Hi All,
I am facing a problem using FreeRADIUS version 1.1.7 for
EAP-TTLS/MSCHAPv2. I always keep seeing the Access-Challenge in the RADIUS
log. I have attached the eap.conf / wpa_supplicant.conf and RADIUS traces
for your reference.
Please let me know if there is anything wrong in my configuration.

Thanks & Regards,
Sriram
rad_recv: Access-Request packet from host 192.168.0.1:49152, id=29, length=171
        NAS-IP-Address = 169.254.1.3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Framed-MTU = 1400
        User-Name = "aricent"
        Calling-Station-Id = "00-90-4B-0A-D5-EF"
        Called-Station-Id = "00-19-E1-F0-9B-CE"
        NAS-Identifier = "Enterprise Wireless AP"
        EAP-Message = 0x0201000c0161726963656e74
        Message-Authenticator = 0x57c85b81701129495162f36aef069549
        Proxy-State = 0x0402a9fe01031b272cc14c1336040fc84dcd0a33456e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    rlm_realm: No '@' in User-Name = "aricent", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched entry aricent at line 117
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group EAP for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group EAP (returns handled) for request 0
Sending Access-Challenge of id 29 to 192.168.0.1 port 49152
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0bc65ca2c6ba57161ed09aee31beac1e
        Proxy-State = 0x0402a9fe01031b272cc14c1336040fc84dcd0a33456e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:49152, id=30, length=285
        NAS-IP-Address = 169.254.1.3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Framed-MTU = 1400
        User-Name = "aricent"
        Calling-Station-Id = "00-90-4B-0A-D5-EF"
        Called-Station-Id = "00-19-E1-F0-9B-CE"
        NAS-Identifier = "Enterprise Wireless AP"
        State = 0x0bc65ca2c6ba57161ed09aee31beac1e
        EAP-Message = 
0x0202006c150016030100610100005d030147a099a9aacb7733a0315ee297e024c11643628f748158c38b0efaab8f612aaf00003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
        Message-Authenticator = 0x4e99a74d77d87576c4c7fe527d93f38d
        Proxy-State = 0x0402a9fe01035ced6f644c91240b7b6a21a92568154c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 1
  rlm_eap: EAP packet type response id 2 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    rlm_realm: No '@' in User-Name = "aricent", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched entry aricent at line 117
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group EAP for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 05d7], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group EAP (returns handled) for request 1
Sending Access-Challenge of id 30 to 192.168.0.1 port 49152
        EAP-Message = 
        EAP-Message = 
        EAP-Message = 
        EAP-Message = 
        EAP-Message = 0x5a30818b310b300906035504061302494e3116301406
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd1350e459ec5897073bcc1e1dfd602e3
        Proxy-State = 0x0402a9fe01035ced6f644c91240b7b6a21a92568154c
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:49152, id=31, length=183
        NAS-IP-Address = 169.254.1.3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Framed-MTU = 1400
        User-Name = "aricent"
        Calling-Station-Id = "00-90-4B-0A-D5-EF"
        Called-Station-Id = "00-19-E1-F0-9B-CE"
        NAS-Identifier = "Enterprise Wireless AP"
        State = 0xd1350e459ec5897073bcc1e1dfd602e3
        EAP-Message = 0x020300061500
        Message-Authenticator = 0xd988df4a33e5308aa7e0e6a14115d3c9
        Proxy-State = 0x0402a9fe01032240374c4e0a6e1e3e4e1d3e770804e6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    rlm_realm: No '@' in User-Name = "aricent", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    users: Matched entry aricent at line 117
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group EAP for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group EAP (returns handled) for request 2
Sending Access-Challenge of id 31 to 192.168.0.1 port 49152
        EAP-Message = 
        EAP-Message = 
        EAP-Message = 
0x02b1a1670131aaf7f65160a2783bed9c9b3c960a500790317cd323f800c3eca7978df10551bf7d47353b62b61164a7909b977281415f88ea23bd2516030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcc9cdb1c4d40f75283e7d31fe913b487
        Proxy-State = 0x0402a9fe01032240374c4e0a6e1e3e4e1d3e770804e6
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:49152, id=32, length=381
        NAS-IP-Address = 169.254.1.3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Framed-MTU = 1400
        User-Name = "aricent"
        Calling-Station-Id = "00-90-4B-0A-D5-EF"
        Called-Station-Id = "00-19-E1-F0-9B-CE"
        NAS-Identifier = "Enterprise Wireless AP"
        State = 0xcc9cdb1c4d40f75283e7d31fe913b487
        EAP-Message = 
0x020400cc15001603010086100000820080298d9c452e473a8689182e7f3d41e2a74d85eb7ec940086b836d78bbe2028211c3a2078fb153965cf8fb87f7ddd485a6bfad1d23b16c6a9083da19d4c748783c1b6c2141f18ba1643be0d6458042c648adbe2574afc25ea12425cfec80d23fc83625129890f3db11b6e528bbf8ae52a51344d144357fca26e6b6e161c9ac33671403010001011603010030a54510919a04c27a9a3e8aff08cb3ac752ed6315a92d83199c0e4bd395b031ff21f711d91c71cc6e7828ec243291deee
        Message-Authenticator = 0xbe88eb6a57813dee97eaa1ad42d301df
        Proxy-State = 0x0402a9fe010325cd3c914f054a2b159044f72d7324a2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 3
  rlm_eap: EAP packet type response id 4 length 204
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    rlm_realm: No '@' in User-Name = "aricent", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
    users: Matched entry aricent at line 117
  modcall[authorize]: module "files" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group EAP for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group EAP (returns handled) for request 3
Sending Access-Challenge of id 32 to 192.168.0.1 port 49152
        EAP-Message = 
0x0105004515800000003b140301000101160301003075a2c51f196cd25cb1d7b38f1e1cc91e799da31987f5e7d5235b2796eee25f9687d9136d19f9e994abc42acf796e9d50
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe2cf75fe7b371e389029b6e5c4b253db
        Proxy-State = 0x0402a9fe010325cd3c914f054a2b159044f72d7324a2
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 29 with timestamp 47a17263
Cleaning up request 1 ID 30 with timestamp 47a17263
Cleaning up request 2 ID 31 with timestamp 47a17263
Cleaning up request 3 ID 32 with timestamp 47a17263
Nothing to do.  Sleeping until we see a request.
 

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

# IEEE 802.1X/EAPOL version
# wpa_supplicant was implemented based on IEEE 802-1X-REV-d8 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
eapol_version=1

# AP scanning/selection
# By default, wpa_supplicant requests driver to perform AP scanning and then
# uses the scan results to select a suitable AP. Another alternative is to
# allow the driver to take care of AP scanning and selection and use
# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
# information from the driver.
# 1: wpa_supplicant initiates scanning and AP selection
# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
#    parameters (e.g., WPA IE generation); this mode can also be used with
#    non-WPA drivers when using IEEE 802.1X mode
ap_scan=1

# network block
#
# Each network (usually AP's sharing the same SSID) is configured as a separate
# block in this configuration file. The network blocks are in preference order
# (the first match is used).
#
# network block fields:
#
# ssid: SSID (mandatory); either as an ASCII string with double quotation or
#       as hex string; network name
#
# scan_ssid:
#       0 = do not scan this SSID with specific Probe Request frames (default)
#       1 = scan with SSID-specific Probe Request frames (this can be used to
#           find APs that do not accept broadcast SSID or use multiple SSIDs;
#           this will add latency to scanning, so enable this only when needed)
#
# bssid: BSSID (optional); if set, this network block is used only when
#       associating with the AP using the configured BSSID
#
# priority: priority group (integer)
# By default, all networks will get same priority group (0). If some of the
# networks are more desirable, this field can be used to change the order in
# which wpa_supplicant goes through the networks when selecting a BSS. The
# priority groups will be iterated in decreasing priority (i.e., the larger the
# priority value, the sooner the network is matched against the scan results).
# Within each priority group, networks will be selected based on security
# policy, signal strength, etc.
# Please note that AP scanning with scan_ssid=1 is not using this priority to
# select the order for scanning. Instead, it uses the order the networks are in
# the configuration file.
#
# proto: list of accepted protocols
# WPA = WPA/IEEE 802.11i/D3.0
# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
# If not set, this defaults to: WPA RSN
#
# key_mgmt: list of accepted authenticated key management protocols
# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
# WPA-EAP = WPA using EAP authentication (this can use an external
#       program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication)
# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
#       generated WEP keys
# NONE = WPA is not used; plaintext or static WEP could be used
# If not set, this defaults to: WPA-PSK WPA-EAP
#
# pairwise: list of accepted pairwise (unicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# NONE = Use only Group Keys (deprecated, should not be included if APs support
#       pairwise keys)
# If not set, this defaults to: CCMP TKIP
#
# group: list of accepted group (broadcast/multicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
# If not set, this defaults to: CCMP TKIP WEP104 WEP40
#
# psk: WPA preshared key; 256-bit pre-shared key
# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
# generated using the passphrase and SSID). ASCII passphrase must be between
# 8 and 63 characters (inclusive).
# This field is not needed, if WPA-EAP is used.
# Note: A separate tool, wpa_passphrase, can be used to generate 256-bit keys
# from an ASCII passphrase. This process uses a lot of CPU, and wpa_supplicant
# startup and reconfiguration time can be optimized by generating the PSK
# only when the passphrase or SSID has actually changed.
#
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
# Dynamic WEP key require for non-WPA mode
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
#       (3 = require both keys; default)
#
# Following fields are only used with internal EAP implementation.
# eap: space-separated list of accepted EAP methods
#       MD5 = EAP-MD5 (insecure and does not generate keying material ->
#                       cannot be used with WPA; to be used as a Phase 2 method
#                       with EAP-PEAP or EAP-TTLS)
#       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
#               as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#       OTP = EAP-OTP (cannot be used separately with WPA; to be used
#               as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#       GTC = EAP-GTC (cannot be used separately with WPA; to be used
#               as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#       TLS = EAP-TLS (client and server certificate)
#       PEAP = EAP-PEAP (with tunnelled EAP authentication)
#       TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
#                        authentication)
#       If not set, all compiled in methods are allowed.
#
# identity: Identity string for EAP
# anonymous_identity: Anonymous identity string for EAP (to be used as the
#       unencrypted identity with EAP types that support different tunnelled
#       identity, e.g., EAP-TTLS)
# password: Password string for EAP
# ca_cert: File path to CA certificate file. This file can have one or more
#       trusted CA certificates. If ca_cert is not included, server certificate
#       will not be verified. This is insecure and the CA file should always be
#       configured.
# client_cert: File path to client certificate file
# private_key: File path to client private key file
# private_key_passwd: Password for private key file
# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
#       (string with field-value pairs, e.g., "peapver=0" or
#       "peapver=1 peaplabel=1")
#       'peapver' can be used to force which PEAP version (0 or 1) is used.
#       'peaplabel=1' can be used to force new label, "client PEAP encryption",
#       to be used during key derivation when PEAPv1 or newer. Most existing
#       PEAPv1 implementations seem to be using the old label, "client EAP
#       encryption", and wpa_supplicant is now using that as the default value.
#       Some servers, e.g., Radiator, may require peaplabel=1 configuration to
#       interoperate with PEAPv1; see eap_testing.txt for more details.
#       'peap_outer_success=0' can be used to terminate PEAP authentication on
#       tunneled EAP-Success. This is required with some RADIUS servers that
#       implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
#       Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
#       (string with field-value pairs, e.g., "auth=MSCHAPV2")
# Following certificate/private key fields are used in inner Phase2
# authentication when using EAP-TTLS or EAP-PEAP.
# ca_cert2: File path to CA certificate file. This file can have one or more
#       trusted CA certificates. If ca_cert2 is not included, server
#       certificate will not be verified. This is insecure and the CA file
#       should always be configured.
# client_cert2: File path to client certificate file
# private_key2: File path to client private key file
# private_key2_passwd: Password for private key file

# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
# use. Real identity is sent only within an encrypted TLS tunnel.
network={
        ssid="whack_wpa2!"
        proto=RSN
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="aricent"
        anonymous_identity="aricent"
        private_key_passwd="aricent"
        ca_cert="/home/aseemg/iapp/wpa_supplicant-0.2.6/srk/cacert.pem"
        phase2="auth=MSCHAPV2"
}

# -*- text -*-
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#       $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
#
        eap {
                #  Invoke the default supported EAP type when
                #  EAP-Identity response is received.
                #
                #  The incoming EAP messages DO NOT specify which EAP
                #  type they will be using, so it MUST be set here.
                #
                #  For now, only one default EAP type may be used at a time.
                #
                #  If the EAP-Type attribute is set by another module,
                #  then that EAP type takes precedence over the
                #  default type configured here.
                #
                #default_eap_type = md5
                default_eap_type = ttls
                #default_eap_type = peap

                #  A list is maintained to correlate EAP-Response
                #  packets with EAP-Request packets.  After a
                #  configurable length of time, entries in the list
                #  expire, and are deleted.
                #
                timer_expire     = 60

                #  There are many EAP types, but the server has support
                #  for only a limited subset.  If the server receives
                #  a request for an EAP type it does not support, then
                #  it normally rejects the request.  By setting this
                #  configuration to "yes", you can tell the server to
                #  instead keep processing the request.  Another module
                #  MUST then be configured to proxy the request to
                #  another RADIUS server which supports that EAP type.
                #
                #  If another module is NOT configured to handle the
                #  request, then the request will still end up being
                #  rejected.
                ignore_unknown_eap_types = no

                # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
                # a User-Name attribute in an Access-Accept, it copies one
                # more byte than it should.
                #
                # We can work around it by configurably adding an extra
                # zero byte.
                cisco_accounting_username_bug = no

                # Supported EAP-types

                #
                #  We do NOT recommend using EAP-MD5 authentication
                #  for wireless connections.  It is insecure, and does
                #  not provide for dynamic WEP keys.
                #
                md5 {
                }

                # Cisco LEAP
                #
                #  We do not recommend using LEAP in new deployments.  See:
                #  http://www.securiteam.com/tools/5TP012ACKE.html
                #
                #  Cisco LEAP uses the MS-CHAP algorithm (but not
                #  the MS-CHAP attributes) to perform its authentication.
                #
                #  As a result, LEAP *requires* access to the plain-text
                #  User-Password, or the NT-Password attributes.
                #  'System' authentication is impossible with LEAP.
                #
                leap {
                }

                #  Generic Token Card.
                #
                #  Currently, this is only permitted inside of EAP-TTLS,
                #  or EAP-PEAP.  The module "challenges" the user with
                #  text, and the response from the user is taken to be
                #  the User-Password.
                #
                #  Proxying the tunneled EAP-GTC session is a bad idea,
                #  the users password will go over the wire in plain-text,
                #  for anyone to see.
                #
                gtc {
                        #  The default challenge, which many clients
                        #  ignore..
                        #challenge = "Password: "

                        #  The plain-text response which comes back
                        #  is put into a User-Password attribute,
                        #  and passed to another module for
                        #  authentication.  This allows the EAP-GTC
                        #  response to be checked against plain-text,
                        #  or crypt'd passwords.
                        #
                        #  If you say "Local" instead of "PAP", then
                        #  the module will look for a User-Password
                        #  configured for the request, and do the
                        #  authentication itself.
                        #
                        auth_type = PAP
                }

                ## EAP-TLS
                #
                #  To generate test certificates, run the script
                #
                #       ../scripts/certs.sh
                #
                #  The documents on http://www.freeradius.org/doc
                #  are old, but may be helpful.
                #
                #  See also:
                #
                #  http://www.dslreports.com/forum/remark,9286052~mode=flat
                #
                tls {
                        #private_key_password = whatever
                        private_key_password = aricent
                        #private_key_file = ${raddbdir}/certs/cert-srv.pem
                        #private_key_file = /etc/1x/aricent_server_keycert.pem
                        private_key_file = /etc/1x/aricent_server_keycert.pem

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        #  certificate_file = ${raddbdir}/certs/cert-srv.pem 
                        certificate_file = /etc/1x/aricent_server_keycert.pem

                        #  Trusted Root CA list
                        CA_file = /etc/1x/cacert.pem 

                        dh_file = /etc/1x/dh
                        random_file = /etc/1x/random

                        #
                        #  This can never exceed the size of a RADIUS
                        #  packet (4096 bytes), and is preferably half
                        #  that, to accommodate other attributes in the
                        #  RADIUS packet.  On most APs the MAX packet
                        #  length is configured between 1500 - 1600
                        #  In these cases, fragment size should be
                        #  1024 or less.
                        #
                        fragment_size = 1024

                        #  include_length is a flag which is
                        #  by default set to yes.  If set to
                        #  yes, the Total Length of the message is
                        #  included in EVERY packet we send.
                        #  If set to no, Total Length of the
                        #  message is included ONLY in the
                        #  First packet of a fragment series.
                        #
                        include_length = yes

                        #  Check the Certificate Revocation List
                        #
                        #  1) Copy CA certificates and CRLs to same directory.
                        #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                        #    'c_rehash' is OpenSSL's command.
                        #  3) Add 'CA_path=<CA certs&CRLs directory>'
                        #      to radiusd.conf's tls section.
                        #  4) uncomment the line below.
                        #  5) Restart radiusd
                        check_crl = no 

                        #
                        #  If check_cert_issuer is set, the value will
                        #  be checked against the DN of the issuer in
                        #  the client certificate.  If the values do not
                        #  match, the certificate verification will fail,
                        #  rejecting the user.
                        #
                        #  check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

                        #
                        #  If check_cert_cn is set, the value will
                        #  be xlat'ed and checked against the CN
                        #  in the client certificate.  If the values
                        #  do not match, the certificate verification
                        #  will fail rejecting the user.
                        #
                        #  This check is done only if the previous
                        #  "check_cert_issuer" is not set, or if
                        #  the check succeeds.
                        #
                        check_cert_cn = %{User-Name}
                        #
                        # Set this option to specify the allowed
                        # TLS cipher suites.  The format is listed
                        # in "man 1 ciphers".
                        cipher_list = "DEFAULT"
                }

                #  The TTLS module implements the EAP-TTLS protocol,
                #  which can be described as EAP inside of Diameter,
                #  inside of TLS, inside of EAP, inside of RADIUS...
                #
                #  Surprisingly, it works quite well.
                #
                #  The TTLS module needs the TLS module to be installed
                #  and configured, in order to use the TLS tunnel
                #  inside of the EAP packet.  You will still need to
                #  configure the TLS module, even if you do not want
                #  to deploy EAP-TLS in your network.  Users will not
                #  be able to request EAP-TLS, as it requires them to
                #  have a client certificate.  EAP-TTLS does not
                #  require a client certificate.
                #
                ttls {
                        #  The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.  Inside of the
                        #  TTLS tunnel, we recommend using EAP-MD5.
                        #  If the request does not contain an EAP
                        #  conversation, then this configuration entry
                        #  is ignored.
                        #  default_eap_type = md5
                        default_eap_type = mschapv2

                        #  The tunneled authentication request does
                        #  not usually contain useful attributes
                        #  like 'Calling-Station-Id', etc.  These
                        #  attributes are outside of the tunnel,
                        #  and normally unavailable to the tunneled
                        #  authentication request.
                        #
                        #  By setting this configuration entry to
                        #  'yes', any attribute which is NOT in the
                        #  tunneled authentication request, but
                        #  which IS available outside of the tunnel,
                        #  is copied to the tunneled request.
                        #
                        # allowed values: {no, yes}
                        # copy_request_to_tunnel = no

                        #  The reply attributes sent to the NAS are
                        #  usually based on the name of the user
                        #  'outside' of the tunnel (usually
                        #  'anonymous').  If you want to send the
                        #  reply attributes based on the user name
                        #  inside of the tunnel, then set this
                        #  configuration entry to 'yes', and the reply
                        #  to the NAS will be taken from the reply to
                        #  the tunneled request.
                        #
                        # allowed values: {no, yes}
                        use_tunneled_reply = yes
                }

                #
                #  The tunneled EAP session needs a default EAP type
                #  which is separate from the one for the non-tunneled
                #  EAP module.  Inside of the TLS/PEAP tunnel, we
                #  recommend using EAP-MS-CHAPv2.
                #
                #  The PEAP module needs the TLS module to be installed
                #  and configured, in order to use the TLS tunnel
                #  inside of the EAP packet.  You will still need to
                #  configure the TLS module, even if you do not want
                #  to deploy EAP-TLS in your network.  Users will not
                #  be able to request EAP-TLS, as it requires them to
                #  have a client certificate.  EAP-PEAP does not
                #  require a client certificate.
                #
                peap {
                        #  The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.  Inside of the
                        #  PEAP tunnel, we recommend using MS-CHAPv2,
                        #  as that is the default type supported by
                        #  Windows clients.
                        default_eap_type = mschapv2

                        #  the PEAP module also has these configuration
                        #  items, which are the same as for TTLS.
                        # copy_request_to_tunnel = no
                        # use_tunneled_reply = no

                        #  When the tunneled session is proxied, the
                        #  home server may not understand EAP-MSCHAP-V2.
                        #  Set this entry to "no" to proxy the tunneled
                        #  EAP-MSCHAP-V2 as normal MSCHAPv2.
                        # proxy_tunneled_request_as_eap = yes
                }

                #
                #  This takes no configuration.
                #
                #  Note that it is the EAP MS-CHAPv2 sub-module, not
                #  the main 'mschap' module.
                #
                #  Note also that in order for this sub-module to work,
                #  the main 'mschap' module MUST ALSO be configured.
                #
                #  This module is the *Microsoft* implementation of MS-CHAPv2
                #  in EAP.  There is another (incompatible) implementation
                #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
                #  currently support.
                #
                mschapv2 {
                }
        }
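The settings in the ttls and peap sections above decide which inner method runs inside the tunnel and where the reply attributes come from, and the tls section's check_cert_cn applies to any client certificate presented. When reviewing a posted eap.conf it helps to pull those values out mechanically rather than by eye. The following is an added example, not code from the post or from FreeRADIUS: a small parser for the brace-delimited eap.conf format that then reports the outer and inner EAP types and flags non-default settings. The sample config is constructed from the sections shown on this page; the parser assumes plain `name {` / `}` / `key = value` lines and deliberately rejects anything else (such as `$INCLUDE`), so it is an audit aid, not a full FreeRADIUS config reader.

```python
"""Parse a FreeRADIUS 1.x style eap.conf and audit the EAP sub-module
settings that govern tunneled (TTLS/PEAP) authentication.  Added example;
the format assumptions are stated above."""
import re
from typing import Any, Dict, List

# Matches section openers such as 'eap {' or 'ttls {' (one optional qualifier).
_SECTION_OPEN = re.compile(r'^([\w-]+)(?:\s+([\w-]+))?\s*\{$')
# Matches 'key = value' (also ':=' / '==' operators used by FreeRADIUS).
_ASSIGN = re.compile(r'^([\w-]+)\s*(=|:=|==)\s*(.*?)\s*$')


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, but not a '#' inside a quoted value."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            break
        out.append(ch)
    return ''.join(out).strip()


def parse_config(text: str) -> Dict[str, Any]:
    """Return nested dicts: sections map to dicts, settings map to strings."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = _SECTION_OPEN.match(line)
        if m:
            name = m.group(1) if m.group(2) is None else f"{m.group(1)} {m.group(2)}"
            child: Dict[str, Any] = {}
            stack[-1][name] = child
            stack.append(child)
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = _ASSIGN.match(line)
        if m:
            value = m.group(3)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # unquote "DEFAULT" -> DEFAULT
            stack[-1][m.group(1)] = value
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def audit_eap(config: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise the EAP sub-modules and flag settings that change the
    default behaviour described in the eap.conf comments."""
    eap = config.get("eap", {})
    findings: Dict[str, Any] = {
        "outer_types": sorted(k for k, v in eap.items() if isinstance(v, dict)),
        "default_eap_type": eap.get("default_eap_type"),
        "inner_types": {},
        "warnings": [],
    }
    for tunnel in ("ttls", "peap"):
        sec = eap.get(tunnel)
        if not isinstance(sec, dict):
            continue
        inner = sec.get("default_eap_type", "unset")
        findings["inner_types"][tunnel] = inner
        # The page notes the EAP-MSCHAPv2 sub-module must exist for an inner mschapv2.
        if inner == "mschapv2" and "mschapv2" not in eap:
            findings["warnings"].append(f"{tunnel}: inner default is mschapv2 but no mschapv2 {{}} sub-module is defined")
        if sec.get("use_tunneled_reply", "no") == "yes":
            findings["warnings"].append(f"{tunnel}: use_tunneled_reply = yes, reply attributes are taken from the inner identity")
    tls = eap.get("tls")
    if isinstance(tls, dict) and "check_cert_cn" in tls:
        findings["warnings"].append("tls: check_cert_cn is active; any client certificate CN must match its expansion")
    return findings


# Constructed sample mirroring the sections shown on this page (outer default is assumed).
SAMPLE_EAP_CONF = """
eap {
        default_eap_type = ttls   # constructed outer default
        tls {
                check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"
        }
        ttls {
                default_eap_type = mschapv2
                use_tunneled_reply = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}
"""

if __name__ == "__main__":
    for k, v in audit_eap(parse_config(SAMPLE_EAP_CONF)).items():
        print(f"{k}: {v}")
```

Run it against a saved eap.conf by replacing SAMPLE_EAP_CONF with the file contents; the warnings list is the part worth reading, since each entry is a setting that departs from the defaults the comments describe.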
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html