I managed to get it working. The machine here running freeradius has 2 IP addresses; I had noticed in another message on the list that that can be problematic. I set freeradius to bind to a specific IP and it lit right up, go figure heh. I do appreciate the response though. I spent a good 5 1/2 hours before posting to this list; I am kind of embarrassed to find out it was a simple IP address problem, sorry for the bogus posting.
<br><br>
<div><span class="gmail_quote">On 8/31/05, <b class="gmail_sendername">Artur Hecker</b> <<a href="mailto:hecker@enst.fr">hecker@enst.fr</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">hi<br><br><br>J Zakhar wrote:<br>> Having some trouble setting up PEAP with a windows XP workstation, a
<br>> Cisco 350 AP (upgraded to IOS version 12.2), I am using the default XP<br>> Client to set things up. Many moons ago I had LEAP working great, the<br>> hard drive on this linux machine failed and it was time to reinstall.
<br>> Not sure why i'm having such trouble with this.<br>><br>> Mousing over the icon in my task bar Status: Validating Identity is all<br>> it ever says while trying to associate. I do however get prompted for my
<br>> user name and password. Any advice/help would be much appreciated.<br><br>unfortunately, imho Windows XP prompts for those before it starts the<br>exchanges.<br><br>from your log it seems that there is no error on the Freeradius side. FR
<br>sends out the Challenge, but the second message from the client (id =<br>36) looks to me like a repeat of the original Request (id 35). the<br>contents of the EAP-Message are the same.<br><br>thus it seems that your Windows client is not answering the challenge.
<br>Or the access point does not relay the challenge to the Windows client.<br><br>difficult to say more from what you've given so far. you could try the<br>following:<br><br>- are you sure that you posted the complete log?
<br><br>- if yes, deactivate Server Validation in the Windows XP PEAP client<br>(only for testing, activate it later) and re-start. see if the<br>authentication gets to a further point.<br><br>- if that does not change anything, take a look at Ken Rosner's TLS
<br>FAQ (see <a href="http://www.freeradius.org">www.freeradius.org</a>). he describes how you activate EAP debug on<br>Cisco 350 APs. log in to your Cisco, activate the EAP Debug level 2<br>and see what happens - if it relays messages to the user machine.
<br><br><br><br>ciao<br>artur<br><br><br>><br>> ./radiusd -A -X<br>> Starting - reading configuration files ...<br>> reread_config: reading radiusd.conf<br>> Config: including file: /usr/local/freeradius/etc/raddb/proxy.conf
<br>> Config: including file: /usr/local/freeradius/etc/raddb/clients.conf<br>> Config: including file: /usr/local/freeradius/etc/raddb/snmp.conf<br>> Config: including file: /usr/local/freeradius/etc/raddb/eap.conf
<br>> Config: including file: /usr/local/freeradius/etc/raddb/sql.conf<br>> main: prefix = "/usr/local/freeradius"<br>> main: localstatedir = "/usr/local/freeradius/var"<br>> main: logdir = "/usr/local/freeradius/var/log/radius"
<br>> main: libdir = "/usr/local/freeradius/lib"<br>> main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"<br>> main: hostname_lookups = no<br>> main: max_request_time = 30
<br>> main: cleanup_delay = 5<br>> main: max_requests = 1024<br>> main: delete_blocked_requests = 0<br>> main: port = 0<br>> main: allow_core_dumps = no<br>> main: log_stripped_names = no<br>> main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
<br>> main: log_auth = no<br>> main: log_auth_badpass = no<br>> main: log_auth_goodpass = no<br>> main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"<br>> main: user = "(null)"
<br>> main: group = "(null)"<br>> main: usercollide = no<br>> main: lower_user = "no"<br>> main: lower_pass = "no"<br>> main: nospace_user = "no"<br>> main: nospace_pass = "no"
<br>> main: checkrad = "/usr/local/freeradius/sbin/checkrad"<br>> main: proxy_requests = yes<br>> proxy: retry_delay = 5<br>> proxy: retry_count = 3<br>> proxy: synchronous = no<br>> proxy: default_fallback = yes
<br>> proxy: dead_time = 120<br>> proxy: post_proxy_authorize = yes<br>> proxy: wake_all_if_all_dead = no<br>> security: max_attributes = 200<br>> security: reject_delay = 1<br>> security: status_server = no
<br>> main: debug_level = 0<br>> read_config_files: reading dictionary<br>> read_config_files: reading naslist<br>> Using deprecated naslist file. Support for this will go away soon.<br>> read_config_files: reading clients
<br>> read_config_files: reading realms<br>> radiusd: entering modules setup<br>> Module: Library search path is /usr/local/freeradius/lib<br>> Module: Loaded exec<br>> exec: wait = yes<br>> exec: program = "(null)"
<br>> exec: input_pairs = "request"<br>> exec: output_pairs = "(null)"<br>> exec: packet_type = "(null)"<br>> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
<br>> Module: Instantiated exec (exec)<br>> Module: Loaded expr<br>> Module: Instantiated expr (expr)<br>> Module: Loaded PAP<br>> pap: encryption_scheme = "crypt"<br>> Module: Instantiated pap (pap)
<br>> Module: Loaded CHAP<br>> Module: Instantiated chap (chap)<br>> Module: Loaded MS-CHAP<br>> mschap: use_mppe = yes<br>> mschap: require_encryption = yes<br>> mschap: require_strong = yes<br>> mschap: with_ntdomain_hack = no
<br>> mschap: passwd = "(null)"<br>> mschap: authtype = "MS-CHAP"<br>> mschap: ntlm_auth = "(null)"<br>> Module: Instantiated mschap (mschap)<br>> Module: Loaded System<br>> unix: cache = no
<br>> unix: passwd = "(null)"<br>> unix: shadow = "(null)"<br>> unix: group = "(null)"<br>> unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"<br>> unix: usegroup = no
<br>> unix: cache_reload = 600<br>> Module: Instantiated unix (unix)<br>> Module: Loaded eap<br>> eap: default_eap_type = "peap"<br>> eap: timer_expire = 60<br>> eap: ignore_unknown_eap_types = no
<br>> eap: cisco_accounting_username_bug = yes<br>> rlm_eap: Loaded and initialized type md5<br>> rlm_eap: Loaded and initialized type leap<br>> gtc: challenge = "Password: "<br>> gtc: auth_type = "PAP"
<br>> rlm_eap: Loaded and initialized type gtc<br>> tls: rsa_key_exchange = no<br>> tls: dh_key_exchange = yes<br>> tls: rsa_key_length = 512<br>> tls: dh_key_length = 512<br>> tls: verify_depth = 0
<br>> tls: CA_path = "(null)"<br>> tls: pem_file_type = yes<br>> tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem"<br>> tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem"<br>> tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/demoCA/cacert.pem"<br>> tls: private_key_password = "whatever"<br>> tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh"
<br>> tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random"<br>> tls: fragment_size = 1024<br>> tls: include_length = yes<br>> tls: check_crl = no<br>> tls: check_cert_cn = "(null)"
<br>> rlm_eap: Loaded and initialized type tls<br>> peap: default_eap_type = "mschapv2"<br>> peap: copy_request_to_tunnel = no<br>> peap: use_tunneled_reply = no<br>> peap: proxy_tunneled_request_as_eap = yes
<br>> rlm_eap: Loaded and initialized type peap<br>> mschapv2: with_ntdomain_hack = no<br>> rlm_eap: Loaded and initialized type mschapv2<br>> Module: Instantiated eap (eap)<br>> Module: Loaded preprocess<br>
> preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"<br>> preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"<br>> preprocess: with_ascend_hack = no<br>> preprocess: ascend_channels_per_line = 23
<br>> preprocess: with_ntdomain_hack = no<br>> preprocess: with_specialix_jetstream_hack = no<br>> preprocess: with_cisco_vsa_hack = no<br>> Module: Instantiated preprocess (preprocess)<br>> Module: Loaded realm
<br>> realm: format = "suffix"<br>> realm: delimiter = "@"<br>> realm: ignore_default = no<br>> realm: ignore_null = no<br>> Module: Instantiated realm (suffix)<br>> Module: Loaded files
<br>> files: usersfile = "/usr/local/freeradius/etc/raddb/users"<br>> files: acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users"<br>> files: preproxy_usersfile =<br>> "/usr/local/freeradius/etc/raddb/preproxy_users"
<br>> files: compat = "no"<br>> Module: Instantiated files (files)<br>> Module: Loaded Acct-Unique-Session-Id<br>> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,<br>> Client-IP-Address, NAS-Port"
<br>> Module: Instantiated acct_unique (acct_unique)<br>> Module: Loaded detail<br>> detail: detailfile =<br>> "/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>> detail: detailperm = 384
<br>> detail: dirperm = 493<br>> detail: locking = no<br>> Module: Instantiated detail (detail)<br>> Module: Loaded radutmp<br>> radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp"
<br>> radutmp: username = "%{User-Name}"<br>> radutmp: case_sensitive = yes<br>> radutmp: check_with_nas = yes<br>> radutmp: perm = 384<br>> radutmp: callerid = yes<br>> Module: Instantiated radutmp (radutmp)
<br>> Listening on authentication *:1812<br>> Listening on accounting *:1813<br>> Listening on proxy *:1814<br>> Ready to process requests.<br>> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132<br>> User-Name = "jzakhar"<br>> Framed-MTU = 1400<br>> Called-Station-Id = "0040.9647.f2d6"<br>> Calling-Station-Id = "000e.9b2e.179a"<br>> Message-Authenticator = 0x657f7e3dee2731c4e91f25c395ef47d7<br>> EAP-Message = 0x0202000c016a7a616b686172<br>> NAS-Port-Type = Wireless-802.11<br>> NAS-Port = 312<br>> Service-Type = Framed-User<br>> NAS-IP-Address = 172.28.42.253<br>> NAS-Identifier = "apcisco"<br>> Processing the authorize section of radiusd.conf<br>> modcall: entering group authorize for request 0<br>> modcall[authorize]: module "preprocess" returns ok for request 0
<br>> modcall[authorize]: module "chap" returns noop for request 0<br>> modcall[authorize]: module "mschap" returns noop for request 0<br>> rlm_realm: No '@' in User-Name = "jzakhar", looking up
<br>> realm NULL<br>> rlm_realm: No such realm "NULL"<br>> modcall[authorize]: module "suffix" returns noop for request 0<br>> rlm_eap: EAP packet type response id 2 length 12<br>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
<br>> modcall[authorize]: module "eap" returns updated for request 0<br>> users: Matched jzakhar at 53<br>> modcall[authorize]: module "files" returns ok for request 0<br>> modcall: group authorize returns updated for request 0
<br>> rad_check_password: Found Auth-Type EAP<br>> auth: type "EAP"<br>> Processing the authenticate section of radiusd.conf<br>> modcall: entering group authenticate for request 0<br>> rlm_eap: EAP Identity
<br>> rlm_eap: processing type tls<br>> rlm_eap_tls: Initiate<br>> rlm_eap_tls: Start returned 1<br>> modcall[authenticate]: module "eap" returns handled for request 0<br>> modcall: group authenticate returns handled for request 0
<br>> Sending Access-Challenge of id 35 to 172.28.42.253:21646<br>> EAP-Message = 0x010300061920
<br>> Message-Authenticator = 0x00000000000000000000000000000000<br>> State = 0xf730c83b331f347cf002f96adbba538e<br>> Finished request 0<br>> Going to the next request<br>> --- Walking the entire request list ---
<br>> Waking up in 6 seconds...<br>> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132<br>> Sending duplicate reply to client EAP:21646 - ID: 35<br>> Re-sending Access-Challenge of id 35 to 172.28.42.253:21646<br>> --- Walking the entire request list ---<br>> Waking up in 1 seconds...<br>> --- Walking the entire request list ---<br>> Cleaning up request 0 ID 35 with timestamp 4315dbd4
<br>> Nothing to do. Sleeping until we see a request.<br>> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=36, length=132<br>> User-Name = "jzakhar"<br>> Framed-MTU = 1400<br>> Called-Station-Id = "0040.9647.f2d6"<br>> Calling-Station-Id = "000e.9b2e.179a"<br>> Message-Authenticator = 0x843b8ca357e3281d250307dff3caa9e6<br>> EAP-Message = 0x0202000c016a7a616b686172<br>> NAS-Port-Type = Wireless-802.11<br>> NAS-Port = 313<br>
> Service-Type = Framed-User<br>> NAS-IP-Address = 172.28.42.253<br>> NAS-Identifier = "apcisco"
<br>> Processing the authorize section of radiusd.conf<br>> modcall: entering group authorize for request 1<br>> modcall[authorize]: module "preprocess" returns ok for request 1<br>> modcall[authorize]: module "chap" returns noop for request 1
<br>> modcall[authorize]: module "mschap" returns noop for request 1<br>> rlm_realm: No '@' in User-Name = "jzakhar", looking up<br>> realm NULL<br>> rlm_realm: No such realm "NULL"
<br>> modcall[authorize]: module "suffix" returns noop for request 1<br>> rlm_eap: EAP packet type response id 2 length 12<br>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>
> modcall[authorize]: module "eap" returns updated for request 1<br>> users: Matched jzakhar at 53<br>> modcall[authorize]: module "files" returns ok for request 1<br>> modcall: group authorize returns updated for request 1
<br>> rad_check_password: Found Auth-Type EAP<br>> auth: type "EAP"<br>> Processing the authenticate section of radiusd.conf<br>> modcall: entering group authenticate for request 1<br>> rlm_eap: EAP Identity
<br>> rlm_eap: processing type tls<br>> rlm_eap_tls: Initiate<br>> rlm_eap_tls: Start returned 1<br>> modcall[authenticate]: module "eap" returns handled for request 1<br>> modcall: group authenticate returns handled for request 1
<br>> Sending Access-Challenge of id 36 to 172.28.42.253:21646<br>> EAP-Message = 0x010300061920
<br>> Message-Authenticator = 0x00000000000000000000000000000000<br>> State = 0x479ac19253ee20dc4d21810846227fc5<br>> Finished request 1<br>> Going to the next request<br>> --- Walking the entire request list ---
<br>> Waking up in 6 seconds...<br>><br>><br>><br>> ------------------------------------------------------------------------<br>><br>> -<br>> List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">
http://www.freeradius.org/list/users.html</a><br></blockquote></div><br>
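Artur's diagnosis in the quoted reply rests on reading the three EAP-Message values in the radiusd -X output. The following is an added example, not code from the original post and not part of FreeRADIUS, that decodes those values (RFC 3748 EAP header plus the PEAP flags byte) and automates the check he did by eye: every inbound EAP Response should carry the id of the last Request the server sent. The LOG string is an excerpt copied from the quoted log above, with the same RADIUS ids and hex values; the function names and the "in"/"out" labels are this example's own.

```python
"""Decode the EAP-Message values from the quoted radiusd -X log and flag a
client that re-sends an old Response instead of answering the last Request.

Added example; not from the original post or from FreeRADIUS.  LOG is an
excerpt copied from the quoted log (order preserved), not a new capture.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP"}   # only the types this log contains

LOG = """\
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
EAP-Message = 0x0202000c016a7a616b686172
Sending Access-Challenge of id 35 to 172.28.42.253:21646
EAP-Message = 0x010300061920
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=36, length=132
EAP-Message = 0x0202000c016a7a616b686172
Sending Access-Challenge of id 36 to 172.28.42.253:21646
EAP-Message = 0x010300061920
"""


def decode_eap(raw: bytes) -> dict:
    """Parse one EAP packet: code, id, length, then type and type data."""
    code, eap_id, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": eap_id, "length": length}
    if code in (1, 2) and length > 4:
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                     # Identity: type data is the NAI
            info["identity"] = raw[5:].decode("ascii", "replace")
        elif eap_type == 25:                  # PEAP: flags byte L M S R R V V V
            flags = raw[5]
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                             "S": bool(flags & 0x20), "version": flags & 0x07}
    return info


def parse_radius_log(text: str) -> list:
    """Pair every rad_recv / Sending line with the EAP-Message that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = re.match(r"(rad_recv|Sending|Re-sending).*?\bid[= ](\d+)", line)
        if m:
            pending = {"dir": "in" if m.group(1) == "rad_recv" else "out",
                       "radius_id": int(m.group(2))}
            continue
        m = re.search(r"EAP-Message = 0x([0-9a-fA-F]+)", line)
        if m and pending is not None:
            pending["eap"] = decode_eap(bytes.fromhex(m.group(1)))
            events.append(pending)
            pending = None
    return events


def diagnose(events: list) -> list:
    """Report inbound Responses whose EAP id is not the id of the last Request
    the server sent (RFC 3748 section 4.1): the client is repeating, not answering."""
    findings, last_request = [], None
    for ev in events:
        eap = ev["eap"]
        if ev["dir"] == "out" and eap["code"] == "Request":
            last_request = eap
        elif (ev["dir"] == "in" and last_request is not None
              and eap["id"] != last_request["id"]):
            findings.append(
                f"RADIUS id {ev['radius_id']}: got EAP Response id {eap['id']} "
                f"({eap.get('type')}) but the server is waiting for id "
                f"{last_request['id']} ({last_request.get('type')}); the client "
                f"did not answer that request")
    return findings


if __name__ == "__main__":
    events = parse_radius_log(LOG)
    for ev in events:
        print(ev)
    for finding in diagnose(events):
        print(finding)
```

Running it shows the server's reply to be a PEAP Request with EAP id 3 and the Start flag set, while the Access-Request with RADIUS id 36 still carries the Identity Response with EAP id 2 for "jzakhar": exactly the "repeat of the original request" Artur describes, which points at the supplicant or the AP rather than at the server.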
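The fix reported at the top of the thread (binding freeradius to one IP on a machine with two) has a concrete mechanism worth seeing: a NAS such as the Cisco AP only accepts a RADIUS reply that arrives from the address it sent the request to, and a server socket bound to the wildcard address lets the kernel pick the reply's source address from the routing table, which on a multi-homed host can be the other address. The NAS then drops the reply, and the debug log looks clean on the server side. The following is an added example, not code from the original post or from FreeRADIUS, that reproduces the effect with two loopback addresses: 127.0.0.1 plays the AP and 127.0.0.2 stands in for the server address the AP is configured with (both an assumption about the host; all of 127.0.0.0/8 is local on Linux). The RADIUS packets are a constructed 20-byte header with no attributes and no real response authenticator.

```python
"""Reply source address on a multi-homed RADIUS server.

Added example; not from the original post or from FreeRADIUS.  Assumes
127.0.0.1 (the "NAS") and 127.0.0.2 (the address the NAS is configured to
talk to) are both usable local addresses, as on Linux.
"""
import os
import socket
import struct

ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11


def radius_header(code: int, ident: int, authenticator: bytes = b"") -> bytes:
    """Constructed RFC 2865 header: code, id, length 20, 16-byte authenticator.
    The request authenticator is simply echoed into the reply here; a real
    server computes an MD5 over the reply and the shared secret."""
    auth = authenticator or os.urandom(16)
    return struct.pack("!BBH16s", code, ident, 20, auth)


def radius_roundtrip(server_bind_ip: str, nas_server_ip: str,
                     nas_ip: str = "127.0.0.1", ident: int = 35) -> dict:
    """Send one Access-Request from the NAS to nas_server_ip and report whether
    the reply passes the NAS's checks: the request's RADIUS id, and a source
    address equal to the address the request was sent to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    nas = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind((server_bind_ip, 0))          # port 0: any free UDP port
        port = srv.getsockname()[1]
        nas.bind((nas_ip, 0))
        srv.settimeout(2.0)
        nas.settimeout(2.0)

        nas.sendto(radius_header(ACCESS_REQUEST, ident), (nas_server_ip, port))

        data, peer = srv.recvfrom(4096)
        _code, req_id, _length = struct.unpack("!BBH", data[:4])
        # The server answers to the address the request came from.  What a
        # wildcard-bound socket does not control is which local address the
        # kernel stamps on this datagram as its source.
        srv.sendto(radius_header(ACCESS_CHALLENGE, req_id, data[4:20]), peer)

        reply, reply_src = nas.recvfrom(4096)
        _code, reply_id, _length = struct.unpack("!BBH", reply[:4])
        return {
            "reply_from": reply_src[0],
            "expected_from": nas_server_ip,
            "id_ok": reply_id == ident,
            "accepted": reply_id == ident and reply_src[0] == nas_server_ip,
        }
    finally:
        srv.close()
        nas.close()


if __name__ == "__main__":
    # Wildcard bind: the reply to 127.0.0.1 leaves from 127.0.0.1, not from
    # the 127.0.0.2 the NAS talked to, so the NAS discards it.
    print("wildcard bind:", radius_roundtrip("0.0.0.0", "127.0.0.2"))
    # Bound to the one address the NAS is configured with: accepted.
    print("specific bind:", radius_roundtrip("127.0.0.2", "127.0.0.2"))
```

On the FreeRADIUS side the equivalent of the second call is `bind_address` in radiusd.conf for the 1.x series shown in the log (the log's "Listening on authentication *:1812" is the wildcard case), or `ipaddr` in a `listen` section in later releases; the AP's `radius-server host` entry must name that same address. Later FreeRADIUS builds with udpfromto support reply from the address the request arrived on even with a wildcard listener, but binding to the address the NAS uses removes the dependence on the routing table altogether.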