freeradius-1.0.4 and MAC address authentication w/ win xp supplicant
John C. Koen
jck-freeradius at southwestern.edu
Wed Aug 29 18:41:52 CEST 2007
I am running freeradius-1.0.4 on SLES10, XP supplicant and Cisco Aironet 1200 AP.
My goal is to authenticate against the "users" file and use WEP with eap-tls.
I am trying to support Windows CE, and PEAP is not an option.
users:
0213dec2114a Auth-Type:=Accept
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID := 116,
        Tunnel-Medium-Type := IEEE-802
eap.conf:
eap {
        default_eap_type = tls
        tls {
                private_key_password = secret
                private_key_file = ${raddbdir}/certs/private/radius.key
                certificate_file = /etc/raddb/certs/radius.crt
                # Trusted Root CA list
                CA_file = /etc/raddb/certs/CA.crt
                dh_file = ${raddbdir}/certs/dh
                random_file = /etc/raddb/certs/random
                fragment_size = 1024
                include_length = yes
        }
}
radiusd.conf:
authorize {
        auth_log
        files
        eap
}
authenticate {
        eap
}
I have uploaded both the CA and certificate file to the supplicant, as
trusted certificates. For some reason, I continue to see the balloon from
Windows indicating that a valid certificate could not be found for comparison.
I have followed the PDF instructions found in EAPTLS.pdf.
Here is a sample of my radiusd -X -s logs:
rad_recv: Access-Request packet from host 192.168.214.99:1645, id=39, length=115
User-Name = "0213dec2114a"
User-Password = "Qp\203e\206%\010`\256\243\203u;\362\321\017"
Called-Station-Id = "0014.6a73.6110"
Calling-Station-Id = "0213.dec2.114a"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
NAS-Port = 551
NAS-IP-Address = 192.168.214.99
NAS-Identifier = "AP-99"
rad_rmspace_pair: User-Password now 'Qp?d?%?`?u;?'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat: '/var/log/radius/radius-MAC/radacct/auth-detail-20070829'
rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct//auth-detail-20070829
modcall[authorize]: module "auth_log" returns ok for request 2
users: Matched entry 0213dec2114a at line 38
modcall[authorize]: module "files" returns ok for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 2
radius_xlat: '/var/log/radius/radius-MAC/radacct/reply-detail-20070829'
rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct/reply-detail-20070829
modcall[post-auth]: module "reply_log" returns ok for request 2
modcall: group post-auth returns ok for request 2
Sending Access-Accept of id 39 to 192.168.214.99:1645
Service-Type = Framed-User
Tunnel-Private-Group-Id:0 := "116"
Tunnel-Medium-Type:0 := IEEE-802
Finished request 2
Going to the next request
--- Walking the entire request list ---
...this transaction is repeated over and over and over again.
I have also tried commenting out all instances of "eap" from radiusd.conf, hoping
to do non-WEP MAC address authentication, as a last effort. I then removed
WEP support from the supplicant and Cisco AP. While freeradius reports
"access-accept", the supplicant hangs on obtaining an IP address (with no related
logs shown on my DHCP server) and the Cisco AP reports "GMT: %DOT11-7-AUTH_FAILED:
Station 0213.dec2.114a Authentication failed"
--johnk
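The debug output above shows the whole story for request 2: the Access-Request carries a User-Password and Calling-Station-Id but no EAP-Message, so rlm_eap does nothing ("No EAP-Message, not doing EAP"), the users entry keyed on the MAC matches, and its Auth-Type := Accept accepts the station without any credential check. Entries like that are worth auditing on any server, because a MAC address is not a secret. The Python below is an added example written for this thread, not FreeRADIUS code: it parses a small constructed users file in the same layout as the one posted and a constructed radiusd -X excerpt, normalizes the different MAC spellings seen in the post (bare hex in User-Name, Cisco dotted form in Calling-Station-Id), and reports for each request whether it was accepted by a MAC-only Accept entry and whether an EAP exchange was even present. Function names and the sample data are assumptions for illustration.

```python
"""Audit FreeRADIUS-style 'users' entries with Auth-Type := Accept keyed on a
MAC address, and check radiusd -X Access-Requests against them.
Added example, not FreeRADIUS code; all sample data below is constructed."""
import re

# Constructed users file, same layout as the one in the post
# (name + check items in column 0, reply items on indented lines).
USERS_FILE = """\
0213dec2114a Auth-Type:=Accept
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID := 116,
        Tunnel-Medium-Type := IEEE-802

bob     Cleartext-Password := "hello"
        Service-Type = Framed-User
"""

# Constructed radiusd -X excerpt: request 39 is a MAC-only request with no
# EAP-Message; request 40 carries an EAP-Message (an EAP exchange is running).
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.168.214.99:1645, id=39, length=115
        User-Name = "0213dec2114a"
        Calling-Station-Id = "0213.dec2.114a"
        Service-Type = Login-User
rad_recv: Access-Request packet from host 192.168.214.99:1645, id=40, length=180
        User-Name = "bob"
        Calling-Station-Id = "00-11-22-33-44-55"
        EAP-Message = 0x0200000a01626f62
"""


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address.
    Accepts Cisco dotted (0213.dec2.114a), colon/dash separated, and bare hex."""
    digits = re.sub(r"[.:\-]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_users(text):
    """Yield (name, check_items) for each entry; indented reply lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0] in " \t":
            continue
        name, _, checks = line.partition(" ")
        entries.append((name, checks.strip()))
    return entries


def parse_requests(text):
    """Split radiusd -X output into Access-Request blocks with their attributes."""
    requests = []
    for line in text.splitlines():
        head = re.match(r"rad_recv: Access-Request packet from host (\S+), id=(\d+)", line)
        if head:
            requests.append({"host": head.group(1), "id": int(head.group(2)), "attrs": {}})
            continue
        attr = re.match(r"\s+([\w-]+) = \"?([^\"]*)\"?$", line)
        if attr and requests:
            requests[-1]["attrs"][attr.group(1)] = attr.group(2)
    return requests


def audit(users_text, log_text):
    """For every request, report whether a MAC-keyed Auth-Type := Accept entry
    would accept it, whether an EAP-Message was present, and whether the
    Calling-Station-Id agrees with the User-Name the station presented."""
    accept_macs = {}
    for name, checks in parse_users(users_text):
        mac = normalize_mac(name)
        if mac and re.search(r"Auth-Type\s*:=\s*Accept", checks):
            accept_macs[mac] = name
    findings = []
    for req in parse_requests(log_text):
        station = normalize_mac(req["attrs"].get("Calling-Station-Id", ""))
        user_mac = normalize_mac(req["attrs"].get("User-Name", ""))
        findings.append({
            "id": req["id"],
            "mac_only_accept": user_mac is not None and user_mac in accept_macs,
            "has_eap": "EAP-Message" in req["attrs"],
            "station_matches_username": station is not None and station == user_mac,
        })
    return findings


if __name__ == "__main__":
    for f in audit(USERS_FILE, DEBUG_LOG):
        print(f)
```

Any finding with mac_only_accept set and has_eap clear is a station being admitted on its MAC alone; that is exactly what the posted log shows for request 2, and it is the condition to look for when deciding whether the 802.1X/EAP-TLS path is actually being exercised or the AP is doing MAC pre-authentication in front of it.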