<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Hi ,<div>I am happing problem that I couldn't resolve alone. </div><div>If anyone in the list could help me will be appreciated.</div><div><br></div><div>I have access point EnGenius 2610 and I run freeradius under RHEL5.</div><div>RHEL5 have two ethernet card, eth0 : 192.168.1.4 to Internet, eth1 to Wifi Client with IP 192.168.0.1 (Client is Windows XP).</div><div><br></div><div>Client authenticated with MS-Chapv2. I had installed ca_cert.der in XP.</div><div><br></div><div>when I run radiusd -X everytime seem fine.</div><div><br></div><div><div>Ready to process requests.</div><div>rad_recv: Access-Request packet from host 192.168.0.3 port 1024, id=4, length=194</div><div> User-Name = "GRACELIA-4E4DD9\\gracelia"</div><div> NAS-IP-Address = 192.168.0.3</div><div> NAS-Port = 0</div><div> Called-Station-Id = "00-02-6C-5B-0A-A3:mars_net"</div><div> Calling-Station-Id = "00-80-A8-C1-C0-A3"</div><div> Framed-MTU = 1400</div><div> NAS-Port-Type = Wireless-802.11</div><div> Connect-Info = "CONNECT 11Mbps 802.11b"</div><div> EAP-Message = 0x020d001d0147524143454c49412d3445344444395c67726163656c6961</div><div> Message-Authenticator = 0x5ad14aa7bbf1f169e0d16b594a0888ea</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>[suffix] No '@' in User-Name = "GRACELIA-4E4DD9\gracelia", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 13 length 29</div><div>[eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>++[eap] returns updated</div><div>++[unix] returns notfound</div><div>[files] users: Matched entry GRACELIA-4E4DD9\gracelia at line 94</div><div>[files] expand: Hello, %{User-Name} -> Hello, GRACELIA-4E4DD9\gracelia</div><div>++[files] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>[pap] Found existing Auth-Type, not changing it.</div><div>++[pap] returns noop</div><div>Found Auth-Type = EAP</div><div>+- entering group authenticate {...}</div><div>[eap] EAP Identity</div><div>[eap] processing type tls</div><div>[tls] Initiate</div><div>[tls] Start returned 1</div><div>++[eap] returns handled</div><div>Sending Access-Challenge of id 4 to 192.168.0.3 port 1024</div><div> Reply-Message = "Hello, GRACELIA-4E4DD9\\gracelia"</div><div> EAP-Message = 0x010e00061920</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x1b2c209a1b2239d39cc5bd6f4ac49d46</div><div>Finished request 18.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>Cleaning up request 18 ID 4 with timestamp +307</div><div>Ready to process requests.</div><div><br></div><div>But it keep looping Access-Challege and Access-Request without Access-Reject or authenticated. I believe the certificate already have OID.</div><div><br></div><div>When I check with Access Point Log..here the output</div><div><br></div><div><div>Jan 1 00:17:35 (none) daemon.debug setup.cgi[465]: main: process ./html/CM_SystemStatus.htm takes 2300 ms----------------------------</div><div>Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: aborting authentication</div><div>Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: unauthorizing port</div><div>Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: received EAP packet (code=2 id=54 len=29) from STA: EAP Response-Identity (1)</div><div>Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: STA identity 'GRACELIA-4E4DD9\gracelia'</div><div>Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Sending RADIUS message to authentication server</div><div>Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 3 seconds </div><div>Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:c3 RADIUS: Resending RADIUS message (id=28)</div><div>Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 1 seconds</div><div>Jan 1 00:17:45 (none) daemon.debug setup.cgi[491]: cgi_setup::main()------------------>HTTP_REFERER=http://192.168.0.3/setup.cgi?reqfile=./html/left.htm</div><div><br></div></div><div>if I try to bind to eth1 or IP-Address, the server not receipt any request.</div><div><br></div><div>Here the client.conf setting</div><div><br></div><div><div># -*- text -*-</div><div>##</div><div>## clients.conf -- client configuration directives</div><div>##</div><div>##<span class="Apple-tab-span" style="white-space:pre"> </span>$Id$</div><div><br></div><div>#######################################################################</div><div>#</div><div># Define RADIUS clients (usually a NAS, Access Point, etc.).</div><div><br></div><div>#</div><div># Defines a RADIUS client.</div><div>#</div><div># '127.0.0.1' is another name for 'localhost'. It is enabled by default,</div><div># to allow testing of the server after an initial installation. If you</div><div># are not going to be permitting RADIUS queries from localhost, we suggest</div><div># that you delete, or comment out, this entry.</div><div>#</div><div>#</div><div><br></div><div>#</div><div># Each client has a "short name" that is used to distinguish it from</div><div># other clients.</div><div>#</div><div># In version 1.x, the string after the word "client" was the IP</div><div># address of the client. In 2.0, the IP address is configured via</div><div># the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x</div><div># format is still accepted.</div><div>#</div><div>client localhost {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Allowed values are:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>dotted quad (1.2.3.4)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># hostname (radius.example.com)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>ipaddr = 192.168.1.4</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span># OR, you can use an IPv6 address, but not both</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># at the same time.</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>ipv6addr = ::<span class="Apple-tab-span" style="white-space:pre"> </span># any. ::1 == localhost</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># A note on DNS: We STRONGLY recommend using IP addresses</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># rather than host names. Using host names means that the</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># server will do DNS lookups when it starts, making it</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># dependent on DNS. i.e. If anything goes wrong with DNS,</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># the server won't start!</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The server also looks up the IP address from DNS once, and</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># only once, when it starts. If the DNS record is later</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># updated, the server WILL NOT see that update.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span># One client definition can be applied to an entire network.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># "netmask = 8"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># If not specified, the default netmask is 32 (i.e. /32)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># We do NOT recommend using anything other than 32. There</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># are usually other, better ways to acheive the same goal.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Using netmasks of other than 32 can cause security issues.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># You can specify overlapping networks (127/8 and 127.0/16)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># In that case, the smallest possible network will be used</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># as the "best match" for the client.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Clients can also be defined dynamically at run time, based</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># etc.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># See raddb/sites-available/dynamic-clients for details.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><br></div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>netmask = 32</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The shared secret use to "encrypt" and "sign" packets between</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># the NAS and FreeRADIUS. You MUST change this secret from the</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># default, otherwise it's not a secret any more!</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The secret can be any string, up to 8k characters in length.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Control codes can be entered vi octal encoding,</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>e.g. "\101\102" == "AB"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Quotation marks can be entered by escaping them,</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>e.g. "foo\"bar"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># A note on security: The security of the RADIUS protocol</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># depends COMPLETELY on this secret! We recommend using a</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># shared secret that is composed of:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>upper case letters</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>lower case letters</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>numbers</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># And is at LEAST 8 characters long, preferably 16 characters in</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># length. The secret MUST be random, and should not be words,</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># phrase, or anything else that is recognizable.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The default secret below is only for testing, and should</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># not be used in any real environment.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>secret<span class="Apple-tab-span" style="white-space:pre"> </span>= testing123</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Old-style clients do not send a Message-Authenticator</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># in an Access-Request. RFC 5080 suggests that all clients</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># SHOULD include it in an Access-Request. The configuration</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># item below allows the server to require it. If a client</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># is required to include a Message-Authenticator and it does</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># not, then the packet will be silently discarded.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># allowed values: yes, no</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>require_message_authenticator = no</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The short name is used as an alias for the fully qualified</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># domain name, or the IP address.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># It is accepted for compatibility with 1.x, but it is no</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># longer necessary in 2.0</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>shortname<span class="Apple-tab-span" style="white-space:pre"> </span>= localhost</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># the following three fields are optional, but may be used by</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># checkrad.pl for simultaneous use checks</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The nastype tells 'checkrad.pl' which NAS-specific method to</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># use to query the NAS for simultaneous use.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Permitted NAS types are:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>cisco</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>computone</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>livingston</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>max40xx</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>multitech</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>netserver</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>pathras</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>patton</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>portslave</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>tc</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>usrhiper</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#<span class="Apple-tab-span" style="white-space:pre"> </span>other<span class="Apple-tab-span" style="white-space:pre"> </span># for all other types</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>nastype = other<span class="Apple-tab-span" style="white-space:pre"> </span># localhost isn't usually a NAS...</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The following two configurations are for future use.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># The 'naspasswd' file is currently used to store the NAS</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># login name and password, which is used by checkrad.pl</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># when querying the NAS for simultaneous use.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>login = !root</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>password = someadminpas</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># As of 2.0, clients can also be tied to a virtual server.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># This is done by setting the "virtual_server" configuration</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># item, as in the example below.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>virtual_server = home1</div><div>}</div><div><br></div><div># IPv6 Client</div><div>#client ::1 {</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>secret<span class="Apple-tab-span" style="white-space:pre"> </span>= testing123</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>shortname<span class="Apple-tab-span" style="white-space:pre"> </span>= localhost</div><div>#}</div><div>#</div><div># All IPv6 Site-local clients</div><div>#client fe80::/16 {</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>secret<span class="Apple-tab-span" style="white-space:pre"> </span>= testing123</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>shortname<span class="Apple-tab-span" style="white-space:pre"> </span>= localhost</div><div>#}</div><div><br></div><div>#client some.host.org {</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>secret<span class="Apple-tab-span" style="white-space:pre"> </span>= testing123</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>shortname<span class="Apple-tab-span" style="white-space:pre"> </span>= localhost</div><div>#}</div><div><br></div><div>#</div><div># You can now specify one secret for a network of clients.</div><div># When a client request comes in, the BEST match is chosen.</div><div># i.e. The entry from the smallest possible network.</div><div>#</div><div>client 192.168.0.0/24 {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>secret<span class="Apple-tab-span" style="white-space:pre"> </span>= testing123-1</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>shortname<span class="Apple-tab-span" style="white-space:pre"> </span>= private-network-1</div><div>}</div><div>#</div><div>#client 192.168.0.0/16 {</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>secret<span class="Apple-tab-span" style="white-space:pre"> </span>= testing123-2</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>shortname<span class="Apple-tab-span" style="white-space:pre"> </span>= private-network-2</div><div>#}</div><div><br></div><div><br></div><div>#client 10.10.10.10 {</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span># secret and password are mapped through the "secrets" file.</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>secret = testing123</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>shortname = liv1</div><div># # the following three fields are optional, but may be used by</div><div># # checkrad.pl for simultaneous usage checks</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>nastype = livingston</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>login = !root</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>password = someadminpas</div><div>#}</div><div><br></div><div>#######################################################################</div><div>#</div><div># Per-socket client lists. The configuration entries are exactly</div><div># the same as above, but they are nested inside of a section.</div><div>#</div><div># You can have as many per-socket client lists as you have "listen"</div><div># sections, or you can re-use a list among multiple "listen" sections.</div><div>#</div><div># Un-comment this section, and edit a "listen" section to add:</div><div># "clients = per_socket_clients". That IP address/port combination</div><div># will then accept ONLY the clients listed in this section.</div><div>#</div><div>#clients per_socket_clients {</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>client 192.168.3.4 {</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>secret = testing123</div><div># }</div><div>#}</div></div><div><br></div><div>Am I wrongly configured in client.conf hence NAS-port = 0.</div><div><br></div><div><br></div><div><br></div></div> <br /><hr />With all the latest places, searching has never been easier. <a href='http://clk.atdmt.com/NMN/go/157631292/direct/01/' target='_new'>Looking for a new home?</a></body>
</html>