of Alan DeKok
> Sent: Mon 1/2/2006 2:28 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS with PEAP problems
>
> Thanks Alan for the reply. The "peap" section was already uncommented. Here is exactly what my eap.conf file looks like (I have removed every line that is commented):
>
> eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         tls {
>                 private_key_password = whatever
>                 private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
>                 certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
>                 CA_file = ${raddbdir}/certs/root.pem
>                 dh_file = ${raddbdir}/certs/dh
>                 random_file = ${raddbdir}/certs/random
>                 peap {
>                         default_eap_type = mschapv2
>                 }
>                 mschapv2 {
>                 }
>         }
> }
>
> Thanks,
> Alhagie.
>
>> "Alhagie Puye" [EMAIL PROTECTED] wrote:
>>> rlm_eap: Loaded and initialized type tls
>>> rlm_eap: No such sub-type for default EAP type peap
>>
>>   Try reading eap.conf, and uncommenting the "peap" section.
>>
>>   I'm not sure how to make that error message more descriptive, or update the comments in eap.conf so that people will *read* them.
>>
>>   Alan DeKok.
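Alan's "sigh" reply and Alhagie's fix above pin the failure on layout: the peap block had been nested inside tls, so rlm_eap, which only looks one level under eap for its sub-type sections, never loaded it and then reported the default type as unknown. As an added example (not code from this thread or from FreeRADIUS), the Python below walks a brace-delimited eap.conf once, lists which sub-type sections actually sit directly under eap, and checks that default_eap_type names one of them. The two config strings are constructed from the thread with shortened placeholder paths; the tokenizer assumes eap.conf's own syntax (key = value lines, # comments, ${var} references) and nothing more.

```python
import re

# Tokens of a FreeRADIUS brace-delimited config: quoted strings, ${var} and
# %{attr} references (kept whole so their braces are not taken for section
# delimiters), the three structural characters, and bare words.
_TOKEN = re.compile(r'"[^"]*"|[$%]\{[^}]*\}|[{}=]|[^\s{}=]+')

# CONSTRUCTED from the thread, trimmed to the lines that matter: the layout
# that gave "No such sub-type for default EAP type peap" (peap inside tls) ...
BROKEN_EAP_CONF = """
eap {
    default_eap_type = peap
    timer_expire = 60
    tls {
        private_key_file = ${raddbdir}/certs/server.pem   # placeholder path
        certificate_file = ${raddbdir}/certs/server.pem
        CA_file = ${raddbdir}/certs/root.pem
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }
}
"""

# ... and the corrected layout, with peap and mschapv2 as siblings of tls.
FIXED_EAP_CONF = """
eap {
    default_eap_type = peap
    timer_expire = 60
    tls {
        private_key_file = ${raddbdir}/certs/server.pem
        certificate_file = ${raddbdir}/certs/server.pem
        CA_file = ${raddbdir}/certs/root.pem
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""


def _strip_comments(text):
    """Drop '#' comments, the only comment syntax eap.conf uses."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """One pass over the config. Returns (paths, settings): the dotted path of
    every section in file order, and a map 'section.path.key' -> value for
    each 'key = value' assignment. Unbalanced braces raise ValueError."""
    stack, paths, settings = [], [], {}
    tokens = _TOKEN.findall(_strip_comments(text))
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            if i == 0 or tokens[i - 1] in ("{", "}", "="):
                raise ValueError("'{' without a section name")
            stack.append(tokens[i - 1])
            paths.append(".".join(stack))
        elif tok == "}":
            if not stack:
                raise ValueError("'}' without a matching '{'")
            stack.pop()
        elif tok == "=" and 0 < i < len(tokens) - 1:
            settings[".".join(stack + [tokens[i - 1]])] = tokens[i + 1]
            i += 1                      # the value token is consumed here
        i += 1
    if stack:
        raise ValueError("unclosed section: " + ".".join(stack))
    return paths, settings


def is_balanced(text):
    """True when every '{' has a matching '}' and vice versa."""
    try:
        parse(text)
        return True
    except ValueError:
        return False


def eap_subtypes(text):
    """Names of the sections directly under 'eap', the only place rlm_eap
    looks for its tls / peap / mschapv2 / ... sub-type blocks."""
    paths, _ = parse(text)
    return [p[4:] for p in paths if p.startswith("eap.") and "." not in p[4:]]


def default_eap_type_is_loadable(text):
    """True when the sub-type named by eap { default_eap_type = X } has its
    own block directly under eap. A block nested one level deeper, as in
    BROKEN_EAP_CONF, is never loaded, and rlm_eap then reports the default
    type as an unknown sub-type."""
    paths, settings = parse(text)
    wanted = settings.get("eap.default_eap_type")
    return wanted is not None and "eap." + wanted in paths
```

Run against the broken layout, eap_subtypes() returns only ["tls"] and default_eap_type_is_loadable() is False; against the fixed layout it returns ["tls", "peap", "mschapv2"] and True, which is the same distinction radiusd -X makes when it prints "Loaded and initialized type peap" or does not.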
RE: FreeRADIUS with PEAP problems
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Mon 1/2/2006 5:57 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems

> Alhagie Puye [EMAIL PROTECTED] wrote:
>> Here is exactly what my eap.conf file looks like (I have removed every line that is commented)
> ...
>>         tls {
> ...
>>                 peap {
>>                         default_eap_type = mschapv2
>>                 }
>
>   sigh
>
>   So you didn't just uncomment the peap section. You edited and re-arranged it. Your edits broke it.

Yes, I did... the re-arranging part was completely unintentional. My apologies... :-(

>   There's a simple solution: read the stock eap.conf again. Follow its layout. It WORKS.

Yes, you are absolutely right. It DOES work.

Thanks for all your help

Alhagie
Re: peap problems
Quoting Michael Griego [EMAIL PROTECTED]:
> I'm guessing you're using the Windows XP supplicant? This looks like a classic case of your CA certificate not being present on the client machine.
>
> --Mike
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas

Hi. Yes, I use the WinXP (SP2) supplicant and the access point is an Intel 2011B. I created new certificates. Then I copied the root.der and client-crt.p12 files to the supplicant. Windows shows that the certificates are OK and are used for the remote client identity. (I am trying the TLS method too.) Now, in the authentication process, I find the following error lines.

rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: TLS 1.0 Handshake [length 03a8], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: TLS 1.0 Handshake [length 0044], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13

The next lines tell how I create the certificates.
*** Server certificate ***
openssl genrsa -des3 -out server-key.pem 2048
openssl req -new -key server-key.pem -out server-csr.pem
openssl req -in server-csr.pem -out server-crt.pem -key server-key.pem -x509 -days 3652
openssl ca -in server-csr.pem -out server-crt.pem -days 3652 -policy policy_anything

*** Root certificate ***
cp server-crt.pem root.pem
openssl x509 -in root.pem -inform PEM -out root.der -outform DER

*** Client certificate ***
openssl genrsa -des3 -out client-key.pem 2048
openssl req -new -key client-key.pem -out client-csr.pem
openssl ca -in client-csr.pem -out client-crt.pem -days 125 -extensions xpclient_ext -extfile xpextensions -policy policy_anything
openssl pkcs12 -export -in client-crt.pem -inkey client-key.pem -name "Radius Suse" -certfile client-crt.pem -out client.p12
openssl x509 -inform PEM -outform DER -in client-crt.pem -out client-crt.der
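For comparison with the command sequence above, here is an added example (not code from the thread or from FreeRADIUS) that builds the same three artifacts the Windows supplicant needs, but with a separate self-signed CA, a server certificate carrying the id-kp-serverAuth extended key usage (1.3.6.1.5.5.7.3.1, printed by openssl as "TLS Web Server Authentication") and a client certificate carrying id-kp-clientAuth (1.3.6.1.5.5.7.3.2). It drives the openssl command-line tool from Python, so openssl must be on PATH; the section names xpserver_ext and xpclient_ext follow the xpextensions file mentioned above, while the subject names, the "Radius Suse" friendly name and the PKCS#12 password are made up for the demonstration. The last step reads the extended key usage back out of each certificate, which is the check to run before copying anything to a client.

```python
"""Build a small PEAP/EAP-TLS PKI with the extended key usages Windows checks.

Added example; calls the openssl CLI (assumed on PATH).  Names, subjects
and the p12 password below are placeholders chosen for the demonstration.
"""
import os
import shutil
import subprocess
import tempfile

HAVE_OPENSSL = shutil.which("openssl") is not None

# Minimal openssl.cnf: a non-interactive [req] section plus the extension
# sections.  1.3.6.1.5.5.7.3.1 = id-kp-serverAuth ("TLS Web Server
# Authentication"), 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth.
OPENSSL_CNF = """\
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
"""


def _openssl(*args, cwd):
    """Run one openssl command in cwd and return its stdout (raises on error)."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def eku_names(cert_pem, cwd):
    """Return the EKU names openssl prints for cert_pem ([] if it has none)."""
    text = _openssl("x509", "-in", cert_pem, "-noout", "-text", cwd=cwd)
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Extended Key Usage" in line and i + 1 < len(lines):
            return [n.strip() for n in lines[i + 1].split(",")]
    return []


def build_pki(workdir):
    """Create CA, server and client certificates in workdir; return checks."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as fh:
        fh.write(OPENSSL_CNF)
    # 1. Self-signed CA: this (ca.der) is what the client must trust.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "3652",
             "-keyout", "ca.key", "-out", "ca.pem", "-subj", "/CN=Example RADIUS CA",
             "-config", cnf, "-extensions", "ca_ext", cwd=workdir)
    # 2. Server and client certificates issued by that CA, each with its EKU.
    for name, section, cn in (("server", "xpserver_ext", "radius.example.org"),
                              ("client", "xpclient_ext", "jaskajok")):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", f"{name}.key", "-out", f"{name}.csr",
                 "-subj", f"/CN={cn}", "-config", cnf, cwd=workdir)
        _openssl("x509", "-req", "-in", f"{name}.csr", "-CA", "ca.pem",
                 "-CAkey", "ca.key", "-CAcreateserial", "-days", "730",
                 "-out", f"{name}.pem", "-extfile", cnf, "-extensions", section,
                 cwd=workdir)
    # 3. Files for the Windows side: DER root and a PKCS#12 bundle for the client.
    _openssl("x509", "-in", "ca.pem", "-outform", "DER", "-out", "ca.der", cwd=workdir)
    _openssl("pkcs12", "-export", "-in", "client.pem", "-inkey", "client.key",
             "-certfile", "ca.pem", "-name", "Radius Suse", "-out", "client.p12",
             "-passout", "pass:changeit", cwd=workdir)
    # 4. Checks: EKU of each certificate and whether the server cert chains to the CA.
    verify = subprocess.run(["openssl", "verify", "-CAfile", "ca.pem", "server.pem"],
                            cwd=workdir, capture_output=True, text=True)
    return {
        "server_eku": eku_names("server.pem", workdir),
        "client_eku": eku_names("client.pem", workdir),
        "server_chains_to_ca": verify.returncode == 0,
        "files": sorted(os.listdir(workdir)),
    }


def build_pki_in_tempdir():
    """Convenience wrapper: build everything in a throw-away directory."""
    with tempfile.TemporaryDirectory() as d:
        return build_pki(d)


if __name__ == "__main__":
    print(build_pki_in_tempdir())
```

The server certificate gets only serverAuth and the client certificate only clientAuth, so the EKU check distinguishes the two; a certificate that lists neither prints no "X509v3 Extended Key Usage" block at all and eku_names() returns an empty list.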
Re: peap problems
I'm guessing you're using the Windows XP supplicant? This looks like a classic case of your CA certificate not being present on the client machine.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

ealatalo wrote:
> Quoting Jacques VUVANT [EMAIL PROTECTED]:
> > Hello T
> > It seems that the user doesn't exist in users.conf
> > Jacques
>
> The problem was that I had changed the setting NT_Domain_hack = yes. Now I have changed it back to no and that problem is solved. But now I get the following new problem. :(
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.50.50.13:1117, id=92, length=141
> User-Name = TWIRE12\\jaskajok
> NAS-IP-Address = 10.50.50.13
> Called-Station-Id = 00034715cbc3
> Calling-Station-Id = 00022d1d5cb1
> NAS-Identifier = WARLORD1
> NAS-Port = 29
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
> Message-Authenticator = 0x08a61ed2a9cfdf1b75fddc6da963f23a
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module chap returns noop for request 0
> modcall[authorize]: module mschap returns noop for request 0
> rlm_realm: No '@' in User-Name = TWIRE12\jaskajok, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> rlm_eap: EAP packet type response id 1 length 21
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 0
> users: Matched DEFAULT at 156
> modcall[authorize]: module files returns ok for request 0
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module eap returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 92 to 10.50.50.13:1117
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x
> State = 0xe6b4b0ad3e594db130de344878b1cd7c
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 92 with timestamp 41f6af2e
> Nothing to do. Sleeping until we see a request.
>
> ** part of eap.conf
> default_eap_type = peap
> ...
> tls {
>     private_key_password = arvaatko
>     private_key_file = ${raddbdir}/varmenteet/palvelin-key.pem
>     # If Private key & Certificate are located in
>     # the same file, then private_key_file &
>     # certificate_file must contain the same file
>     # name.
>     certificate_file = ${raddbdir}/varmenteet/palvelin-crt.pem
>     # Trusted Root CA list
>     CA_file = ${raddbdir}/varmenteet/CA-crt.pem
>     dh_file = ${raddbdir}/varmenteet/certs/dh
>     random_file = ${raddbdir}/varmenteet/certs/random
> ...
> peap {
>     default_eap_type = mschapv2
> }
>
> ** part of users
> jaskajok User-Password == Reititys2
>     Framed-IP-Address = 10.50.50.12, Framed-IP-Netmask = 255.255.255.0
>
> *** radiusd.conf - no changes made ***
peap problems
Hi! I'm trying to configure freeradius with PEAP authentication. I use WinXP for the client. When starting authentication, I get the following error. Can somebody help me and tell me what is going wrong? I have made changes to the radiusd.conf, eap.conf, users and clients.conf files. Should I make changes to the huntgroups file?

T.ea

Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
User-Name = TWIRE12\\jaskajok
NAS-IP-Address = 10.50.50.13
Called-Station-Id = 00034715cbc3
Calling-Station-Id = 00022d1d5cb1
NAS-Identifier = WARLORD1
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 1 length 21
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched jaskajok at 97
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Re: peap problems
Hi! I'm trying to configure freeradius with PEAP authentication. I use WinXP for the client. When starting authentication, I get the following error. Can somebody help me and tell me what is going wrong? I have made changes to the radiusd.conf, eap.conf, users and clients.conf files. Should I make changes to the huntgroups file? (freeradius 1.0.0, Suse 9.2)

T.ea

[debug output identical to the previous message, from "Ready to process requests." through "--- Walking the entire request list ---"]

(freeradius 1.0.0, Suse 9.2)

I have the following line in the users file. (I don't have a users.conf file..?)

#John Doe Auth-Type := Local, User-Password == hello
# Reply-Message = Hello, %u
jaskajok User-Password == Reititys3
#
# Dial user back and telnet to the default host for that port
EAP-PEAP Problems: module eap returns invalid for request 8 and auth: Failed to validate the user.
Hi all!!!

I use: freeradius-snapshot-20040216, openssl 0.9.7c, a Cisco PCMCIA card and a D-Link access point, XP client. I would like to run PEAP but freeradius shows me the following error. Please, look at my authenticate and authorize modules!!! Any idea?? Thanks in advance!!!

freeradius logs
--
NAS-IP-Address = 192.168.49.252
NAS-Port = 0
Called-Station-Id = "00-80-C8-01-01-55"
Calling-Station-Id = "00-0B-46-26-1C-44"
NAS-Identifier = "DWL-1000AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a
State = 0x112e15244708c595cec067388e416f35
Message-Authenticator = 0x4f0281d0e0d358ca365c0b2ca66be681
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
rlm_eap: EAP packet type response id 9 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
rlm_realm: No '@' in User-Name = "1119", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...

radiusd.conf
-
modules {
    #
    # Each module has a configuration as follows:
    #
    #   name [ instance ] {
    #       config_item = value
    #       ...
    #   }
    #
    # The 'name' is used to load the 'rlm_name' library
    # which implements the functionality of the module.
    #
    # The 'instance' is optional. To have two different instances
    # of a module, it first must be referred to by 'name'.
    # The different copies of the module are then created by
    # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
    #
    # The instance names can then be used in later configuration
    # INSTEAD of the original 'name'. See the 'radutmp' configuration
    # below for an example.
    #

    # PAP module to authenticate users based on their stored password
    #
    # Supports multiple encryption schemes
    #   clear: Clear text
    #   crypt: Unix crypt
    #   md5:   MD5 encryption
    #   sha1:  SHA1 encryption.
    # DEFAULT: crypt
    pap {
        encryption_scheme = crypt
    }

    # CHAP module
    #
    # To authenticate requests containing a CHAP-Password attribute.
    #
    chap {
        authtype = CHAP
    }

    # Pluggable Authentication Modules
    #
    # For Linux, see:
    #   http://www.kernel.org/pub/linux/libs/pam/index.html
    #
    # WARNING: On many systems, the system PAM libraries have
    #          memory leaks! We STRONGLY SUGGEST that you do not
    #          use PAM for authentication, due to those memory leaks.
    #
    pam {
        #
        # The name to use for PAM authentication.
        # PAM looks in /etc/pam.d/${pam_auth_name}
        # for its configuration. See 'redhat/radiusd-pam'
        # for a sample PAM configuration file.
        #
        # Note that any Pam-Auth attribute set in the 'authorize'
        # section will over-ride this one.
        #
        pam_auth = radiusd
    }

    # Unix /etc/passwd style authentication
    #
    unix {
        #
        # Cache /etc/passwd, /etc/shadow, and /etc/group
        #
        # The default is to NOT cache them.
        #
        # For FreeBSD, you do NOT want to enable the cache,
        # as its password lookups are done via a database, so
        # set this value to 'no'.
        #
        # Some systems (e.g. RedHat Linux with pam_pwbd) can
        # take *seconds* to check a password, from a passwd
        # file containing 1000's of entries. For those systems,
        # you should set the cache value to 'yes', and set
        # the locations of the 'passwd', 'shadow', and 'group'
        # files, below.
        #
        # allowed values: {no, yes}
        cache = no

        # Reload the cache every 600 seconds (10mins). 0 to disable.
        cache_reload = 600

        #
        # Define the locations of the normal passwd, shadow, and
        # group files.
        #
        # 'shadow' is commented out by default, because not all
        # systems have shadow passwords.
        #
        # To force the module to use the system password functions,
        # instead of reading the files, leave the following entries
        # commented out.
        #
        # This is required for
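The EAP-Message values in these debug logs are opaque hex, but they are just EAP packets (RFC 3748) and, for type 25 (PEAP), a flags byte followed by TLS records, which is enough to tell an Identity response, a PEAP Start, an empty ACK and a tunneled-data packet apart. The decoder below is an added example, not code from the thread or from FreeRADIUS; the three SAMPLES are copied from debug output on this page: the Identity response and the PEAP Start from the "peap problems" thread above, and the PEAP response from the log just above, whose TLS record is ApplicationData, i.e. the tunneled payload that rlm_eap_peap then reports as an EAP-TLV response. Type and content-type names are the standard IANA/TLS values; anything unknown is printed numerically.

```python
"""Decode RADIUS EAP-Message values as printed by radiusd -X.

Added example, not code from the thread.  EAP framing per RFC 3748;
EAP-TLS/TTLS/PEAP payload framing (flags byte, optional 4-byte total
length, then TLS records) per RFC 5216 and the PEAP draft.  The SAMPLES
are copied from debug output quoted on this page.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TUNNEL_TYPES = (13, 21, 25)
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

SAMPLES = {
    "identity": "0x0201001501545749524531325c6a61736b616a6f6b",
    "peap_start": "0x010200061920",
    "peap_data": "0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a",
}


def decode_eap_message(hexstr):
    """Parse one EAP-Message hex string into a dict; raises ValueError on bad framing."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} does not match {len(data)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or len(data) == 4:
        return out                        # Success/Failure carry no type byte
    eap_type = data[4]
    body = data[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif eap_type in TUNNEL_TYPES and body:
        flags = body[0]                   # L M S R R V V V
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        tls = body[1:]
        if flags & 0x80:                  # L bit: 4-byte total TLS message length follows
            out["tls_total_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        out["tls_data_len"] = len(tls)
        if len(tls) >= 5:                 # first TLS record header in this fragment
            ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
            out["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                                 "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
                                 "length": rec_len}
    return out


def describe(hexstr):
    """One-line summary, convenient for scanning a whole debug log."""
    d = decode_eap_message(hexstr)
    s = f"{d['code']} id={d['id']} len={d['length']}"
    if "type" in d:
        s += f" {d['type']}"
    if "identity" in d:
        s += f" identity={d['identity']!r}"
    if "flags" in d:
        f = d["flags"]
        bits = "".join(b for b in "LMS" if f[b]) or "-"
        s += f" flags={bits} v{f['version']} tls_bytes={d['tls_data_len']}"
        if f["S"] and d["tls_data_len"] == 0:
            s += " (Start)"
        elif d["tls_data_len"] == 0:
            s += " (ACK)"                 # empty fragment: peer acknowledges and waits
    if "tls_record" in d:
        r = d["tls_record"]
        s += f" record={r['content_type']} {r['version']} len={r['length']}"
    return s


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:11s} {describe(value)}")
```

Reading the "peap problems" log with this: the client's Identity response carries TWIRE12\jaskajok, the server answers with a PEAP Start (flags=S, no TLS data), and nothing further arrives from the client before the request is cleaned up, so whatever went wrong happened on the client side of the TLS handshake, which matches the advice in that thread to look at the client's trust in the CA certificate.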
Re: EAP-PEAP Problems: module eap returns invalid for request 8 and auth: Failed to validate the user.
Jose,

You've sent quite a bit of information to the list, but it's been pretty much useless... The portion of the log that you are sending does not include the *reason* that the authentication is failing. Please post the entire portion of the log for this request (or put it on a website somewhere and post the link to the list). This will aid in finding out where the problem lies.

--Mike

On Wed, 2004-02-18 at 09:23, José Luis Solano wrote:
> [original message quoted in full; see above]
Re: EAP-PEAP Problems: module eap returns invalid for request8 and auth: Failed to validate the user.
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> modcall: entering group Auth-Type for request 7
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: No LM-Password or NT-Password attribute found. Cannot perform MS-CHAP authentication.
> modcall[authenticate]: module mschap returns fail for request 7

As suspected, above is the block in the log you should be paying attention to. You haven't configured a password for your tunneled user. Give the entry for this user a cleartext User-Password attribute, and it should work.

--Mike
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: Freeradius PEAP Problems
Lionel Gavage [EMAIL PROTECTED] wrote:
> even with this option, the problem is always present! an idea ?

shrug. Buy a better client?

The tunneled session MUST include an EAP-Identity packet, which is where the user name comes from. If the client doesn't send it, don't complain that FreeRADIUS is broken. Fix the client.

The user name is REQUIRED for MS-CHAP, which is what PEAP uses inside of the TLS tunnel. Any client that doesn't send a user name is broken.

Alan DeKok.
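Two replies on this page say what rlm_mschap needs and not why: the "No User-Password configured. Cannot create NT-Password" block in the EAP-PEAP thread, and the point just above that MS-CHAP inside the PEAP tunnel cannot work without a user name. The reason is in how MS-CHAPv2 (RFC 2759) is computed, and the added example below (not code from the thread or from FreeRADIUS) shows the two derivations the server has to repeat: the NT-Password is MD4 over the UTF-16LE password, which rlm_mschap can only build from a cleartext User-Password (or be given directly as NT-Password), and the 8-byte challenge the client encrypted is SHA1 over both challenges and the user name, so a missing user name leaves the server nothing to compare against. MD4 is implemented in pure Python because hashlib does not provide it on every OpenSSL build; the final DES step that turns the hash and challenge into the 24-byte NT-Response is described in the comments but not implemented. Expected values are the RFC 2759 section 9.2 test vectors ("User"/"clientPass"); the "password" hash is the well-known NT hash of that word, and the domain-stripping example reuses the TWIRE12\jaskajok name from this page.

```python
"""Why rlm_mschap needs a cleartext password and a user name (RFC 2759).

Added example, not code from the thread.  NtPasswordHash and ChallengeHash
are implemented; the NT-Response itself (three DES encryptions of the
8-byte challenge under the padded 16-byte NT hash) is not.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib may lack it on OpenSSL 3 builds)."""
    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    msg = bytearray(message) + b"\x80"          # padding: 1 bit, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (                                  # (function, constant, word order, shifts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # one step, then rotate register roles (a,b,c,d) -> (d,a,b,c)
                a = rotl((a + func(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash: what rlm_mschap derives from a cleartext User-Password."""
    return md4(password.encode("utf-16-le"))


def strip_domain(user_name: str) -> str:
    """RFC 2759 uses the user name without any DOMAIN\\ prefix in ChallengeHash."""
    return user_name.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    The client DES-encrypts this value under its NT hash to produce the
    NT-Response, so without the user name the server cannot rebuild it.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges are 16 bytes")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + user_name.encode("utf-8")).digest()
    return digest[:8]


# RFC 2759 section 9.2 test vectors (the challenges are ASCII punctuation strings).
RFC2759_USER = "User"
RFC2759_PASSWORD = "clientPass"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

if __name__ == "__main__":
    print("NT-Password :", nt_password_hash(RFC2759_PASSWORD).hex())
    print("Challenge   :", challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE,
                                          RFC2759_USER).hex())
    print("user name   :", strip_domain("TWIRE12\\jaskajok"))
```

A crypt- or SHA1-hashed password in the users file is useless here: rlm_mschap cannot recover the MD4 of the UTF-16 password from it, which is exactly what the log lines "Cannot create NT-Password" and "Cannot perform MS-CHAP authentication" report.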
Re: Freeradius PEAP Problems
Lionel Gavage [EMAIL PROTECTED] wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP. I try to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a User-Name for MS-CHAPv2". However, I am sending a login/password. I use the Aegis Client under Windows XP.

Look again. The tunneled authentication session doesn't have a username.

You can set copy_request_to_tunnel = yes in the PEAP module. That should help.

Alan DeKok.
RE: Freeradius PEAP Problems
even with this option, the problem is always present! an idea ?

Lionel Gavage

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of Alan DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

> [Alan DeKok's reply quoted in full; see the previous message]
Re: Freeradius PEAP Problems
Sorry Lionel!!! Another question. I have changed my radiusd.conf and I have activated the TTLS module. But now there are two modules activated; is it a problem?

eap {
    default_eap_type = tls    !!
    timer_expire = 60
    #md5 {
    #}
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 600
        include_length = yes
    }
    ttls {
        default_eap_type = md5    !
        use_tunneled_reply = no
    }
}

Is it correct? My freeRADIUS is 0.8.1; does TTLS run with this version? For default_eap_type, is md5 the only possible value?

Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

> Activated the TTLS module:
>
> ttls {
>     default_eap_type = md5
>     use_tunneled_reply = no
> }
>
> and that's all.
>
> Lionel Gavage
>
> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of José Luis Solano
> Sent: Monday, 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
> > Hi Lionel!!
> >
> > I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to run TTLS and I will run PEAP after. So, can you help me please? Currently, my radiusd.conf is:
> >
> > # Extensible Authentication Protocol
> > #
> > # For all EAP related authentications
> > eap {
> >     # Invoke the default supported EAP type when
> >     # EAP-Identity response is received
> >     default_eap_type = tls
> >
> >     # Default expiry time to clean the EAP list,
> >     # It is maintained to co-relate the
> >     # EAP-response for each EAP-request sent.
> >     timer_expire = 60
> >
> >     # Supported EAP-types
> >     #md5 {
> >     #}
> >
> >     ## EAP-TLS is highly experimental EAP-Type at the moment.
> >     # Please give feedback on the mailing list.
> >     tls {
> >         private_key_password = izadisan
> >         private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
> >
> >         # If Private key & Certificate are located in the
> >         # same file, then private_key_file & certificate_file
> >         # must contain the same file name.
> >         certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
> >
> >         # Trusted Root CA list
> >         CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
> >
> >         dh_file = /usr/local/openssl/ssl/certs/dh
> >         random_file = /usr/local/openssl/ssl/certs/random
> >
> >         #
> >         # This can never exceed MAX_RADIUS_LEN (4096)
> >         # preferably half the MAX_RADIUS_LEN, to
> >         # accomodate other attributes in RADIUS packet.
> >         # On most APs the MAX packet length is configured
> >         # between 1500 - 1600. In these cases, fragment
> >         # size should be <= 1024.
> >         #
> >         fragment_size = 600
> >
> >         # include_length is a flag which is by default set to yes
> >         # If set to yes, Total Length of the message is included
> >         # in EVERY packet we send.
> >         # If set to no, Total Length of the message is included
> >         # ONLY in the First packet of a fragment series.
> >         #
> >         include_length = yes
> >     }
> > }
> > --
> >
> > What changes do I need to use TTLS? Thanks in advance Lionel!!!
> >
> > José Luis Solano
> > SGI - Soluciones Globales Internet S.A.
> > Delegación Regional Sur
> > [EMAIL PROTECTED]
> > (+34) 954.088.060
> >
> > ----- Original Message -----
> > From: Lionel Gavage [EMAIL PROTECTED]
> > To: freeradius-users [EMAIL PROTECTED]
> > Sent: Monday, February 09, 2004 4:23 PM
> > Subject: Freeradius PEAP Problems
> >
> > > Hi, I
RE: Freeradius PEAP Problems
Hi José,

I use a freeradius snapshot because TTLS isn't in the rpm package. You must have the TLS module to use the TTLS module. The directive default_eap_type (in the EAP module) must be set to tls. That's right. And default_eap_type (in the TTLS module) to md5. That's right too. I can send my config file to you if you want.

Lionel Gavage

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of José Luis Solano
Sent: Monday, 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

> [José's message of 17:32, with the earlier messages it quotes; see the previous message]
Re: Freeradius PEAP Problems
Hi again, and sorry if I ask you a lot!! If you want to send me your radiusd.conf, it will be very good for me. So, please send me your file if it's possible. See you!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 5:31 PM
Subject: RE: Freeradius PEAP Problems

> [Lionel's message of 5:31 PM, with the earlier messages it quotes; see above]
RE: Freeradius PEAP Problems
Sorry, it doesn't work :(

Lionel Gavage

- Original message -
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Lionel Gavage
Sent: Monday, 9 February 2004 17:48
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

Ok, thanks Alan, I found it thanks to you. I added copy_request_to_tunnel = yes in the PEAP module and set default_eap_type = peap in the EAP module to default_eap_type = tls.

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI

- Original message -
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Lionel Gavage
Sent: Monday, 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

I specified: default_eap_type = peap in the EAP module ...

Lionel Gavage

- Original message -
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Lionel Gavage
Sent: Monday, 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

Even with this option, the problem is still present! Any idea?

Lionel Gavage

- Original message -
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Lionel Gavage [EMAIL PROTECTED] wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP. I try to set up PEAP/MS-CHAPv2 but I have the error rlm_mschap: We require a User-Name for MS-CHAPv2. However, I am sending a login/pass. I use Aegis Client under Windows XP.

Look again. The tunneled authentication session doesn't have a username. You can set copy_request_to_tunnel = yes in the PEAP module. That should help.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
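The two problems in this thread (José's eap {} block with tls and ttls enabled but md5 {} commented out, and Lionel's PEAP/MS-CHAPv2 session arriving without a User-Name) are both configuration-consistency issues that can be caught before restarting radiusd. The script below is an added example written for this archive page; it is not one of the posts and not a FreeRADIUS tool. It parses the old `name { key = value }` brace syntax of radiusd.conf and applies the advice given in the thread as checks: tunnelled types need the tls sub-module, default_eap_type must name a configured sub-module, PEAP needs copy_request_to_tunnel = yes for its inner MS-CHAPv2, and fragment_size must stay under MAX_RADIUS_LEN (4096). The sample configs are constructed from the blocks quoted in the thread (paths kept, password removed); the rule that an inner default_eap_type must itself be a configured sub-module is an assumption of this checker, and the toy parser handles only the brace syntax shown here.

```python
"""Consistency checks for the eap {} block of a FreeRADIUS 1.x-style radiusd.conf
(added example for this thread; not one of the posts and not a FreeRADIUS tool)."""
import re

MAX_RADIUS_LEN = 4096  # limit named in the radiusd.conf comment José quoted
_OPEN = re.compile(r"^(\w+)\s*\{$")
_SET = re.compile(r"^(\w+)\s*=\s*(.+)$")


def parse_conf(text: str) -> dict:
    """Parse nested `name { ... }` blocks of `key = value` lines; '#' starts a comment."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, e.g. the '#md5 {' lines
        if not line:
            continue
        if m := _OPEN.match(line):
            child: dict = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif m := _SET.match(line):
            stack[-1][m.group(1)] = m.group(2).strip().strip('"')
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block at end of input")
    return root


def check_eap(conf: dict) -> list:
    """Return findings for eap {}; an empty list means the block looks consistent."""
    eap = conf.get("eap")
    if not isinstance(eap, dict):
        return ["ERROR: no eap {} block found"]
    out = []
    modules = {k for k, v in eap.items() if isinstance(v, dict)}  # loaded EAP types
    default = eap.get("default_eap_type")
    if default not in modules:
        out.append(f"ERROR: eap.default_eap_type = {default!r} is not a configured sub-module")
    for tunnel in ("ttls", "peap"):
        if tunnel not in modules:
            continue
        if "tls" not in modules:  # Lionel's point: tunnelled types need the TLS module
            out.append(f"ERROR: {tunnel} {{}} is enabled but tls {{}} is missing")
        inner = eap[tunnel].get("default_eap_type")
        if inner and inner not in modules:  # assumption: the inner type must be loaded too
            out.append(f"ERROR: {tunnel}.default_eap_type = {inner!r} is not a configured sub-module")
    if "peap" in modules and eap["peap"].get("copy_request_to_tunnel") != "yes":
        # Alan's point: without this the tunnelled MS-CHAPv2 request carries no User-Name
        out.append("WARN: peap.copy_request_to_tunnel is not 'yes'; inner MS-CHAPv2 needs a User-Name")
    tls = eap.get("tls")
    if isinstance(tls, dict) and "fragment_size" in tls:
        size = int(tls["fragment_size"])
        if size >= MAX_RADIUS_LEN:
            out.append(f"ERROR: tls.fragment_size = {size} must stay below {MAX_RADIUS_LEN}")
        elif size > MAX_RADIUS_LEN // 2:
            out.append(f"WARN: tls.fragment_size = {size} leaves little room for other attributes")
    return out


# Constructed sample modelled on José's block: ttls wants md5, but md5 {} is commented out.
JOSE_CONF = """
eap {
    default_eap_type = tls
    #md5 {
    #}
    tls {
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        fragment_size = 600
    }
    ttls {
        default_eap_type = md5
        use_tunneled_reply = no
    }
}
"""

# Constructed block that passes every check: inner types loaded, PEAP copies the request.
FIXED_CONF = """
eap {
    default_eap_type = peap
    md5 {
    }
    mschapv2 {
    }
    tls {
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        fragment_size = 1024
    }
    ttls {
        default_eap_type = md5
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
    }
}
"""

if __name__ == "__main__":
    for name, text in (("jose", JOSE_CONF), ("fixed", FIXED_CONF)):
        print(name, check_eap(parse_conf(text)) or "ok")
```

Run it against the real file with `check_eap(parse_conf(open("/etc/raddb/radiusd.conf").read()))` only if the whole file uses the plain brace syntax; otherwise paste just the eap {} block. The checks are deliberately conservative (they only report what the thread's participants would have pointed out), so an empty result says the block is consistent, not that the client side is correct.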
