Basic usage: What do I do next to get this to work?
Doc. Caliban
doc.caliban at gmail.com
Tue Oct 30 19:49:36 CET 2007
Hello,

I hate to ask this, but I'm running out of time on this project and I'm
completely new to RADIUS. I would be really happy if someone could just
point me to a detailed HOW TO for what I need.

I have FreeRADIUS set up with an external MySQL user database and it's
successfully authorizing requests from NTRadPing.

Now I need to actually try it out "in the field". I need people running
XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL
database that I have set up.

So far I'm not having any luck, and I don't mind saying that I'm a
little over my head at this point. Someone familiar with this will
probably see glaring problems.

I will provide all the details I can think of, but please let me know if
you need more.

Server:
  FreeRADIUS 1.1.7 with MySQL module.

Database:
  Remote MySQL

Access Point:
  D-Link DWL-7100AP (Ciscos coming in January)
  WPA-EAP
  TKIP

Client Laptop:
  WPA Enterprise
  TKIP
  PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
  MS-CHAP-V2 (Other options: GTC, TLS)

I set up an AP to use RADIUS, and the requests get through to the RADIUS
server, but they always fail. Posted below is the debug output from the
failed attempt.
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0,
> length=193
> Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
> Service-Type = Framed-User
> User-Name = "testuser"
> Framed-MTU = 1488
> Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
> Calling-Station-Id = "00-1B-77-28-B3-CF"
> NAS-Identifier = "D-Link Access Point"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11a"
> EAP-Message = 0x0200000b01746261727468
> NAS-IP-Address = 192.168.0.1
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> rad_lowerpair: User-Name now 'testuser'
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 11
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> radius_xlat: 'testuser'
> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
> FROM radcheck WHERE Username = 'testuser' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat: 'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
> FROM radreply WHERE Username = 'testuser' ORDER BY id'
> radius_xlat: 'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok for request 0
> rlm_pap: Found existing Auth-Type, not changing it.
> modcall[authorize]: module "pap" returns noop for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
> Framed-Protocol := PPP
> Service-Type := Framed-User
> Framed-MTU := 1500
> Framed-Compression := Van-Jacobson-TCP-IP
> EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
> length=206
> Message-Authenticator = 0xc9926863cf3df06ac150bbb6f77208eb
> Service-Type = Framed-User
> User-Name = "testuser"
> Framed-MTU = 1488
> State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
> Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
> Calling-Station-Id = "00-1B-77-28-B3-CF"
> NAS-Identifier = "D-Link Access Point"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11a"
> EAP-Message = 0x020100060319
> NAS-IP-Address = 192.168.0.1
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> rad_lowerpair: User-Name now 'testuser'
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 1
> rlm_eap: EAP packet type response id 1 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 1
> radius_xlat: 'testuser'
> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
> FROM radcheck WHERE Username = 'testuser' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 3
> radius_xlat: 'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
> FROM radreply WHERE Username = 'testuser' ORDER BY id'
> radius_xlat: 'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 3
> modcall[authorize]: module "sql" returns ok for request 1
> rlm_pap: Found existing Auth-Type, not changing it.
> modcall[authorize]: module "pap" returns noop for request 1
> modcall: leaving group authorize (returns updated) for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP NAK
> rlm_eap: EAP-NAK asked for EAP-Type/peap
> rlm_eap: No such EAP type peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 1
> modcall: leaving group authenticate (returns invalid) for request 1
> auth: Failed to validate the user.
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
> length=206
> Sending Access-Reject of id 1 to 192.168.0.1 port 1030
> EAP-Message = 0x04010004
> Message-Authenticator = 0x00000000000000000000000000000000
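
Added example, not part of the original post: a small decoder for the EAP-Message values in the debug output above, following the EAP header layout of RFC 3748 (code, identifier, length, type). Run on the last three EAP-Message lines of the log, it shows the server's MD5-Challenge, the client's Nak asking for type 25 (PEAP), and the final Failure. The function names and the LOG constant are this example's own, and it assumes each EAP packet fits in a single EAP-Message attribute.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
             25: "PEAP", 26: "MS-CHAP-V2", 43: "EAP-FAST"}

# Three EAP-Message lines copied from the debug output in the post.
LOG = """\
> EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
> EAP-Message = 0x020100060319
> EAP-Message = 0x04010004
"""


def decode_eap(hex_value):
    """Decode one EAP packet given as a hex string (no 0x prefix)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # Assumption: the packet was not split across several EAP-Message
    # attributes, so the header length must equal the attribute length.
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:       # only Request/Response carry a type
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, str(eap_type))
        if eap_type == 3:                    # Nak: list of types the peer wants
            pkt["wanted"] = [EAP_TYPES.get(t, str(t)) for t in raw[5:]]
        elif eap_type == 4 and len(raw) > 5:  # MD5-Challenge: value-size byte
            pkt["challenge_len"] = raw[5]
    return pkt


def decode_log(text):
    """Decode every EAP-Message value found in radiusd debug output."""
    return [decode_eap(h)
            for h in re.findall(r"EAP-Message = 0x([0-9a-fA-F]+)", text)]


if __name__ == "__main__":
    for packet in decode_log(LOG):
        print(packet)
```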