Basic usage: What do I do next to get this to work?
tnt at kalik.co.yu
tnt at kalik.co.yu
Tue Oct 30 20:10:15 CET 2007
You haven't configured PEAP in eap.conf. You need to configure tls and
peap sections. You will also need a server certificate and to export
root certificate to XP clients (if you are signing them yourself). Read
instructions in eap.conf, /scripts, wiki (about EAP) and howto for AD
integration before doing anything.
Ivan Kalik
Kalik Informatika ISP
Dana 30/10/2007, "Doc. Caliban" <doc.caliban at gmail.com> piše:
>Hello,
>
>I hate to ask this, but I'm running out of time on this project and I'm
>completely new to RADIUS. I would be really happy if someone could just
>point me to a detailed HOW TO for what I need.
>
>I have freeRADIUS set up with an external MySQL user database and it's
>successfully authorizing requests from NTRadPing.
>
>Now I need to actually try it out "In the field". I need people running
>XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL
>database that I have set up.
>
>So far I'm not having any luck, and I don't mind saying that I'm a
>little over my head at this point. Someone familiar with this will
>probably see glaring problems.
>
>I will provide all the details I can think of, but please let me know if
>you need more.
>
>Server:
>FreeRADIUS 1.1.7 with MySQL module.
>
>Database:
>Remote MySQL
>
>Access Point:
>D-Link DWL-7100AP (Ciscos coming in January)
>WPA-EAP
>TKIP
>
>Client Laptop:
>WPA Enterprise
>TKIP
>PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
>MS-CHAP-V2 (Other options: GTC, TLS)
>
>
>
>
>
>
>I set up an AP to use RADIUS, and the requests get through to the RADIUS
>server, but they always fail. Posted below is the debug output from the
>failed attempt.
>
>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0,
>> length=193
>> Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
>> Service-Type = Framed-User
>> User-Name = "testuser"
>> Framed-MTU = 1488
>> Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>> Calling-Station-Id = "00-1B-77-28-B3-CF"
>> NAS-Identifier = "D-Link Access Point"
>> NAS-Port-Type = Wireless-802.11
>> Connect-Info = "CONNECT 54Mbps 802.11a"
>> EAP-Message = 0x0200000b01746261727468
>> NAS-IP-Address = 192.168.0.1
>> NAS-Port = 1
>> NAS-Port-Id = "STA port # 1"
>> rad_lowerpair: User-Name now 'testuser'
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>> modcall[authorize]: module "preprocess" returns ok for request 0
>> modcall[authorize]: module "chap" returns noop for request 0
>> modcall[authorize]: module "mschap" returns noop for request 0
>> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> modcall[authorize]: module "suffix" returns noop for request 0
>> rlm_eap: EAP packet type response id 0 length 11
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> modcall[authorize]: module "eap" returns updated for request 0
>> radius_xlat: 'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radcheck WHERE Username = 'testuser' ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 4
>> radius_xlat: 'SELECT
>> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radreply WHERE Username = 'testuser' ORDER BY id'
>> radius_xlat: 'SELECT
>> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 4
>> modcall[authorize]: module "sql" returns ok for request 0
>> rlm_pap: Found existing Auth-Type, not changing it.
>> modcall[authorize]: module "pap" returns noop for request 0
>> modcall: leaving group authorize (returns updated) for request 0
>> rad_check_password: Found Auth-Type EAP
>> auth: type "EAP"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>> rlm_eap: EAP Identity
>> rlm_eap: processing type md5
>> rlm_eap_md5: Issuing Challenge
>> modcall[authenticate]: module "eap" returns handled for request 0
>> modcall: leaving group authenticate (returns handled) for request 0
>> Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
>> Framed-Protocol := PPP
>> Service-Type := Framed-User
>> Framed-MTU := 1500
>> Framed-Compression := Van-Jacobson-TCP-IP
>> EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
>> Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
>> Finished request 0
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
>> length=206
>> Message-Authenticator = 0xc9926863cf3df06ac150bbb6f77208eb
>> Service-Type = Framed-User
>> User-Name = "testuser"
>> Framed-MTU = 1488
>> State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
>> Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>> Calling-Station-Id = "00-1B-77-28-B3-CF"
>> NAS-Identifier = "D-Link Access Point"
>> NAS-Port-Type = Wireless-802.11
>> Connect-Info = "CONNECT 54Mbps 802.11a"
>> EAP-Message = 0x020100060319
>> NAS-IP-Address = 192.168.0.1
>> NAS-Port = 1
>> NAS-Port-Id = "STA port # 1"
>> rad_lowerpair: User-Name now 'testuser'
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 1
>> modcall[authorize]: module "preprocess" returns ok for request 1
>> modcall[authorize]: module "chap" returns noop for request 1
>> modcall[authorize]: module "mschap" returns noop for request 1
>> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> modcall[authorize]: module "suffix" returns noop for request 1
>> rlm_eap: EAP packet type response id 1 length 6
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> modcall[authorize]: module "eap" returns updated for request 1
>> radius_xlat: 'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radcheck WHERE Username = 'testuser' ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 3
>> radius_xlat: 'SELECT
>> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op
>> FROM radreply WHERE Username = 'testuser' ORDER BY id'
>> radius_xlat: 'SELECT
>> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>> FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
>> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 3
>> modcall[authorize]: module "sql" returns ok for request 1
>> rlm_pap: Found existing Auth-Type, not changing it.
>> modcall[authorize]: module "pap" returns noop for request 1
>> modcall: leaving group authorize (returns updated) for request 1
>> rad_check_password: Found Auth-Type EAP
>> auth: type "EAP"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 1
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP NAK
>> rlm_eap: EAP-NAK asked for EAP-Type/peap
>> rlm_eap: No such EAP type peap
>> rlm_eap: Failed in EAP select
>> modcall[authenticate]: module "eap" returns invalid for request 1
>> modcall: leaving group authenticate (returns invalid) for request 1
>> auth: Failed to validate the user.
>> Delaying request 1 for 1 seconds
>> Finished request 1
>> Going to the next request
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1,
>> length=206
>> Sending Access-Reject of id 1 to 192.168.0.1 port 1030
>> EAP-Message = 0x04010004
>> Message-Authenticator = 0x00000000000000000000000000000000
>
>
>
More information about the Freeradius-Users
mailing list