freeRADIUS and WPA-2 Enterprise

William E. Russell wrussell at incnetworks.com
Sat May 17 00:20:28 CEST 2008


All,

We are trying to set up WPA2 Enterprise authentication to work with the
FreeRadius server. We have configured EAP-PEAP authentication. We have
installed all the certificates and corrected the EAP.conf certificate paths.
We tried to connect from the supplicant from Windows XP. Windows asked for
the login/password and this is the output of the radiusd -X. The user is
configured in the users file. We couldn't see any error, however the
authentication didn't succeed.

Can anyone help?

----------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
        User-Name = "Sushil"
        NAS-IP-Address = 172.27.10.54
        Called-Station-Id = "001d7ef3e8d2"
        Calling-Station-Id = "0019d24ee9a8"
        NAS-Identifier = "001d7ef3e8d2"
        NAS-Port = 15
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0202000b0153757368696c
        Message-Authenticator = 0x8ee1244bc3cdc5889f20f495cfb28373
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "Sushil", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry Sushil at line 126
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe5e45815e5e741bebb28e527c6b37a8d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +35
Ready to process requests.
        User-Name = "Sushil"
        NAS-IP-Address = 172.27.10.54
        Called-Station-Id = "001d7ef3e8d2"
        Calling-Station-Id = "0019d24ee9a8"
        NAS-Identifier = "001d7ef3e8d2"
        NAS-Port = 15
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000b0153757368696c
        Message-Authenticator = 0xc7c1127b55267c9b175f4af387037759
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "Sushil", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry Sushil at line 126
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xabace459abadfd4a371c1e7c34cafda3
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 1 with timestamp +144
Ready to process requests.

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483

-----Original Message-----
From: freeradius-users-bounces+wrussell=incnetworks.com at lists.freeradius.org
[mailto:freeradius-users-bounces+wrussell=incnetworks.com at lists.freeradius.org]
On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Wednesday, May 14, 2008 2:11 PM
To: FreeRadius users mailing list
Subject: Re: freeRADIUS and WPA-2 Enterprise

Hi,
> All,
> 
> I have recently set up a freeRADIUS v2 server and would like some help
> configuring the server to use WPA-2 Enterprise. I was wondering if anyone
> had any tutorials, .conf files, etc. that would assist me in setting up my
> server with the correct configuration. I have noticed some help on the
> Internet, but most of the help is directed towards freeRADIUS v1, so I need
> v2-specific help. Thanks.

a lot of the things regarding authorization, authentication,
SQL and LDAP is true for v2 as it is for v1

when you say 'set up a freeradius v2 server' what have you done?
out of the box as a straight install, FR2 is ready to handle
WPA2-enterprise.  all you need to do is install your own certs,
or make the default ones longer lasting and suitable for you (by
editing the server.cnf and client.cnf stuff and rerunning the
bootstrap), then add NAS devices to clients.conf and ensure
that the authentication you want to use is configured correctly.

whatever you do, don't madly hack and edit down the default config files!

alan
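
Added example (not part of the original post, and not FreeRADIUS code): a decoder for the EAP-Message attributes in the radiusd -X output above. Run over the four values from the log, it shows that both server replies are PEAP Start requests (type 25, flags 0x20) and that the next packet in the log is a new Identity response rather than a PEAP response. It assumes each EAP-Message line holds one complete EAP packet; the function names are illustrative.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}  # methods whose first data byte is a flags field

# EAP-Message lines copied from the radiusd -X output in the post, in log order.
SAMPLE = """
        EAP-Message = 0x0202000b0153757368696c
        EAP-Message = 0x010300061920
        EAP-Message = 0x0200000b0153757368696c
        EAP-Message = 0x010100061920
"""

def decode_eap(hexstr):
    """Decode one EAP packet (RFC 3748 header: code, id, 16-bit length)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:        # only Request/Response carry a type
        etype, body = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            pkt["identity"] = body.decode("utf-8", "replace")
        elif etype in TLS_BASED and body:
            flags = body[0]
            pkt["start"] = bool(flags & 0x20)            # S bit
            pkt["more_fragments"] = bool(flags & 0x40)   # M bit
            pkt["length_included"] = bool(flags & 0x80)  # L bit
    return pkt

def decode_log(text):
    """Decode every EAP-Message attribute found in debug output, in order."""
    return [decode_eap(h) for h in re.findall(r"EAP-Message = 0x([0-9a-fA-F]+)", text)]

def restarts_after_start(packets):
    """Count Start requests answered by a new Identity response, not a method response."""
    return sum(1 for req, rsp in zip(packets, packets[1:])
               if req.get("start") and rsp["code"] == "Response"
               and rsp.get("type") == "Identity")

if __name__ == "__main__":
    for p in decode_log(SAMPLE):
        print(p)
    print("restarts after Start:", restarts_after_start(decode_log(SAMPLE)))
```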