thx 4 openSSL & one more question

ds14.kornel ds14.kornel at gmail.com
Wed May 5 16:15:00 CEST 2010


Hi
Thanks for the last advice on the freeradius installation + peap on debian lenny.
Now I have no problem with enabling peap :)

This time I'm asking for help with another problem:
I'm trying to enable WPA2 enterprise authentication on my access points.
When trying to auth my wireless client I'm getting sth like this in the log:

Wed May  5 15:09:25 2010 : Auth: Login incorrect: [karol/<no User-Password attribute>] (from client AP1 port 0 cli 0022431380c4)
where :
0022431380c4 is my wireless mac address (laptop)
client AP1 is my Access Point client from clients.conf
karol - is my user from users.conf

It looks like freeradius doesn't want to look inside the password field
and can't recognize the laptop ip (getting mac).

Please give me some advice - what's next?

Here is my debug.


Kill-9:/home/kornel# freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  3 2010 at 15:51:52
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
main {
     user = "freerad"
     group = "freerad"
     allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
     prefix = "/usr"
     localstatedir = "/var"
     logdir = "/var/log/freeradius"
     libdir = "/usr/lib/freeradius"
     radacctdir = "/var/log/freeradius/radacct"
     hostname_lookups = no
     max_request_time = 30
     cleanup_delay = 5
     max_requests = 1024
     pidfile = "/var/run/freeradius/freeradius.pid"
     checkrad = "/usr/sbin/checkrad"
     debug_level = 0
     proxy_requests = yes
  log {
     stripped_names = yes
     auth = yes
     auth_badpass = yes
     auth_goodpass = yes
  }
  security {
     max_attributes = 200
     reject_delay = 1
     status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
     retry_delay = 5
     retry_count = 3
     default_fallback = yes
     dead_time = 120
     wake_all_if_all_dead = no
  }
radiusd: #### Loading Clients ####
  client localhost {
     ipaddr = 127.0.0.1
     require_message_authenticator = no
     secret = "testing123"
     nastype = "other"
  }
  client 172.16.0.16 {                ---------------------- Client ip address
     require_message_authenticator = no
     secret = "tajne1234"
     shortname = "eee"
  }
  client 192.168.10.50 {            ---------------------- AP ip address
     require_message_authenticator = no
     secret = "tajne1234"
     shortname = "AP1"
  }
radiusd: #### Instantiating modules ####
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
   exec {
     wait = yes
     input_pairs = "request"
     shell_escape = yes
   }
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
   expiration {
     reply-message = "Password Has Expired  "
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
   logintime {
     reply-message = "You are calling outside your allowed timespan  "
     minimum-timeout = 60
   }
  }
radiusd: #### Loading Virtual Servers ####
server {
  modules {
  } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
     type = "auth"
     ipaddr = *
     port = 1812
}
listen {
     type = "acct"
     ipaddr = *
     port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

*AND here is an authenticate attempt debug*

rad_recv: Access-Request packet from host 192.168.10.50 port 2054, id=148, length=169
     User-Name = "karol"
     NAS-IP-Address = 192.168.10.50             ---------------------- AP ip address
     NAS-Port = 0
     Called-Station-Id = "00265abab28d"        ---------------------- AP mac address
     Calling-Station-Id = "0022431380c4"       ---------------------- Client mac address
     NAS-Identifier = "Realtek Access Point. 8186"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Service-Type = Framed-User
     Connect-Info = "CONNECT 11Mbps 802.11b"
     EAP-Message = 0x0200000b016d617263696e
     Message-Authenticator = 0x2ea50a302a451ed3b32b748a23fe00e3
   WARNING: Empty section.  Using default return values.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [karol/<no User-Password attribute>] (from client AP1 port 0 cli 0022431380c4)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 148 to 192.168.10.50 port 2054
Waking up in 4.9 seconds.


The client's system is eeebuntu and I'm sure that on the client and on the AP
everything is ok, because when I'm connecting to another freeradius
server - it's working fine (unfortunately I don't have access to
those confs). In addition - temporarily I accepted all connections from
those two IPs on my firewall to be 100% sure that it's not a connection
issue.

Thank you for your time and knowledge share.

-- 
LAN Administrator of DS14
Kornel Kornatka
room 529
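
Added example, not part of the original post: a short Python decoder for the EAP-Message attribute in the Access-Request above. It shows that the request carries an EAP Response/Identity and no User-Password attribute, which is the situation the "<no User-Password attribute>" log text reports. The names parse_eap, summarize and REQUEST are made up for this illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}


def parse_eap(fragments):
    """Decode one EAP packet (RFC 3748) from RADIUS EAP-Message hex values.

    A RADIUS attribute holds at most 253 bytes of value, so a long EAP packet
    arrives as several EAP-Message attributes that are concatenated in order.
    """
    raw = b"".join(bytes.fromhex(f[2:] if f[:2].lower() == "0x" else f)
                   for f in fragments)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length, "type": None, "identity": None}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:  # Identity: the rest of the packet is the name
            pkt["identity"] = raw[5:length].decode("utf-8", "replace")
    return pkt


def summarize(attrs):
    """attrs: (name, value) pairs as printed in the debug output."""
    names = dict(attrs)
    frags = [v for n, v in attrs if n == "EAP-Message"]
    eap = parse_eap(frags) if frags else None
    return {
        "has_user_password": "User-Password" in names,
        "eap": eap,
        "identity_matches_user_name":
            eap is not None and eap["identity"] == names.get("User-Name"),
    }


# Attributes copied from the Access-Request in the debug output of this post.
REQUEST = [("User-Name", "karol"),
           ("EAP-Message", "0x0200000b016d617263696e"),
           ("Message-Authenticator", "0x2ea50a302a451ed3b32b748a23fe00e3")]

if __name__ == "__main__":
    print(summarize(REQUEST))
```

For the request in this post it returns code Response, type Identity, identity "marcin" (User-Name is "karol") and has_user_password False.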

