What does a good example look like

John Dennis jdennis at redhat.com
Fri May 7 01:13:10 CEST 2010


On 05/06/2010 06:29 PM, Huckle Berry wrote:
> Hello again,
> I have a few questions that may or may not be related to each other.
> First, I know radtest works fine for testing the basic functions of
> freeradius (i.e. it will authenticate with no encryption) but I would
> like to know if radtest can be used to test authentication using one of
> the various types of encryptions and protocols.

No. You'll probably also need eapol_test 
(http://deployingradius.com/scripts/eapol_test). I'm not sure how much 
coverage eapol_test gives or if there are better test clients, Alan might 
know.

> Question two has to do with said protocols. Is there a clear and concise
> page that will define all of the protocols (PEAP, EAP, TLS, TTLS,
> MSCHAP, MSCHAPv2, LEAP, WPA(1/2)-PSK, etc) how they differ from each
> other and what exactly happens during the authentication process.
> Illustrations would be nice.

Not that I'm aware of. I've often thought it would be a nice thing to 
do. If I ever have free time I might, but considering I never have free 
time, oh well ...

You might want to consult:

http://deployingradius.com/documents/protocols/compatibility.html
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

for starters

> Question three: I have come to conclude that some protocols are the same
> thing with different names, can anyone clarify which protocols are the
> same or are at least compatible, and which are different?

There are no redundant overlaps that I'm aware of. It would be kind of 
pointless. What is true is some protocols encapsulate others, e.g. they 
"wrap" them, although after unwrapping the mechanism is the same, at the 
top level the protocol is different.

> Lastly, what does a successful authentication look like for each type of
> protocol. What should I be looking for in my freeradius output, and what
> can I compare it to. Possibly if I saw where stuff was going haywire I
> could determine for myself what the issue is.

Seeing Access-Accept sent from the server in the debug output.

While debugging you might want to try Alan's most excellent public 
debugging tool for radius debug output whose link I'm sorry to say I've 
misplaced :-(



-- 
John Dennis <jdennis at redhat.com>




More information about the Freeradius-Users mailing list
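
The reply's point that some protocols wrap others while differing at the top level can be seen in the outer EAP header. The Python sketch below is an added example, not part of the original message or of FreeRADIUS; it reads the EAP Code and Type fields (numbers per RFC 3748 and the IANA EAP registry) from constructed sample packets and marks the methods that carry an inner method inside a TLS tunnel.

```python
import struct

# Codes and method type numbers from RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}   # first data byte is a flags field (L, M, S bits)
WRAPPERS = {21, 25}        # TTLS and PEAP carry an inner method in the tunnel


def parse_eap(packet: bytes) -> dict:
    """Parse the outer header of one EAP packet (RFC 3748, section 4)."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("length field does not match the data")
    info = {"code": EAP_CODES[code], "id": ident, "method": None,
            "wraps_inner_method": False, "tls_start": False}
    if code in (3, 4):                 # Success/Failure have no Type field
        return info
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type = packet[4]
    info["method"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
    info["wraps_inner_method"] = eap_type in WRAPPERS
    if eap_type in TLS_BASED and length >= 6:
        info["tls_start"] = bool(packet[5] & 0x20)   # S (start) flag
    return info


# Constructed sample packets (not captured from a real server).
IDENTITY_RESPONSE = bytes.fromhex("0201000a01") + b"alice"
PEAP_START = bytes.fromhex("010200061920")
TTLS_START = bytes.fromhex("010200061520")
SUCCESS = bytes.fromhex("03050004")

if __name__ == "__main__":
    for name, pkt in [("identity", IDENTITY_RESPONSE), ("peap", PEAP_START),
                      ("ttls", TTLS_START), ("success", SUCCESS)]:
        print(name, parse_eap(pkt))
```

The inner method (for example EAP-MSCHAPv2 inside PEAP) is encrypted in the tunnel and is not visible at this layer, which is why only the outer type is reported.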