Freeradius-Devel Digest, Vol 112, Issue 6

Ammu Argh ammu3634 at gmail.com
Fri Aug 8 18:21:54 CEST 2014


Hi Stefan,

Thank you for the reply.
But by default FR takes MS-CHAPv2. How do I configure it to use GTC/PAP?

However, I will try connecting FR to Samba or Active Directory.

Regards
Ammu


On Fri, Aug 8, 2014 at 3:30 PM, <
freeradius-devel-request at lists.freeradius.org> wrote:

> Message: 1
> Date: Thu, 7 Aug 2014 21:25:46 +0000
> From: Stefan Paetow <Stefan.Paetow at ja.net>
> To: FreeRadius developers mailing list
>         <freeradius-devel at lists.freeradius.org>
> Subject: RE: EAP-FAST phase2 failed
> Message-ID: <C072996E0B81144DBB9426B44462540C0D6935BF at EXC001>
> Content-Type: text/plain; charset="iso-8859-1"
>
> The log says this:
>
> EAP-MSCHAPV2: eap_server Password not configured
> EAP-FAST: Phase2 method failed
> EAP-FAST: PHASE2_METHOD -> FAILURE
>
> Leads me to believe you either need to configure EAP-FAST to use EAP-GTC
> or PAP as the second phase, or connect FR to SAMBA or Active Directory
> (which both speak MSCHAPv2).
>
> Stefan
>
> ________________________________
> From: freeradius-devel-bounces+stefan.paetow=ja.net at lists.freeradius.org
> [freeradius-devel-bounces+stefan.paetow=ja.net at lists.freeradius.org] on
> behalf of Ammu Argh [ammu3634 at gmail.com]
> Sent: 07 August 2014 17:16
> To: freeradius-devel at lists.freeradius.org
> Subject: EAP-FAST phase2 failed
>
> Hi,
>
> I was trying to connect to an AP using EAP-FAST authentication.
> But FreeRADIUS EAP-FAST failed with the error below:
>
>         State = 0x97d5bb340dc1cb0c525e6b44738f3553
>         Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 4 length 107
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> [files] users: Matched entry DEFAULT at line 202
> ++[files] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +group EAP {
> [eap2] Request found, released from the list
> EAP: EAP entering state RECEIVED
> EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0
> EAP: EAP entering state INTEGRITY_CHECK
> EAP: EAP entering state METHOD_RESPONSE
> SSL: Received packet(len=107) - Flags 0x01
> SSL: Received packet: Flags 0x1 Message Length 0
> EAP-FAST: Received 101 bytes encrypted data for Phase 2
> EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED]
> EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory)
> EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69
> EAP-FAST: Received Phase 2: code=2 identifier=4 length=63
> EAP-MSCHAPV2: eap_server Password not configured
> EAP-FAST: Phase2 method failed
> EAP-FAST: PHASE2_METHOD -> FAILURE
> EAP: EAP entering state SELECT_ACTION
> EAP: getDecision: method failed -> FAILURE
> EAP: EAP entering state FAILURE
> EAP: Building EAP-Failure (id=4)
> ==> Fail
> [eap2] Freeing handler
> EAP: Server state machine removed
> ++[eap2] = reject
> +} # group EAP = reject
> Failed to authenticate the user.
> Using Post-Auth-Type REJECT
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} -> anonymous
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 4 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 4
> Sending Access-Reject of id 117 to 10.10.2.2 port 46531
>         EAP-Message = 0x04040004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
>
>
> Other details are as below:
>
> Users file:
> wifi  Auth-Type := EAP, Cleartext-Password := "welcome123"
>
> eap.conf
> eap2 {
>                 fast {
>                         pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
>                         eap_fast_a_id = tjsys
>                         eap_fast_a_id_info = my_server
>                         eap_fast_prov = 3
>                         pac_key_lifetime = 604800 # 7 days
>                         pac_key_refresh_tim = 86400
>                 }
>
>                 tls {
>                         ca_cert = /usr/local/etc/raddb/certs/ca.pem
>                         server_cert = /usr/local/etc/raddb/certs/server.pem
>                         private_key_file = /usr/local/etc/raddb/certs/server.key
>                         private_key_password = whatever
>                         dh_file = /usr/local/etc/raddb/certs/dh
>                         random_file = /usr/local/etc/raddb/certs/random
>                 }
>         }
>
>
> Sites-enabled/default:
> Added in authenticate block
> Auth-Type EAP {
>                 eap2
>         }
>
>
>
> wpa_supplicant.conf
> update_config=1
> ap_scan=1
> fast_reauth=1
>
> network={
>         ssid="WiFi-11g"
>         key_mgmt=WPA-EAP
>         proto=WPA
>         pairwise=TKIP
>         group=TKIP
>         eap=FAST
>         anonymous_identity="fast"
>         identity="fast"
>         password="koro"
>         phase1="fast_provisioning=3"
>         pac_file="/data/misc/wifi/eap_fast.pac"
> }
>
>
>
> FreeRADIUS Version 2.2.5,
> OpenSSL 1.0.1e 11
> Ubuntu 14.04.1
>
> Please help me get it to work.
>
> Regards
> Ammu
>
>
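
Added example (not part of the original thread and not FreeRADIUS code): a decoder for the EAP-Payload TLV hexdump in the debug log quoted above, showing which inner method and user name the client sent in phase 2. The field offsets follow the EAP-MSCHAPv2 Response layout; parse_inner_eap and decode_log_payload are hypothetical names.

```python
import struct

# EAP-Payload TLV contents copied from the debug log in this thread (len=63).
EAP_PAYLOAD_HEX = """
02 04 00 3f 1a 02 04 00 3a 31
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28
67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77
69 66 69
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 6: "GTC", 26: "MSCHAPv2", 43: "FAST"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def parse_inner_eap(raw):
    """Decode an inner EAP packet; expands EAP-MSCHAPv2 Response fields."""
    if len(raw) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP Length field does not match payload size")
    info = {"code": EAP_CODES.get(code, code), "identifier": ident,
            "method": EAP_TYPES.get(eap_type, eap_type)}
    if eap_type != 26:
        return info
    body = raw[5:]  # OpCode(1) MS-CHAPv2-ID(1) MS-Length(2) then data
    if len(body) < 4:
        raise ValueError("truncated EAP-MSCHAPv2 header")
    opcode, _ms_id, ms_length = struct.unpack("!BBH", body[:4])
    if ms_length != len(body):
        raise ValueError("MS-Length field does not match packet size")
    info["opcode"] = MSCHAPV2_OPCODES.get(opcode, opcode)
    if opcode == 2:
        # Value-Size(1)=49, Peer-Challenge(16), Reserved(8),
        # NT-Response(24), Flags(1), then the user name.
        if len(body) < 54 or body[4] != 49:
            raise ValueError("malformed MSCHAPv2 Response value")
        info["peer_challenge"] = body[5:21]
        info["nt_response"] = body[29:53]
        info["name"] = body[54:].decode("ascii", errors="replace")
    return info


def decode_log_payload():
    return parse_inner_eap(bytes.fromhex("".join(EAP_PAYLOAD_HEX.split())))


if __name__ == "__main__":
    print(decode_log_payload())
```

On the bytes from this log it reports an MSCHAPv2 Response with identifier 4 for the name wifi, with an all-zero Peer-Challenge field.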