How to configure EAP Identity in 1.1.3

Govardhana K N govardhan.nagarajaiah at gmail.com
Tue Jul 17 06:57:15 CEST 2007


 Kedar,

I have used Response because I will be sending an EAP-Identity response
packet to the Radius Server. So the code field is not Request; it should be
Response.

All,

Thanks for the help. I was able to send the EAP message with the
EAP-Type-Identity field.

I have got an Access-Challenge response from the server, and the
Access-Request sent in response to this challenge is failing (Access-Reject
is sent by the server). Below I have given the debug log from the server:
--------------------------------------------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=60, length=113
        User-Name = "jrc"
        User-Password = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        Message-Authenticator = 0xaff453c7f7e3dc3639458de9740366a1
        EAP-Message = 0x02d20008016a7263
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 210 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 152
    users: Matched entry jrc at line 179
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 60 to 127.0.0.1 port 32825
        CUI = "jrccui"
        Class = 0x6a7263636c617373
        State = 0x6a72637374617465
        Framed-MTU = 1400
        Framed-IP-Address = 1.2.3.4
        Service-Type = Framed-User
        Session-Timeout = 30
        MS-MPPE-Send-Key = 0x6a72636d736b
        MS-MPPE-Recv-Key = 0x6a7263726563766d736b
        AAA-Session-Id = "jrcmultisessionid"
        HA-IP-MIP4 = 1.1.1.1
        DHCPv4-Server = 2.2.2.2
        MN-HA-MIP4-KEY = "jrcmipkey"
        MN-HA-MIP4-SPI = "jrcmipspi"
        DHCP-RK = "jrcdhcprk"
        DHCP-RK-KEY-ID = "jrcdhcpkey"
        DHCP-RK-LIFETIME = "20"
        EAP-Message = 0x01d300160410e0ccb378852f7a673815379d2f819db1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=61, length=155
        User-Name = "jrc"
        User-Password = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        Message-Authenticator = 0x8dc52d59961b5eb7d8789f7cb4dbea5a
        State = 0x6a72637374617465
        State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
        EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 211 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry jrc at line 179
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=61, length=155
Sending Access-Reject of id 61 to 127.0.0.1 port 32825
--------------------------------------------------------------------------------------------------------------------------------



Thanks & Regards,
Govardhana K N

On 7/16/07, Gaonkar, Kedar <kgaonkar at qualcomm.com> wrote:
>
> Why is the Code field of the EAP message 01? Isn't that a REQUEST message?
> Please correct me if I am wrong, but I thought the RADIUS server should get
> a Response packet with Code 2 and Type should be 1 (EAP Resp/Identity
> packet). Maybe it didn't get the Identity packet, and hence it cannot verify
> the Identity.
>
> Regards
> - Kedar Gaonkar
>
>
> Date: Mon, 16 Jul 2007 15:58:57 +0000 (GMT)
> From: Eshun Benjamin <bkeshun at yahoo.fr>
> Subject: Re : How to configure EAP Identity in 1.1.3
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <952625.72889.qm at web26009.mail.ukl.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Check on your AP, client.conf and naslist
>
> ==================================================
> Benjamin K. Eshun
>
> ----- Original Message ----
> From: Govardhana K N <govardhan.nagarajaiah at gmail.com>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Monday, 16 July 2007, 13:28:28
> Subject: How to configure EAP Identity in 1.1.3
>
> I changed it but the same error is still coming.
>
>
> On 7/16/07, Eshun Benjamin <bkeshun at yahoo.fr> wrote:
>
>
> You have misconfigured the Nas-Identifier
>
> > govardhana  Nas-Identifier == nas, Nas-Port-Type == 15
>
> You have    NAS-Identifier = "jrcnas"
>
> ==================================================
>
>
> Benjamin K. Eshun
>
>
>
> ----- Original Message ----
> From: Govardhana K N <govardhan.nagarajaiah at gmail.com>
> To: FreeRadius <freeradius-users at lists.freeradius.org>
> Sent: Monday, 16 July 2007, 12:24:09
> Subject: How to configure EAP Identity in 1.1.3
>
>
>
> Hi,
>
>
>
> I was trying to configure the FreeRadius server with EAP authentication. As
> mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending
> an EAP message and Message-Authenticator attributes in the Access-Request. When
> I tried sending an Access-Request with EAP-Message, I got the following
> error: "rlm_eap: Identity Unknown, authentication failed".
>
>
>
>
> How to configure the Identity for EAP?
>
>
>
> debug log from server:
>
> ---------------------------------
>
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /etc/freeradius/proxy.conf
> Config:   including file: /etc/freeradius/clients.conf
> Config:   including file: /etc/freeradius/snmp.conf
>
> Config:   including file: /etc/freeradius/eap.conf
> Config:   including file: /etc/freeradius/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/freeradius"
>
> main: libdir = "/usr/lib/freeradius"
> main: radacctdir = "/var/log/freeradius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
>
> main: delete_blocked_requests = 0
> main: port = 1812
> main: allow_core_dumps = no
> main: log_stripped_names = yes
> main: log_file = "/var/log/freeradius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
>
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/freeradius/freeradius.pid"
> main: bind_address = 127.0.0.1 IP address [127.0.0.1]
> main: user = "freerad"
> main: group = "freerad"
>
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
>
> main: proxy_requests = no
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
>
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
>
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/lib/freeradius
> Module: Loaded exec
> exec: wait = no
> exec: program = "(null)"
>
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
>
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
>
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
>
> unix: cache = no
> unix: passwd = "/etc/passwd"
> unix: shadow = "/etc/shadow"
> unix: group = "/etc/group"
> unix: radwtmp = "/var/log/freeradius/radwtmp"
> unix: usegroup = no
>
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
>
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> mschapv2: with_ntdomain_hack = no
>
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/freeradius/huntgroups"
> preprocess: hints = "/etc/freeradius/hints"
>
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
>
> preprocess: with_alvarion_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
>
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/etc/freeradius/users"
> files: acctusersfile = "/etc/freeradius/acct_users"
> files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
>
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
>
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/freeradius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
>
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication 127.0.0.1:1812
> Listening on accounting 127.0.0.1:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32813, id=179, length=95
>        User-Name = "jrc"
>        NAS-Identifier = "jrcnas"
>
>        NAS-Port-Type = Ethernet
>        CUI = "0"
>        Service-Type = Framed-User
>        Framed-MTU = 1400
>        Calling-Station-Id = "1:1:1:1:1:1"
>        EAP-Message = 0x01100008016a7263
>
>        Message-Authenticator = 0x64c5851b699cd2c027877bbb94fe7f8b
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
>
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
>    rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type request id 16 length 8
>
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
>    users: Matched entry DEFAULT at line 152
>    users: Matched entry jrc at line 178
>
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: Identity Unknown, authentication failed
> rlm_eap: Failed in handler
> modcall[authenticate]: module "eap" returns invalid for request 0
>
> modcall: leaving group authenticate (returns invalid) for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
>
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 179 to 127.0.0.1 port 32813
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 179 with timestamp 469b9233
> Nothing to do.  Sleeping until we see a request.
>
>
>
> debug log from Client:
>
> -------------------------------------
>
> cheux301:/home/govardhana# radeapclient -x localhost auth jrcsecret
> <access-request
>
> +++> About to send encoded packet:
>        User-Name = "jrc"
>        NAS-Identifier = "jrcnas"
>        NAS-Port-Type = Ethernet
>        CUI = "0"
>        Service-Type = Framed-User
>
>        Framed-MTU = 1400
>        Calling-Station-Id = "1:1:1:1:1:1"
>        EAP-Message = 0x01100008016a7263
>        Message-Authenticator = 0x00
> Sending Access-Request of id 179 to 127.0.0.1 port 1812
>        User-Name = "jrc"
>        NAS-Identifier = "jrcnas"
>        NAS-Port-Type = Ethernet
>        CUI = "0"
>        Service-Type = Framed-User
>        Framed-MTU = 1400
>
>        Calling-Station-Id = "1:1:1:1:1:1"
>        EAP-Message = 0x01100008016a7263
>        Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=179, length=20
> rlm_eap: EAP-Message not found
> <+++ EAP decoded packet:
>
>
>
>
> Thanks & Regards,
>
> Govardhana K N
>
>
>
>
>
>
>
> --
> With Regards,
> Govardhana K N
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> --
> With Regards,
> Govardhana K N


-- 
With Regards,
Govardhana K N
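
An added example, not part of the original thread and not FreeRADIUS code: it decodes the EAP-Message values from the debug logs above using the RFC 3748 header layout and checks each Access-Request for the EAP code Kedar asked about, a mismatched EAP id, and more than one State attribute (RFC 2865 permits at most one per packet). `review_request` and `parse_attrs` are hypothetical helper names; the sample attribute lines are copied from the logs in this thread.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

def decode_eap(hex_value):
    """Decode one EAP-Message value (RFC 3748 header) as printed in the debug log."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} but {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:            # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 1:                          # Identity: the rest is the name
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
        elif raw[4] == 4 and length > 5:         # MD5-Challenge: Value-Size, Value
            pkt["value"] = raw[6:6 + raw[5]].hex()
    return pkt

def parse_attrs(log_text):
    """Return (name, value) pairs from 'Name = value' lines of a logged packet."""
    return re.findall(r"^\s*([\w-]+) = (\S+)\s*$", log_text, re.M)

def review_request(log_text, challenge_eap=None):
    """Hypothetical helper: list what a server would object to in an Access-Request."""
    attrs = parse_attrs(log_text)
    eap = decode_eap("".join(v[2:] for n, v in attrs if n == "EAP-Message"))
    findings = []
    if eap["code"] != "Response":
        findings.append(f"EAP code is {eap['code']}, the NAS must forward a Response")
    if challenge_eap and eap["id"] != decode_eap(challenge_eap)["id"]:
        findings.append("EAP id does not match the outstanding Request")
    states = [v for n, v in attrs if n == "State"]
    if len(states) > 1:                          # RFC 2865 allows at most one State
        findings.append(f"{len(states)} State attributes in one packet")
    return findings

# Attribute lines copied from the debug logs in this thread.
FIRST_TRY = '  User-Name = "jrc"\n  EAP-Message = 0x01100008016a7263\n'
SECOND_REQ = ('  State = 0x6a72637374617465\n'
              '  State = 0x8343fbb52835fa0fb7fb84cab7f7a0db\n'
              '  EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db\n')
CHALLENGE = "0x01d300160410e0ccb378852f7a673815379d2f819db1"

if __name__ == "__main__":
    print(review_request(FIRST_TRY), review_request(SECOND_REQ, CHALLENGE))
```
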