Re: Testing EAP-PEAP with freeradius



Alan DeKok wrote:
Bin Chen wrote:
By checking the radius log, I found this:

 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
 ERROR: Unknown value specified for Auth-Type.  Cannot perform requested
action.

  Why did you delete the "mschapv2" text from the stock radiusd.conf?

This is my config file, what's wrong?

##
## radiusd.conf    -- FreeRADIUS server configuration file.
##
##    http://www.freeradius.org/
##    $Id: radiusd.conf.in,v 1.161 2003/11/17 18:10:27 kkalev Exp $
##

##
## Installation layout.  Later paths are built from the earlier ones
## through ${...} references (note sysconfdir is under /usr/local while
## prefix is /usr).
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /usr/local/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
## Request handling limits (seconds / counts).
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
## Listen on one address only, not on every interface.  port = 0 takes the
## port from /etc/services, as described in the stock radiusd.conf.
bind_address = 192.168.1.104
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
## Logging.  NOTE(review): in the stock radiusd.conf log_auth_badpass and
## log_auth_goodpass are described as logging the password together with
## the authentication request, and both default to no.  With both set to
## yes here, user credentials are written to ${log_file} -- confirm this is
## a temporary debugging setting and not left on in service.
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
## User-name / password rewriting hacks, all disabled.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
Checkrad = ${sbindir}/checkrad
security {
   # Upper bound on the number of attributes accepted in a single packet;
   # the stock config describes this as protection against malformed requests.
   max_attributes = 200
   # Seconds to wait before sending an Access-Reject; slows down password guessing.
   reject_delay = 1
   # Do not answer Status-Server requests.
   status_server = no
}
## Proxying is enabled; realm/home-server definitions come from proxy.conf.
## clients.conf holds the NASes allowed to talk to this server and their
## shared secrets, so it should have the same restrictive permissions as
## the TLS key material below.
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
## SNMP support is off; snmp.conf is still included so the section parses.
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
## Worker thread pool: 5 threads at start, grown/shrunk to keep between
## 3 and 10 idle threads, never more than 32 in total.
thread pool {
   start_servers = 5
   max_servers = 32
   min_spare_servers = 3
   max_spare_servers = 10
   # 0 = a thread is never retired after a fixed number of requests.
   max_requests_per_server = 0
}
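##
## Module instances.  Defining an instance here does not activate it; a
## module only runs when one of the sections below (authorize,
## authenticate, accounting, ...) lists it.  As posted, several instances
## here (pap, chap, pam, ldap, realmpercent, attr_filter, counter, ippool,
## exec, ...) are not referenced by any section.
##
## Two directives in the posted copy had lost their line breaks
## (use_tunneled_reply / the closing brace of ttls, and check_with_nas /
## perm in radutmp); they are restored to one directive per line below.
##
modules {
   pap {
       encryption_scheme = crypt
   }
   chap {
       authtype = CHAP
   }
   pam {
       pam_auth = radiusd
   }
   eap {
#        default_eap_type = tls
       # Outer method offered to the client when it does not propose one.
       default_eap_type = peap
       timer_expire     = 60
       ignore_unknown_eap_types = no
       md5 {
       }
       leap {
       }
       tls {
           # The key passphrase is stored in clear text here, so this file
           # and the key file must be readable only by the user radiusd
           # runs as.  "whatever" is the passphrase used by the bundled
           # demo certificate scripts -- presumably not a production key.
           private_key_password = whatever
           # Key and certificate are read from the same PEM file, so it
           # must contain both.
           private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
           certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
           # CA used for certificate chain verification; "demoCA" suggests
           # the test CA generated by the bundled scripts -- TODO confirm
           # it is replaced by the real CA before deployment.
           CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
           dh_file = /usr/local/etc/raddb/certs/dh
           random_file = /usr/local/etc/raddb/certs/random
           fragment_size = 1024
           include_length = yes
       }
       ttls {
           default_eap_type = md5
           copy_request_to_tunnel = no
           use_tunneled_reply = no
       }
       # PEAP with no explicit inner method: the inner exchange is
       # EAP-MSCHAPv2, handled by the mschapv2 sub-module below.
       peap {
       }
       mschapv2 {
       }
   }
   # Plain MS-CHAP/MS-CHAPv2 handling; Auth-Type MS-CHAP is what this
   # instance answers to.
   mschap {
       authtype = MS-CHAP
   }
   # Placeholder LDAP settings (server/basedn are the stock sample values).
   # start_tls = no means the bind and the search run without TLS.
   ldap {
       server = "ldap.your.domain"
       basedn = "o=My Org,c=UA"
       filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
       start_tls = no
       access_attr = "dialupAccess"
       dictionary_mapping = ${raddbdir}/ldap.attrmap
       ldap_connections_number = 5
       timeout = 4
       timelimit = 3
       net_timeout = 1
   }
   # Realm parsing: "realm/user", "user@realm" and "user%realm".
   realm realmslash {
       format = prefix
       delimiter = "/"
   }
   realm suffix {
       format = suffix
       delimiter = "@"
   }
   realm realmpercent {
       format = suffix
       delimiter = "%"
   }
   preprocess {
       huntgroups = ${confdir}/huntgroups
       hints = ${confdir}/hints
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
   }
   files {
       usersfile = ${confdir}/users
       acctusersfile = ${confdir}/acct_users
       compat = no
   }
   # Accounting detail files, one directory per client, created mode 0600.
   detail {
       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
       detailperm = 0600
   }
   acct_unique {
       key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
   }
   # Session database (mode 0600); the sradutmp copy below is world-readable.
   radutmp {
       filename = ${logdir}/radutmp
       username = %{User-Name}
       case_sensitive = yes
       check_with_nas = yes
       perm = 0600
       callerid = "yes"
   }
   radutmp sradutmp {
       filename = ${logdir}/sradutmp
       perm = 0644
       callerid = "no"
   }
   attr_filter {
       attrsfile = ${confdir}/attrs
   }
   counter daily {
       filename = ${raddbdir}/db.daily
       key = User-Name
       count-attribute = Acct-Session-Time
       reset = daily
       counter-name = Daily-Session-Time
       check-name = Max-Daily-Session
       allowed-servicetype = Framed-User
       cache-size = 5000
   }
   always fail {
       rcode = fail
   }
   always reject {
       rcode = reject
   }
   always ok {
       rcode = ok
       simulcount = 0
       mpp = no
   }
   expr {
   }
   digest {
   }
   exec {
       wait = yes
       input_pairs = request
   }
   # Sample external program.  NOTE(review): the client-supplied User-Name
   # is expanded into the command line; confirm how rlm_exec splits the
   # arguments before using this pattern with anything but a demo.
   exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = request
       output_pairs = reply
   }
   ippool main_pool {
       range-start = 192.168.1.1
       range-stop = 192.168.3.254
       netmask = 255.255.255.0
       cache-size = 800
       session-db = ${raddbdir}/db.ippool
       ip-index = ${raddbdir}/db.ipindex
       override = no
   }
}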
## Modules to load at startup even though no section lists them; expr is
## not referenced by any section in this file.
instantiate {
   expr
}
## Runs in the order listed.  eap recognises EAP-Message and sets
## Auth-Type EAP (the log above shows "Found Auth-Type EAP"); the two
## realm modules strip/route by realm; files consults ${confdir}/users.
authorize {
   preprocess
   eap
   realmslash
   suffix
   files
}
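## Authentication methods.  Only eap is listed, but the PEAP inner method
## is EAP-MSCHAPv2, which hands the MS-CHAP exchange to the mschap module
## through Auth-Type MS-CHAP.  With no "Auth-Type MS-CHAP" group here the
## server has nothing to dispatch to and logs
## "ERROR: Unknown value specified for Auth-Type" right after
## "rlm_eap: processing type mschapv2" -- the failure in the log above.
## The group below (present in the stock radiusd.conf) restores it; the
## mschap instance it names is defined in the modules section.
authenticate {
   Auth-Type MS-CHAP {
       mschap
   }
   eap
}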
## Accounting pre-processing: realm stripping and acct_users lookup.
preacct {
   preprocess
   suffix
   files
}
## Accounting: tag each record with a unique id, write the detail file,
## then update the radutmp session database.
accounting {
   acct_unique
   detail
   radutmp
}
## Simultaneous-use checks consult the radutmp session database.
session {
   radutmp
}
## Nothing runs after a successful/failed authentication decision.
post-auth {
}
## No processing before a request is proxied.
pre-proxy {
}
## eap is listed so that replies to proxied EAP requests are handled by
## the eap module before being returned to the NAS.
post-proxy {
   eap
}

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





