Re: Freeradius-Devel Digest, Vol 112, Issue 6
Hi Stefan, Thank you for reply. But By default FR takes MS-CHAPv2. How to configure to GTC/PAP? However i will try FR connects to samba or active directory. Regards Ammu On Fri, Aug 8, 2014 at 3:30 PM, < freeradius-devel-request@lists.freeradius.org> wrote:
Send Freeradius-Devel mailing list submissions to freeradius-devel@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-devel or, via email, send a message with subject or body 'help' to freeradius-devel-request@lists.freeradius.org
You can reach the person managing the list at freeradius-devel-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Devel digest..."
Today's Topics:
1. RE: EAP-FAST phase2 failed (Stefan Paetow)
----------------------------------------------------------------------
Message: 1 Date: Thu, 7 Aug 2014 21:25:46 +0000 From: Stefan Paetow <Stefan.Paetow@ja.net> To: FreeRadius developers mailing list <freeradius-devel@lists.freeradius.org> Subject: RE: EAP-FAST phase2 failed Message-ID: <C072996E0B81144DBB9426B44462540C0D6935BF@EXC001> Content-Type: text/plain; charset="iso-8859-1"
The log says this:
EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE
Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2).
Stefan
________________________________ From: freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Ammu Argh [ammu3634@gmail.com] Sent: 07 August 2014 17:16 To: freeradius-devel@lists.freeradius.org Subject: EAP-FAST phase2 failed
Hi,
I was trying to connect to AP using EAP-FAST authentication. But Freeradius EAP-FAST failed with below error:
State = 0x97d5bb340dc1cb0c525e6b44738f3553 Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 107 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 202 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group EAP { [eap2] Request found, released from the list EAP: EAP entering state RECEIVED EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0 EAP: EAP entering state INTEGRITY_CHECK EAP: EAP entering state METHOD_RESPONSE SSL: Received packet(len=107) - Flags 0x01 SSL: Received packet: Flags 0x1 Message Length 0 EAP-FAST: Received 101 bytes encrypted data for Phase 2 EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED] EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory) EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69 EAP-FAST: Received Phase 2: code=2 identifier=4 length=63 EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE EAP: EAP entering state SELECT_ACTION EAP: getDecision: method failed -> FAILURE EAP: EAP entering state FAILURE EAP: Building EAP-Failure (id=4) ==> Fail [eap2] Freeing handler EAP: Server state machine removed ++[eap2] = reject +} # group EAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 117 to 10.10.2.2 port 46531 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds.
Other details are as below"
Users file" wifi Auth-Type := EAP, Cleartext-Password := "welcome123"
eap.conf eap2 { fast { pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f eap_fast_a_id = tjsys eap_fast_a_id_info = my_server eap_fast_prov = 3 pac_key_lifetime = 604800 # 7 days pac_key_refresh_tim = 86400 }
tls { ca_cert = /usr/local/etc/raddb/certs/ca.pem server_cert = /usr/local/etc/raddb/certs/server.pem private_key_file = /usr/local/etc/raddb/certs/server.key private_key_password = whatever dh_file = /usr/local/etc/raddb/certs/dh random_file = /usr/local/etc/raddb/certs/random } }
Sites-enabled/default: Added in authenticate block Auth-Type EAP { eap2 }
wpa_supplicant.conf update_config=1 ap_scan=1 fast_reauth=1
network={ ssid="WiFi-11g" key_mgmt=WPA-EAP proto=WPA pairwise=TKIP group=TKIP eap=FAST anonymous_identity="fast" identity="fast" password="koro" phase1="fast_provisioning=3" pac_file="/data/misc/wifi/eap_fast.pac" }
FreeRADIUS Version 2.2.5, OpenSSL 1.0.1e 11 Ubuntu 14.04.1
Please help me to get it work.
Regards Ammu
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
End of Freeradius-Devel Digest, Vol 112, Issue 6 ************************************************
Here are a couple resources that would be worth reading: http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW... http://deployingradius.com/documents/configuration/active_directory.html The second is actually referenced in the first on the FR wiki. — Aaron On Aug 8, 2014, at 11:21 AM, Ammu Argh <ammu3634@gmail.com<mailto:ammu3634@gmail.com>> wrote: Hi Stefan, Thank you for reply. But By default FR takes MS-CHAPv2. How to configure to GTC/PAP? However i will try FR connects to samba or active directory. Regards Ammu On Fri, Aug 8, 2014 at 3:30 PM, <freeradius-devel-request@lists.freeradius.org<mailto:freeradius-devel-request@lists.freeradius.org>> wrote: Send Freeradius-Devel mailing list submissions to freeradius-devel@lists.freeradius.org<mailto:freeradius-devel@lists.freeradius.org> To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-devel or, via email, send a message with subject or body 'help' to freeradius-devel-request@lists.freeradius.org<mailto:freeradius-devel-request@lists.freeradius.org> You can reach the person managing the list at freeradius-devel-owner@lists.freeradius.org<mailto:freeradius-devel-owner@lists.freeradius.org> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Devel digest..." Today's Topics: 1. RE: EAP-FAST phase2 failed (Stefan Paetow) ---------------------------------------------------------------------- Message: 1 Date: Thu, 7 Aug 2014 21:25:46 +0000 From: Stefan Paetow <Stefan.Paetow@ja.net<mailto:Stefan.Paetow@ja.net>> To: FreeRadius developers mailing list <freeradius-devel@lists.freeradius.org<mailto:freeradius-devel@lists.freeradius.org>> Subject: RE: EAP-FAST phase2 failed Message-ID: <C072996E0B81144DBB9426B44462540C0D6935BF@EXC001> Content-Type: text/plain; charset="iso-8859-1" The log says this: EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2). Stefan ________________________________ From: freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org<mailto:ja.net@lists.freeradius.org> [freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org<mailto:ja.net@lists.freeradius.org>] on behalf of Ammu Argh [ammu3634@gmail.com<mailto:ammu3634@gmail.com>] Sent: 07 August 2014 17:16 To: freeradius-devel@lists.freeradius.org<mailto:freeradius-devel@lists.freeradius.org> Subject: EAP-FAST phase2 failed Hi, I was trying to connect to AP using EAP-FAST authentication. But Freeradius EAP-FAST failed with below error: State = 0x97d5bb340dc1cb0c525e6b44738f3553 Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 107 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 202 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group EAP { [eap2] Request found, released from the list EAP: EAP entering state RECEIVED EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0 EAP: EAP entering state INTEGRITY_CHECK EAP: EAP entering state METHOD_RESPONSE SSL: Received packet(len=107) - Flags 0x01 SSL: Received packet: Flags 0x1 Message Length 0 EAP-FAST: Received 101 bytes encrypted data for Phase 2 EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED] EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory) EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69 EAP-FAST: Received Phase 2: code=2 identifier=4 length=63 EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE EAP: EAP entering state SELECT_ACTION EAP: getDecision: method failed -> FAILURE EAP: EAP entering state FAILURE EAP: Building EAP-Failure (id=4) ==> Fail [eap2] Freeing handler EAP: Server state machine removed ++[eap2] = reject +} # group EAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 117 to 10.10.2.2 port 46531 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Other details are as below" Users file" wifi Auth-Type := EAP, Cleartext-Password := "welcome123" eap.conf eap2 { fast { pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f eap_fast_a_id = tjsys eap_fast_a_id_info = my_server eap_fast_prov = 3 pac_key_lifetime = 604800 # 7 days pac_key_refresh_tim = 86400 } tls { ca_cert = /usr/local/etc/raddb/certs/ca.pem server_cert = /usr/local/etc/raddb/certs/server.pem private_key_file = /usr/local/etc/raddb/certs/server.key private_key_password = whatever dh_file = /usr/local/etc/raddb/certs/dh random_file = /usr/local/etc/raddb/certs/random } } Sites-enabled/default: Added in authenticate block Auth-Type EAP { eap2 } wpa_supplicant.conf update_config=1 ap_scan=1 fast_reauth=1 network={ ssid="WiFi-11g" key_mgmt=WPA-EAP proto=WPA pairwise=TKIP group=TKIP eap=FAST anonymous_identity="fast" identity="fast" password="koro" phase1="fast_provisioning=3" pac_file="/data/misc/wifi/eap_fast.pac" } FreeRADIUS Version 2.2.5, OpenSSL 1.0.1e 11 Ubuntu 14.04.1 Please help me to get it work. Regards Ammu Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 ------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html End of Freeradius-Devel Digest, Vol 112, Issue 6 ************************************************ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (2)
-
Aaron Hurt -
Ammu Argh