Try adding

    jwinius    Cleartext-Password := xxx

On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius <jwinius@umrk.nl> wrote:

> Hi folks,
>
> Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But that's not working out as I had hoped.
>
> Could somebody please tell me what's missing, or what I'm doing wrong? So far I have done the following:
>
> 1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the previous configuration to the /etc/freeradius/certs directory. To generate them, each time I used "LongStringNumberOne" for both the input and output passwords. Among the encryption files generated are ca.pem, dh, server.key and server.pem. The ca.pem file was also copied to my laptop's /etc/certs directory and is used with wpasupplicant for testing the system.
>
> 2.) Added the following lines to the end of /etc/freeradius/clients:
>
> client 192.168.2.0/24 {
>         secret = LongStringNumberTwo
>         shortname = mynet
> }
>
> 3.) Added the following line to the end of /etc/freeradius/users:
>
> DEFAULT Auth-Type = Pam
>
> 4.) In /etc/freeradius/eap.conf I changed the values of the following two attributes to:
>
> default_eap_type = ttls
> private_key_password = LongStringNumberOne
>
> 5.) In /etc/freeradius/radiusd.conf I changed the value of the following attribute to:
>
> user = root
>
> 6.) In both /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel, I uncommented the "pam" entry in section "authenticate".
>
> 7.) Some sources suggest changing it, but I chose to leave the contents of /etc/pam.d/radiusd unmodified:
>
> @include common-auth
> @include common-account
> @include common-password
> @include common-session
>
> 8.) My NAS is a Linksys WRT54GS running DD-WRT v24 firmware and is configured as follows:
>
> Wireless Mode                   AP
> Wireless Network Mode           Mixed
> Wireless Network Name (SSID)    mynet
> Wireless Channel                6 - 2.437 GHz
> Wireless SSID Broadcast         Enable
> Network Configuration           Bridged
>
> Security Mode                   WPA2 Enterprise
> WPA Algorithms                  TKIP+AES
> RADIUS Server Address           192.168.2.12
> RADIUS Server Port              1812
> RADIUS Shared Secret            LongStringNumberTwo
> Key Renewal Interval (in sec.)  3600
>
> Unfortunately, after starting the server in debugging mode with "freeradius -X", my client's authentication attempts get rejected and I get the following output from the freeradius server:
>
> =========================================
>
> rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245
> Cleaning up request 6 ID 0 with timestamp +12
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>         User-Name = "jwinius"
>         NAS-IP-Address = 192.168.2.2
>         Called-Station-Id = "0014bf72f676"
>         Calling-Station-Id = "00110a81fb2b"
>         NAS-Identifier = "0014bf72f676"
>         NAS-Port = 17
>         Framed-MTU = 1400
>         State = 0x2ecb21dd28cc340c8873b5871c637572
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
>         Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 112
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] eaptls_verify returned 7
> [ttls] Done initial handshake
> [ttls] eaptls_process returned 7
> [ttls] Session established.  Proceeding to decode tunneled attributes.
> [ttls] Got tunneled request
>         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
>         FreeRADIUS-Proxied-To = 127.0.0.1
> [ttls] Sending tunneled request
>         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "jwinius"
>         State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
> server inner-tunnel {
> # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 1 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 211
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/md5
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
> [eap] Handler failed in EAP/md5
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> } # server inner-tunnel
> [ttls] Got tunneled reply code 3
>         EAP-Message = 0x04010004
>         Message-Authenticator = 0x00000000000000000000000000000000
> [ttls] Got tunneled Access-Reject
> [eap] Handler failed in EAP/ttls
> rlm_eap_ttls: Freeing handler for user jwinius
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> jwinius
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 0 to 192.168.2.2 port 1025
>         EAP-Message = 0x04070004
>         Message-Authenticator = 0x00000000000000000000000000000000
>
> =========================================
>
> Any idea what I'm doing wrong?
>
> Thanks,
>
> Jaap
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
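Worked configuration for the failure shown in the trace above. This is an added example, not text from either message and not FreeRADIUS's own documentation; the file paths, the placeholder password "xxx", the laptop's wpa_supplicant settings and the inner-tunnel listener details are assumptions. The trace tells the whole story: the supplicant is running EAP-MD5 inside the TTLS tunnel, rlm_eap_md5 can only verify that exchange if the server holds a Cleartext-Password, and in the inner-tunnel authorize section the eap module runs before files, returns "updated" and sets Auth-Type = EAP, so the "DEFAULT Auth-Type = Pam" entry (operator "=", which only sets an unset attribute) is matched but never takes effect. Two ways out are shown: the one the reply gives, and the one that keeps PAM in the loop.

```conf
# --- /etc/freeradius/users  (Option A: what the reply suggests) ---
# rlm_eap_md5 computes the expected MD5 challenge response from the
# cleartext password, so the server must know it. "xxx" is a placeholder.
# Caveat: the password now lives in plaintext in this file, protected only
# by its permissions, and PAM is not consulted at all for this user.
jwinius    Cleartext-Password := "xxx"

# --- /etc/freeradius/users  (Option B: authenticate through PAM) ---
# rlm_pam passes the request's User-Password to the PAM stack, so the inner
# request must carry one. Inside EAP-TTLS that only happens when the
# supplicant's phase-2 method is PAP. With PAP inside the tunnel the eap
# module returns noop (no inner EAP-Message), Auth-Type stays unset, and
# the existing DEFAULT entry from step 3 finally applies as intended.
DEFAULT    Auth-Type = Pam

# --- wpa_supplicant.conf on the laptop (assumed path and values) ---
# The only line that changes the outcome is phase2: it selects PAP instead
# of EAP-MD5 inside the TTLS tunnel. ca_cert keeps the server-certificate
# check in place; do not drop it to "make it work", or the tunnel will
# happily deliver the PAP password to any rogue AP's RADIUS server.
network={
    ssid="mynet"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jwinius"
    password="xxx"
    ca_cert="/etc/certs/ca.pem"
    phase2="auth=PAP"
}
```

Test the inner path on its own before involving the access point: with the stock FreeRADIUS 2.x inner-tunnel listener on 127.0.0.1:18120 and the default localhost client secret (both assumptions about an unmodified Debian install), `radtest jwinius xxx 127.0.0.1:18120 0 testing123` sends a plain PAP request straight into the inner-tunnel server, so `freeradius -X` shows whether rlm_pam accepts the account without any EAP in the way. On the "user = root" change from step 5: rlm_pam only needs root to read /etc/shadow, and the usual alternative is to leave the daemon running as its own user and add that user to the shadow group instead, which is a much smaller privilege to hand a network-facing service.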