unable to authenticate
David Trinh
dtrinh at omnexcontrols.com
Fri May 23 01:04:52 CEST 2008
I would like to test the security feature 802.1x EAP-TLS of our product.
I set up FreeRadius and used the demo certificates. However, the server
keeps rejecting access.
I noticed that the server complains about <no User Password attribute>,
but the wireless device (supplicant) does not have a place for me to
enter the password, only the login. So how do I configure FreeRadius to
ignore the password attribute? Please help.
I have included the debug log and the user.conf file.
Here is the log when run in debug mode:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.254.26:1026, id=4, length=208
Message-Authenticator = 0x9075ab275b5d9dca389e8646e992305e
Service-Type = Framed-User
User-Name = "FreeRADIUS.net-Client"
Framed-MTU = 1488
Called-Station-Id = "00-0B-6B-85-C3-68:radius"
Calling-Station-Id = "00-0B-6B-84-44-C7"
NAS-Identifier = "TEst"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0204001a01467265655241444955532e6e65742d436c69656e74
NAS-IP-Address = 192.168.254.26
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.log
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "FreeRADIUS.net-Client", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 4 length 26
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry FreeRADIUS.net-Client at line 95
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 4 to 192.168.254.26 port 1026
EAP-Message = 0x010500060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81d7452a456ad519df0020eba90a201b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.254.26:1026, id=5, length=206
Message-Authenticator = 0xb6900d65edf9c188d8eb45a273d4ceb0
Service-Type = Framed-User
User-Name = "FreeRADIUS.net-Client"
Framed-MTU = 1488
State = 0x81d7452a456ad519df0020eba90a201b
Called-Station-Id = "00-0B-6B-85-C3-68:radius"
Calling-Station-Id = "00-0B-6B-84-44-C7"
NAS-Identifier = "TEst"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500060300
NAS-IP-Address = 192.168.254.26
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.log
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "FreeRADIUS.net-Client", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry FreeRADIUS.net-Client at line 95
modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for bad type 0
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1
auth: Failed to validate the user.
Login incorrect: [FreeRADIUS.net-Client/<no User-Password attribute>] (from client radius port 1 cli 00-0B-6B-84-44-C7)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.254.26:1026, id=5, length=206
Sending Access-Reject of id 5 to 192.168.254.26 port 1026
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
##########This is the user.conf#################
....
############# RFC3580 ################
## Also the "eap.conf" MUST be modified to include the follow line:
## "use_tunneled_reply = yes"
## the default is "use_tunneled_reply = no"
## this allow the "Tunnel*" AV's to be passed outside the eap tunnel
## otherwise the switch will NOT see the VLAN to place the port into
#### Comments added by Jeff Reilly ####
testuser User-Password == "testpw"
#FreeRADIUS.net-Client User-Password == "demo"
rfc3580 User-Password == "demo"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = "1",
Reply-Message = "Hello, %u"
FreeRADIUS.net-Client Auth-Type := EAP
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Auth-Type := Local, User-Password == "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Auth-Type := Local, User-Password == "hello"
# Reply-Message = "Hello, %u"
#
# Dial user back and telnet to the default host for that port
#
#Deg Auth-Type := Local, User-Password == "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Auth-Type := Local, User-Password == "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# against the system database, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell", Auth-Type := System
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = System
Fall-Through = 1
#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.168.1.32+,
# Fall-Through = Yes
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
# Framed-IP-Address = 192.168.2.32+,
# Fall-Through = Yes
#
# Defaults for all framed connections.
#
DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = No
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Shell-User
# On no match, the user is denied access.
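Added here as an editor's example (not part of the original post or of FreeRADIUS): a small Python decoder for the EAP-Message hex values in the debug log above. Decoded, the exchange is an Identity response, the server's EAP-TLS Start (type 13, S flag set), and then a NAK (type 3) from the supplicant whose desired type is 0, which is what the log reports as "NAK asked for bad type 0" before the eap module returns invalid; the "<no User-Password attribute>" text is only how the reject line is printed when the request carries no password.

```python
"""Decode the EAP-Message hex values printed by radiusd -X (added example, not from the post)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(hex_str):
    """Parse one EAP packet from the '0x...' string in the debug output (RFC 3748 layout)."""
    data = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    code, ident, length = struct.unpack("!BBH", data[:4])   # Code, Identifier, Length
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                                       # Success/Failure carry no Type
        return pkt
    etype, payload = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                                           # Identity: the user name the NAS relayed
        pkt["identity"] = payload.decode("utf-8", "replace")
    elif etype == 3:                                         # NAK: types the peer would accept instead
        # Desired type 0 means "none of the offered methods are acceptable" (RFC 3748 5.3.1)
        pkt["desired_types"] = ["none acceptable" if t == 0 else EAP_TYPES.get(t, t)
                                for t in payload]
    elif etype == 13 and payload:                            # EAP-TLS: flags byte (RFC 5216)
        flags = payload[0]
        pkt["tls_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20)}
    return pkt


def diagnose(hex_messages):
    """Walk request/response pairs and report a supplicant that refuses the offered method."""
    pkts = [decode_eap(h) for h in hex_messages]
    for req, rsp in zip(pkts, pkts[1:]):
        if req["code"] == "Request" and rsp.get("type") == "NAK":
            return (f"supplicant refused {req['type']} (id {req['id']}); "
                    f"acceptable types: {rsp['desired_types']}")
    return "no NAK seen"


if __name__ == "__main__":
    # The four EAP-Message values from the debug log in the post above
    conversation = ["0x0204001a01467265655241444955532e6e65742d436c69656e74",
                    "0x010500060d20", "0x020500060300", "0x04050004"]
    for p in conversation:
        print(decode_eap(p))
    print(diagnose(conversation))
```

With that reading, the thing to check is the supplicant's configured EAP method rather than the server's password handling: a client that answers an EAP-TLS Start with a NAK for type 0 is not offering EAP-TLS at all.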