<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Dear All,<br>
<br>
I've been trying to authenticate a Wireless Access Point through a Radius
Server for the last month, but things don't seem to be working for me.
The Radius Server is authenticating when I test it with the radtest
command. It also worked for a Cisco 2950 switch. But no luck when I use
the Access Point. I have tried 3 different access points, including
Linksys, D-Link and the Firepro, but none of them worked. <br>
<br>
I do not get any error when I check the radius in debug mode. It says
"Sending Access-Challenge to ....", but the client doesn't get
authenticated. I seriously need help on this. <br>
<br>
1. Do I really need certificates for authentication? Is there a way to
achieve WPA with username and password, without installing certificates?<br>
2. Should the AP send the "User-Password" attribute to the Radius Server?
Or should the Radius Server send an Access-Challenge to the AP, and the AP
does the matching and so on?<br>
<br>
<br>
Can somebody help me with a working solution of freeradius with an AP? <br>
Following are the configuration files and the output I am getting
while testing. <br>
<br>
I would appreciate a quick response from someone.<br>
<br>
Thanks and Regards,<br>
SaN<br>
<br>
<u><i><b>Radius Version 1.1.7</b></i></u><br>
<br>
************<br>
<i><u><b>radiusd.conf</b></u></i><br>
************<br>
<br>
checkrad = ${sbindir}/checkrad<br>
security {<br>
max_attributes = 200<br>
reject_delay = 1<br>
status_server = no<br>
}<br>
<br>
proxy_requests = yes<br>
$INCLUDE ${confdir}/proxy.conf<br>
$INCLUDE ${confdir}/clients.conf<br>
snmp = no<br>
$INCLUDE ${confdir}/snmp.conf<br>
modules {<br>
pap {<br>
auto_header = yes<br>
}<br>
chap {<br>
authtype = CHAP<br>
}<br>
pam {<br>
pam_auth = radiusd<br>
}<br>
<br>
unix {<br>
cache = no<br>
cache_reload = 600<br>
radwtmp = ${logdir}/radwtmp<br>
}<br>
<br>
$INCLUDE ${confdir}/eap.conf<br>
mschap {<br>
}<br>
<br>
realm IPASS {<br>
format = prefix<br>
delimiter = "/"<br>
ignore_default = no<br>
ignore_null = no<br>
}<br>
<br>
realm suffix {<br>
format = suffix<br>
delimiter = "@"<br>
ignore_default = no<br>
ignore_null = no<br>
}<br>
<br>
realm realmpercent {<br>
format = suffix<br>
delimiter = "%"<br>
ignore_default = no<br>
ignore_null = no<br>
}<br>
<br>
realm ntdomain {<br>
format = prefix<br>
delimiter = "\\"<br>
ignore_default = no<br>
ignore_null = no<br>
}<br>
<br>
checkval {<br>
item-name = Calling-Station-Id<br>
check-name = Calling-Station-Id<br>
data-type = string<br>
}<br>
<br>
authorize {<br>
preprocess<br>
chap<br>
mschap<br>
suffix<br>
files<br>
}<br>
authenticate {<br>
Auth-Type PAP {<br>
pap<br>
}<br>
<br>
Auth-Type CHAP {<br>
chap<br>
}<br>
<br>
Auth-Type MS-CHAP {<br>
mschap<br>
}<br>
unix<br>
eap<br>
}<br>
<br>
preacct {<br>
preprocess<br>
acct_unique<br>
suffix<br>
files<br>
}<br>
post-proxy {<br>
eap<br>
}<br>
<br>
<br>
***********<br>
<u><i><b>eap.conf</b></i></u><br>
***********<br>
<br>
eap {<br>
default_eap_type = tls<br>
ignore_unknown_eap_types = no<br>
cisco_accounting_username_bug = no<br>
md5 {<br>
}<br>
leap<br>
{<br>
}<br>
gtc {<br>
auth_type = PAP<br>
}<br>
tls {<br>
private_key_password = 1234<br>
certificate_file = ${raddbdir}/certs/server_keycert.pem<br>
CA_file = ${raddbdir}/certs/cacert.pem<br>
dh_file = ${raddbdir}/certs/dh<br>
random_file = ${raddbdir}/certs/random<br>
fragment_size = 1024<br>
include_length = yes<br>
}<br>
mschapv2 {<br>
}<br>
}<br>
<br>
**************<br>
<i><u><b>clients.conf</b></u></i><br>
**************<br>
<br>
client 192.168.104.10 {<br>
secret = testing100<br>
shortname = firepro<br>
nastype = other<br>
}<br>
<br>
**************<br>
<i><u><b>users</b></u></i><br>
***************<br>
<br>
"sankalpk" User-Password := "mjreturns"<br>
<br>
<br>
<br>
*****************<br>
<i><u><b>radiusd -X output:</b></u></i><br>
*****************<br>
main: prefix = "/usr/local"<br>
main: localstatedir = "/usr/local/var"<br>
main: logdir = "/usr/local/var/log/radius"<br>
main: libdir = "/usr/local/lib"<br>
main: radacctdir = "/usr/local/var/log/radius/radacct"<br>
main: hostname_lookups = no<br>
main: max_request_time = 30<br>
main: cleanup_delay = 5<br>
main: max_requests = 1024<br>
main: delete_blocked_requests = 0<br>
main: port = 1645<br>
main: allow_core_dumps = no<br>
main: log_stripped_names = no<br>
main: log_file = "/usr/local/var/log/radius/radius.log"<br>
main: log_auth = no<br>
main: log_auth_badpass = no<br>
main: log_auth_goodpass = no<br>
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"<br>
main: bind_address = 192.168.104.201 IP address [192.168.104.201]<br>
main: user = "(null)"<br>
main: group = "(null)"<br>
main: usercollide = no<br>
main: lower_user = "no"<br>
main: lower_pass = "no"<br>
main: nospace_user = "no"<br>
main: nospace_pass = "no"<br>
main: checkrad = "/usr/local/sbin/checkrad"<br>
main: proxy_requests = yes<br>
proxy: retry_delay = 5<br>
proxy: retry_count = 3<br>
proxy: synchronous = no<br>
proxy: default_fallback = yes<br>
proxy: dead_time = 120<br>
proxy: post_proxy_authorize = no<br>
proxy: wake_all_if_all_dead = no<br>
security: max_attributes = 200<br>
security: reject_delay = 1<br>
security: status_server = no<br>
main: debug_level = 0<br>
read_config_files: reading dictionary<br>
read_config_files: reading naslist<br>
Using deprecated naslist file. Support for this will go away soon.<br>
read_config_files: reading clients<br>
read_config_files: reading realms<br>
radiusd: entering modules setup<br>
Module: Library search path is /usr/local/lib<br>
Module: Loaded exec<br>
exec: wait = yes<br>
exec: program = "(null)"<br>
exec: input_pairs = "request"<br>
exec: output_pairs = "(null)"<br>
exec: packet_type = "(null)"<br>
rlm_exec: Wait=yes but no output defined. Did you mean output=none?<br>
Module: Instantiated exec (exec)<br>
Module: Loaded expr<br>
Module: Instantiated expr (expr)<br>
Module: Loaded PAP<br>
pap: encryption_scheme = "crypt"<br>
pap: auto_header = yes<br>
Module: Instantiated pap (pap)<br>
Module: Loaded CHAP<br>
Module: Instantiated chap (chap)<br>
Module: Loaded MS-CHAP<br>
mschap: use_mppe = yes<br>
mschap: require_encryption = no<br>
mschap: require_strong = no<br>
mschap: with_ntdomain_hack = no<br>
mschap: passwd = "(null)"<br>
mschap: ntlm_auth = "(null)"<br>
Module: Instantiated mschap (mschap)<br>
Module: Loaded System<br>
unix: cache = no<br>
unix: passwd = "(null)"<br>
unix: shadow = "(null)"<br>
unix: group = "(null)"<br>
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"<br>
unix: usegroup = no<br>
unix: cache_reload = 600<br>
Module: Instantiated unix (unix)<br>
Module: Loaded eap<br>
eap: default_eap_type = "tls"<br>
eap: timer_expire = 60<br>
eap: ignore_unknown_eap_types = no<br>
eap: cisco_accounting_username_bug = no<br>
rlm_eap: Loaded and initialized type md5<br>
rlm_eap: Loaded and initialized type leap<br>
gtc: challenge = "Password: "<br>
gtc: auth_type = "PAP"<br>
rlm_eap: Loaded and initialized type gtc<br>
tls: rsa_key_exchange = no<br>
tls: dh_key_exchange = yes<br>
tls: rsa_key_length = 512<br>
tls: dh_key_length = 512<br>
tls: verify_depth = 0<br>
tls: CA_path = "(null)"<br>
tls: pem_file_type = yes<br>
tls: private_key_file = "/usr/local/etc/raddb/certs/server_keycert.pem"<br>
tls: certificate_file = "/usr/local/etc/raddb/certs/server_keycert.pem"<br>
tls: CA_file = "/usr/local/etc/raddb/certs/cacert.pem"<br>
tls: private_key_password = "1234"<br>
tls: dh_file = "/usr/local/etc/raddb/certs/dh"<br>
tls: random_file = "/usr/local/etc/raddb/certs/random"<br>
tls: fragment_size = 1024<br>
tls: include_length = yes<br>
tls: check_crl = no<br>
tls: check_cert_cn = "(null)"<br>
tls: cipher_list = "(null)"<br>
tls: check_cert_issuer = "(null)"<br>
rlm_eap_tls: Loading the certificate file as a chain<br>
rlm_eap: Loaded and initialized type tls<br>
mschapv2: with_ntdomain_hack = no<br>
rlm_eap: Loaded and initialized type mschapv2<br>
Module: Instantiated eap (eap)<br>
Module: Loaded preprocess<br>
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"<br>
preprocess: hints = "/usr/local/etc/raddb/hints"<br>
preprocess: with_ascend_hack = no<br>
preprocess: ascend_channels_per_line = 23<br>
preprocess: with_ntdomain_hack = no<br>
preprocess: with_specialix_jetstream_hack = no<br>
preprocess: with_cisco_vsa_hack = no<br>
preprocess: with_alvarion_vsa_hack = no<br>
Module: Instantiated preprocess (preprocess)<br>
Module: Loaded realm<br>
realm: format = "suffix"<br>
realm: delimiter = "@"<br>
realm: ignore_default = no<br>
realm: ignore_null = no<br>
Module: Instantiated realm (suffix)<br>
Module: Loaded files<br>
files: usersfile = "/usr/local/etc/raddb/users"<br>
files: acctusersfile = "/usr/local/etc/raddb/acct_users"<br>
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"<br>
files: compat = "no"<br>
Module: Instantiated files (files)<br>
Module: Loaded Acct-Unique-Session-Id<br>
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"<br>
Module: Instantiated acct_unique (acct_unique)<br>
Module: Loaded detail<br>
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>
detail: detailperm = 384<br>
detail: dirperm = 493<br>
detail: locking = no<br>
Module: Instantiated detail (detail)<br>
Module: Loaded radutmp<br>
radutmp: filename = "/usr/local/var/log/radius/radutmp"<br>
radutmp: username = "%{User-Name}"<br>
radutmp: case_sensitive = yes<br>
radutmp: check_with_nas = yes<br>
radutmp: perm = 384<br>
radutmp: callerid = yes<br>
Module: Instantiated radutmp (radutmp)<br>
Listening on authentication 192.168.104.201:1645<br>
Listening on accounting 192.168.104.201:1646<br>
Ready to process requests.<br>
<br>
<br>
<br>
<br>
<u><i><b>As I try to connect to the AP through a Windows Vista Client:</b></i></u><br>
<br>
rad_recv: Access-Request packet from host 192.168.104.168:3082, id=10,
length=158<br>
User-Name = "sankalpk"<br>
NAS-IP-Address = 192.168.1.254<br>
NAS-Port = 0<br>
Called-Station-Id = "00-21-DE-00-17-B2:Wireless"<br>
Calling-Station-Id = "00-19-D2-AD-4A-BF"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x0201000d0173616e6b616c706b<br>
Message-Authenticator = 0x932ae386762803662714a332a5b35fab<br>
Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 0<br>
modcall[authorize]: module "preprocess" returns ok for request 0<br>
modcall[authorize]: module "chap" returns noop for request 0<br>
modcall[authorize]: module "mschap" returns noop for request 0<br>
rlm_realm: No '@' in User-Name = "sankalpk", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
modcall[authorize]: module "suffix" returns noop for request 0<br>
rlm_eap: EAP packet type response id 1 length 13<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>
modcall[authorize]: module "eap" returns updated for request 0<br>
users: Matched entry sankalpk at line 95<br>
modcall[authorize]: module "files" returns ok for request 0<br>
modcall: leaving group authorize (returns updated) for request 0<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 0<br>
rlm_eap: EAP Identity<br>
rlm_eap: processing type tls<br>
rlm_eap_tls: Requiring client certificate<br>
rlm_eap_tls: Initiate<br>
rlm_eap_tls: Start returned 1<br>
modcall[authenticate]: module "eap" returns handled for request 0<br>
modcall: leaving group authenticate (returns handled) for request 0<br>
Sending Access-Challenge of id 10 to 192.168.104.168 port 3082<br>
EAP-Message = 0x010200060d20<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xe1fca91bd45ab011bb1d2be124a4a7f6<br>
Finished request 0<br>
Going to the next request<br>
--- Walking the entire request list ---<br>
Waking up in 6 seconds...<br>
rad_recv: Access-Request packet from host 192.168.104.168:3082, id=10,
length=158<br>
Sending duplicate reply to client firepro:3082 - ID: 10<br>
Re-sending Access-Challenge of id 10 to 192.168.104.168 port 3082<br>
--- Walking the entire request list ---<br>
Waking up in 3 seconds...<br>
--- Walking the entire request list ---<br>
Cleaning up request 0 ID 10 with timestamp 49a40ea8<br>
Nothing to do. Sleeping until we see a request.<br>
rad_recv: Access-Request packet from host 192.168.104.168:3082, id=10,
length=158<br>
User-Name = "sankalpk"<br>
NAS-IP-Address = 192.168.1.254<br>
NAS-Port = 0<br>
Called-Station-Id = "00-21-DE-00-17-B2:Wireless"<br>
Calling-Station-Id = "00-19-D2-AD-4A-BF"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x0201000d0173616e6b616c706b<br>
Message-Authenticator = 0x932ae386762803662714a332a5b35fab<br>
Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 1<br>
modcall[authorize]: module "preprocess" returns ok for request 1<br>
modcall[authorize]: module "chap" returns noop for request 1<br>
modcall[authorize]: module "mschap" returns noop for request 1<br>
rlm_realm: No '@' in User-Name = "sankalpk", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
modcall[authorize]: module "suffix" returns noop for request 1<br>
rlm_eap: EAP packet type response id 1 length 13<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>
modcall[authorize]: module "eap" returns updated for request 1<br>
users: Matched entry sankalpk at line 95<br>
modcall[authorize]: module "files" returns ok for request 1<br>
modcall: leaving group authorize (returns updated) for request 1<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 1<br>
rlm_eap: EAP Identity<br>
rlm_eap: processing type tls<br>
rlm_eap_tls: Requiring client certificate<br>
rlm_eap_tls: Initiate<br>
rlm_eap_tls: Start returned 1<br>
modcall[authenticate]: module "eap" returns handled for request 1<br>
modcall: leaving group authenticate (returns handled) for request 1<br>
Sending Access-Challenge of id 10 to 192.168.104.168 port 3082<br>
EAP-Message = 0x010200060d20<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x64df003490d42bf16e7fc57ee4c9afde<br>
Finished request 1<br>
Going to the next request<br>
--- Walking the entire request list ---<br>
Waking up in 6 seconds...<br>
<br>
<br>
<br>
<br>
<br>
<br>
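Added example, not part of the original mailing-list post: a small decoder for the EAP-Message values quoted in the radiusd -X output above. It parses the RFC 3748 header and the TLS/PEAP flags byte, so a reader can see that the supplicant sent an EAP Identity response and the server answered with an EAP-TLS Start (type 13, flags 0x20) because default_eap_type = tls; a supplicant configured for a password-based method has no certificate to offer and simply never answers, which is why the AP keeps retransmitting the same Access-Request. The function names and the method-type table are my own.<br>

```python
# Added example (not from the original post): decode EAP-Message values
# as printed by radiusd -X to see which EAP method the server offered.
import binascii

# EAP codes (RFC 3748) and the method types relevant to this thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "TLS", 17: "LEAP", 25: "PEAP", 26: "MSCHAPv2"}

def decode_eap(hex_value: str) -> dict:
    """Parse one EAP-Message value ('0x...') into its header fields."""
    raw = binascii.unhexlify(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != packet size {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a type byte
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = raw[5:]
        if eap_type == 1:                   # Identity: data is the user name
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type in (13, 25):          # TLS / PEAP: first data byte is flags
            flags = data[0] if data else 0
            pkt["flags"] = {"length_included": bool(flags & 0x80),
                            "more_fragments": bool(flags & 0x40),
                            "start": bool(flags & 0x20)}
        elif eap_type == 3:                 # Nak: data lists methods the peer accepts
            pkt["acceptable"] = [EAP_TYPES.get(t, t) for t in data]
    return pkt

def explain_exchange(request_hex: str, reply_hex: str) -> str:
    """Summarise one Access-Request / Access-Challenge pair from the debug log."""
    req, rep = decode_eap(request_hex), decode_eap(reply_hex)
    if req.get("type") == "Identity" and rep.get("type") == "TLS" \
            and rep["flags"]["start"]:
        return (f"identity {req['identity']!r} answered with EAP-TLS Start; "
                "a supplicant without a client certificate will not continue")
    return f"{req['code']}/{req.get('type')} -> {rep['code']}/{rep.get('type')}"

if __name__ == "__main__":
    # Values copied from the radiusd -X output in the post above.
    print(decode_eap("0x0201000d0173616e6b616c706b"))
    print(decode_eap("0x010200060d20"))
    print(explain_exchange("0x0201000d0173616e6b616c706b", "0x010200060d20"))
```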
</body>
</html>