WPA/RADIUS Problems

Loukas Kalenderidis loukas at hb.com.au
Tue Sep 5 01:51:03 CEST 2006


Hi,

On 04/09/2006, at 11:36 AM, Alan DeKok wrote:

> Loukas Kalenderidis <loukas at hb.com.au> wrote:
>> I've been trying to use an existing user that works with dialup
>> access, but kept having authorization rejected, so I decided to try
>> configuring that test user with Auth-Type:= Accept to simplify the
>> problem. Bad idea? I was under the impression I don't need
>> certificates unless I'm using TLS, is this incorrect?
>
>   As I said in my previous message, you need to configure users,
> passwords, and certificates for it to work.
>
>   You can believe me, or you can continue doing what you're doing now,
> which doesn't work.

I asked you questions relating to your statement in your previous  
message and you didn't really answer them. Can you elaborate on  
"configure users, passwords and certificates for it to work" please?  
Do you mean the users file needs specific configuration to work with  
WPA-EAP? And as I said before, I was under the impression I don't  
need certificates unless I'm using TLS, am I wrong? I'm happy to  
follow your advice, if you give me some that isn't just "configure  
stuff dude".

This is what the debug log says when I connect now:

rad_recv: Access-Request packet from host 10.0.0.100:1026, id=0,  
length=193
         Message-Authenticator = 0x5206d718f6573c1eb840261956ec4ed5
         Service-Type = Framed-User
         User-Name = "pants"
         Framed-MTU = 1488
         Called-Station-Id = "00-11-95-DB-37-0B:TestWPA"
         Calling-Station-Id = "00-0D-93-86-48-8E"
         NAS-Identifier = "D-Link Access Point"
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 54Mbps 802.11g"
         EAP-Message = 0x0200000a0170616e7473
         NAS-IP-Address = 10.0.0.100
         NAS-Port = 1
         NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
   rlm_eap: EAP packet type response id 0 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 0
     rlm_realm: No '@' in User-Name = "pants", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat:  'pants'
rlm_sql (sql): sql_set_user escaped user --> 'pants'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM  
dialup_radcheck WHERE Username = 'pants' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User pants not found in radcheck
radius_xlat:  'SELECT dialup_radgroupcheck.id,dialup_radgroupcheck.GroupName,dialup_radgroupcheck.Attribute,dialup_radgroupcheck.Value,dialup_radgroupcheck.op  FROM dialup_radgroupcheck,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupcheck.GroupName ORDER BY dialup_radgroupcheck.id'
radius_xlat:  'SELECT dialup_radgroupreply.id,dialup_radgroupreply.GroupName,dialup_radgroupreply.Attribute,dialup_radgroupreply.Value,dialup_radgroupreply.op  FROM dialup_radgroupreply,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupreply.GroupName ORDER BY dialup_radgroupreply.id'
rlm_sql (sql): User pants not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
   modcall[authorize]: module "sql" returns notfound for request 0
     users: Matched entry pants at line 47
     users: Matched entry DEFAULT at line 156
     users: Matched entry DEFAULT at line 175
   modcall[authorize]: module "files" returns ok for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
Sending Access-Accept of id 0 to 10.0.0.100:1026
         Framed-IP-Address = 255.255.255.254
         Framed-MTU = 576
         Service-Type = Framed-User
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.0.0.100:1026, id=0,  
length=38
Authentication reply packet code 2 sent to a non-proxy reply port  
from client testap:1026 - ID 0 : IGNORED
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.0.0.100:1026, id=1,  
length=193
         Message-Authenticator = 0x593aef9381f04eb85805621b1ee22f6d
         Service-Type = Framed-User
         User-Name = "pants"
         Framed-MTU = 1488
         Called-Station-Id = "00-11-95-DB-37-0B:TestWPA"
         Calling-Station-Id = "00-0D-93-86-48-8E"
         NAS-Identifier = "D-Link Access Point"
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 54Mbps 802.11g"
         EAP-Message = 0x0201000a0170616e7473
         NAS-IP-Address = 10.0.0.100
         NAS-Port = 1
         NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module "preprocess" returns ok for request 1
   modcall[authorize]: module "chap" returns noop for request 1
   modcall[authorize]: module "mschap" returns noop for request 1
   rlm_eap: EAP packet type response id 1 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 1
     rlm_realm: No '@' in User-Name = "pants", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat:  'pants'
rlm_sql (sql): sql_set_user escaped user --> 'pants'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM  
dialup_radcheck WHERE Username = 'pants' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User pants not found in radcheck
radius_xlat:  'SELECT dialup_radgroupcheck.id,dialup_radgroupcheck.GroupName,dialup_radgroupcheck.Attribute,dialup_radgroupcheck.Value,dialup_radgroupcheck.op  FROM dialup_radgroupcheck,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupcheck.GroupName ORDER BY dialup_radgroupcheck.id'
radius_xlat:  'SELECT dialup_radgroupreply.id,dialup_radgroupreply.GroupName,dialup_radgroupreply.Attribute,dialup_radgroupreply.Value,dialup_radgroupreply.op  FROM dialup_radgroupreply,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupreply.GroupName ORDER BY dialup_radgroupreply.id'
rlm_sql (sql): User pants not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
   modcall[authorize]: module "sql" returns notfound for request 1
     users: Matched entry pants at line 47
     users: Matched entry DEFAULT at line 156
     users: Matched entry DEFAULT at line 175
   modcall[authorize]: module "files" returns ok for request 1
   modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns updated for request 1
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
Sending Access-Accept of id 1 to 10.0.0.100:1026
         Framed-IP-Address = 255.255.255.254
         Framed-MTU = 576
         Service-Type = Framed-User
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 44fcba57
Waking up in 4 seconds...
rad_recv: Access-Accept packet from host 10.0.0.100:1026, id=1,  
length=38
Authentication reply packet code 2 sent to a non-proxy reply port  
from client testap:1026 - ID 1 : IGNORED
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 1 with timestamp 44fcba5b
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.100:1026, id=2,  
length=193
         Message-Authenticator = 0xf0a27f90359498a1ec16af5eb7268366
         Service-Type = Framed-User
         User-Name = "pants"
         Framed-MTU = 1488
         Called-Station-Id = "00-11-95-DB-37-0B:TestWPA"
         Calling-Station-Id = "00-0D-93-86-48-8E"
         NAS-Identifier = "D-Link Access Point"
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 54Mbps 802.11g"
         EAP-Message = 0x0202000a0170616e7473
         NAS-IP-Address = 10.0.0.100
         NAS-Port = 1
         NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
   modcall[authorize]: module "preprocess" returns ok for request 2
   modcall[authorize]: module "chap" returns noop for request 2
   modcall[authorize]: module "mschap" returns noop for request 2
   rlm_eap: EAP packet type response id 2 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 2
     rlm_realm: No '@' in User-Name = "pants", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 2
radius_xlat:  'pants'
rlm_sql (sql): sql_set_user escaped user --> 'pants'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM  
dialup_radcheck WHERE Username = 'pants' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): User pants not found in radcheck
radius_xlat:  'SELECT dialup_radgroupcheck.id,dialup_radgroupcheck.GroupName,dialup_radgroupcheck.Attribute,dialup_radgroupcheck.Value,dialup_radgroupcheck.op  FROM dialup_radgroupcheck,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupcheck.GroupName ORDER BY dialup_radgroupcheck.id'
radius_xlat:  'SELECT dialup_radgroupreply.id,dialup_radgroupreply.GroupName,dialup_radgroupreply.Attribute,dialup_radgroupreply.Value,dialup_radgroupreply.op  FROM dialup_radgroupreply,dialup_usergroup WHERE dialup_usergroup.Username = 'pants' AND dialup_usergroup.GroupName = dialup_radgroupreply.GroupName ORDER BY dialup_radgroupreply.id'
rlm_sql (sql): User pants not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
   modcall[authorize]: module "sql" returns notfound for request 2
     users: Matched entry pants at line 47
     users: Matched entry DEFAULT at line 156
     users: Matched entry DEFAULT at line 175
   modcall[authorize]: module "files" returns ok for request 2
   modcall[authorize]: module "mschap" returns noop for request 2
modcall: group authorize returns updated for request 2
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
Sending Access-Accept of id 2 to 10.0.0.100:1026
         Framed-IP-Address = 255.255.255.254
         Framed-MTU = 576
         Service-Type = Framed-User
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 10.0.0.100:1026, id=2,  
length=38
Authentication reply packet code 2 sent to a non-proxy reply port  
from client testap:1026 - ID 2 : IGNORED
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 2 with timestamp 44fcba61
Nothing to do.  Sleeping until we see a request.


Thanks,
Loukas
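
Added example, not part of the original post and not FreeRADIUS code: a short Python script that decodes the EAP-Message values shown in the debug log above and flags requests where an EAP packet was answered with an Access-Accept carrying no EAP-Message, which is what the log shows once Auth-Type Accept is found. The function names and the trimmed sample are assumptions made for this example.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def decode_eap(hexstr):
    """Decode the RFC 3748 EAP header from a hex string as printed in the debug log."""
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    length = int.from_bytes(raw[2:4], "big")
    if len(raw) < 4 or not 4 <= length <= len(raw):
        raise ValueError("truncated or inconsistent EAP packet")
    code, ident = raw[0], raw[1]
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt

def audit(log):
    """One finding per Access-Request: EAP packet in, Auth-Type Accept seen, reply out."""
    findings, cur, section = [], None, None
    for line in log.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            cur = {"eap": None, "auth_accept": False, "reply": None, "reply_eap": False}
            findings.append(cur)
            section = "request"
        elif cur is None:
            continue
        elif m := re.match(r"Sending (Access-\w+)", line):
            cur["reply"], section = m.group(1), "reply"
        elif "Auth-Type = Accept" in line:
            cur["auth_accept"] = True
        elif m := re.match(r"\s+EAP-Message = (0x[0-9a-fA-F]+)", line):
            if section == "request":
                cur["eap"] = decode_eap(m.group(1))
            else:
                cur["reply_eap"] = True
    return findings

def accepted_without_eap(f):
    """True when an EAP request was accepted with no EAP-Message in the reply."""
    return bool(f["eap"]) and f["auth_accept"] and f["reply"] == "Access-Accept" and not f["reply_eap"]

# Request 0 from the log above, trimmed to the lines the audit reads.
SAMPLE = """rad_recv: Access-Request packet from host 10.0.0.100:1026, id=0, length=193
        EAP-Message = 0x0200000a0170616e7473
   rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 10.0.0.100:1026
"""
```

Run over the full log, `audit()` returns three findings whose EAP packets are all Response/Identity for "pants" with ids 0, 1 and 2, each accepted without an EAP-Message in the reply.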


