Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2011
- 122 participants
- 144 discussions
Hi
I have problem with EAP
CAN YOU help me
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x90d4d2dd94c2cb92 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=97,
length=144
User-Name = "12"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021600061900
State = 0x90d4d2dd94c2cb924b3cdc7780b3dc35
Message-Authenticator = 0xfa9a966f33ce0c76a0d15f303480f4ea
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[sql] expand: %{User-Name} -> 12
[sql] sql_set_user escaped user --> '12'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '12' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '12' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'12' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 97 to 172.16.15.1 port 1027
EAP-Message =
0x0117002b19001703010020674bd0fe9ec9f56973ac49079d2029c578bad4ad1dac11d67968154832aa91fb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x90d4d2dd95c3cb924b3cdc7780b3dc35
Finished request 21.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=98,
length=181
User-Name = "12"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0217002b19001703010020f8c94f58aabcbdadb5aa695270bfa559530931a394827ef3894bfc31d1f7f4a5
State = 0x90d4d2dd95c3cb924b3cdc7780b3dc35
Message-Authenticator = 0x54cf580c0926a0e3575707db7ec6e193
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[sql] expand: %{User-Name} -> 12
[sql] sql_set_user escaped user --> '12'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '12' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '12' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'12' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[eap] EAP packet type response id 23 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - 12
[peap] Got inner identity '12'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02170007013132
server {
PEAP: Setting User-Name to 12
Sending tunneled request
EAP-Message = 0x02170007013132
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "12"
server inner-tunnel {
No such virtual server "inner-tunnel"
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 98 to 172.16.15.1 port 1027
EAP-Message =
0x0118002b190017030100201edf1da3f3138e40f27c63d735a7bff7351f5abfac971a15b3d4c2369596858c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x90d4d2dd96cccb924b3cdc7780b3dc35
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=99,
length=181
User-Name = "12"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0218002b190017030100203bfebde9a8e41dc51e361c135f24a7d001553e501d1989e8273c42570d62bff4
State = 0x90d4d2dd96cccb924b3cdc7780b3dc35
Message-Authenticator = 0xcad2dc0f9ca9a3aab35ea19c0b9b6356
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[sql] expand: %{User-Name} -> 12
[sql] sql_set_user escaped user --> '12'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '12' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '12' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'12' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[eap] EAP packet type response id 24 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 99 to 172.16.15.1 port 1027
EAP-Message = 0x04180004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 23.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 21 ID 97 with timestamp +108
Cleaning up request 22 ID 98 with timestamp +108
Cleaning up request 23 ID 99 with timestamp +108
Ready to process requests.
THANK YOU WITH BEST REGARDS
AMIN AHOORA
3
4
I've got a client's server running FreeRADIUS 2.1.10 from source. Linux
kernel 2.6.35.7, heavily customized Slackware 13.0 So far, not using
chroot, running as root.
It's a EAP-TLS setup with OpenSSL verifying via 'client = ',
tmpdir = /tmp/radiusd
Everything has been fine for weeks, but this morning:
Jan 3 08:04:32 dns1 radiusd[22737]: Invalid user: [xxxxxx/<no User-Password
attribute>] (from client xxxx port 0 cli xx-xx-xx-xx-xx-xx)
Jan 3 08:04:36 dns1 radiusd[22737]: [auth_log] rlm_detail: Couldn't open file
/var/log/radius/radacct/x.x.x.x/auth-detail-20110103: Too many open files
I checked 'lsof -p' against the running radiusd and the line count of it's
output was 1054. Other than the typical linked libraries, socket, etc. at
the top, the rest was "(deleted)" lines like this one:
radiusd 22737 root 1022u REG 104,2 1334 404429
/tmp/radiusd/radiusd.client.XXGcdadx (deleted)
In the meantime, I raised the limit with ulimit and restarted.
I'm open to further (late night) testing, patching, whatever...
Thanks,
Jason
--
Jason Englander <jason(a)englanders.us>
394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA
2
3
Help me
i read full documentation of this server but problem remain
i send you with last email in sql module log
and i this maybe occurs with my sql configuration but in file mode module i
have same problem
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Nov
14 2010 at 03:05:12
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/modules/files
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "aminahooradkpw"
nastype = "other"
}
client 10.10.10.2 {
require_message_authenticator = no
secret = "aminahooradkpw"
shortname = "SingleRouter"
nastype = "mikrotik"
}
client 192.168.137.2 {
require_message_authenticator = no
secret = "aminahooradkpw"
shortname = "SingleRouter"
nastype = "mikrotik"
}
client 172.16.15.1 {
require_message_authenticator = no
secret = "dkpw"
shortname = "wireless"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/radiusd.conf
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/radiusd.conf
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/radiusd.conf
mschap {
use_mppe = no
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_cert_cn = "%{User-Name}"
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
bind_address = *
WARNING: The directive 'bind_address' is deprecated, and will be removed in
future versions of FreeRADIUS. Please edit the configuration files to use
the directive 'listen'.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=176,
length=127
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02110007013130
Message-Authenticator = 0x04fff75e7f186f6ea10588cb2241d5d2
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 17 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 176 to 172.16.15.1 port 1027
EAP-Message = 0x011200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9cb3b165fbd692931fddb1e7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=177,
length=222
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0212005419800000004a16030100450100004103014d150aea2b4d30a28baa51de77dde94e3089e861c19507aeb18d51fae369150b00001a002f000500040035000a000900030008003300390016001500140100
State = 0x9ca1a80e9cb3b165fbd692931fddb1e7
Message-Authenticator = 0x03f021f9c6cb610f8043acacd690bb14
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 18 length 84
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 74
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0045], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 177 to 172.16.15.1 port 1027
EAP-Message =
0x0113040019c00000089b160301002a0200002603014d0d79121f619ae704fedcbf9402c4aed6108b549489614209008236d368e5b700002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3039313131323130323732355a170d3130313131323130323732355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ed4b1ec73b577eb4dd302dc0192331e6e40993f78258093329b68770e5e928e1461a574ce4132402dd833efec617ff947bc6da7606f3ea98e628113ad6cc
EAP-Message =
0xabe291939f4b51566ff040429e307a26bea0beaea5ba59ddafe252c9eaee68ec220f0bf86d147dd1d20ba2257c168b0b9b1a4ca74417142b6a9c860552aa014cfd2ac15ec28ad1803eda7fe54e31bcf5fe774c9445337d94fa53a3638936a1edba4cedc9d7715919fade13eba12d84de71550a214ce20f985919cd4e4a3fc555f0117a0137eb93edeb98ff973367e1535737d76a62692870da46bbacd24c1f47a6f95594688a6c76a660e371d0ee68a6714389ee571e02283028d71161aad17aadef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007348a9f7eb447a0a18
EAP-Message =
0x1a35b4290a56356ef5bdd344c898ae5782513d75d21362e94f76c6adc2c9f119f49e142c786edcc26ffb9e1b9f67013c32f5b289c6963372be252bf780766be2861ec76e3b5afdbe6ff3486bf7ad65079b41c000c72d105b8c95d0bdf2c24553f9578d71beb518892510fc3205ef923fb02ed4ac3d282d8cfa9d173ba5cc3e47949ed06ef6fbc8328a86ff45c50061f0d0d5e41d7712a92a927497e5c9f7c6f5d07ead4e9ffe1a866ffa134d5f5aeae24fb6c9b350a025a0db619e6a2edabac6ef7e80b72ac02c87feea8f951c4ddd3292e087a52a8265e99dcd4cde088847424f21879c6d20f04e412363885aaec4973e7815fcfc53230004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9db2b165fbd692931fddb1e7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=178,
length=144
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021300061900
State = 0x9ca1a80e9db2b165fbd692931fddb1e7
Message-Authenticator = 0x1137081fd9ba42765a28a148ee37c3da
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 19 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 178 to 172.16.15.1 port 1027
EAP-Message =
0x011403fc194000dcdbb13f82d4ce56300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313131323130323732355a170d3130313131323130323732355a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4a62d9a3d9c2555520f25042b2a8b08ba1e61f07eee939363de3239d5d522b79938a269dae2eb5881c9e60fba117d1dcdbc83407a13bdde6a5d1ffd630e9613c34fad618dee5733d6ebc5df0ed3a641705baaa7250ce6a558ccef6f7def5f18f99bcc908f5a0e708f158ee77ecddc
EAP-Message =
0x8969bdf71edf554961b83f8c719cb533f47a592d81e16e77b201ed464f09be9125da469bbb0e43bc76e23bc01f2eb78c7cca22e50382a384908b7fb1f416503d37b1c955303a144ca270259872f80c44ce20cf11a44e297ca763ac058de9cb83656ec62943d728f2c5499524542f3dbb61051d7e0a9a92d7fe883670624e751d7ec9fedc674cf73f4822361b8f263d2a650203010001a381fb3081f8301d0603551d0e041604146f2687e7262e22aecd2188eb6efb02eba39839fd3081c80603551d230481c03081bd80146f2687e7262e22aecd2188eb6efb02eba39839fda18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message =
0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900dcdbb13f82d4ce56300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100647c9fcfe32740d5d6df5d621dd28948d3b5ba585446ce00a3f175f3fb60177f372d72b57463fd28220023dcc8873bd56b4bc89c39acdb8e334aaf6ac6009a784d7c780bd79366113bfbdb7d3af852bd2b9d
EAP-Message = 0x5759f29e94ec8aef
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9eb5b165fbd692931fddb1e7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=179,
length=144
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021400061900
State = 0x9ca1a80e9eb5b165fbd692931fddb1e7
Message-Authenticator = 0x312e182ce06032e4516f6d50a6c4c129
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 20 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 179 to 172.16.15.1 port 1027
EAP-Message =
0x011500b51900bf21a0b69a3e67caac09ed7c1cfbe98ac4b9e2d992a78310ee9b777b568fc84698be69b725c44305c38668cbfdf2fc4d2bd20a0a2ccca4a713772ac2d5867ce172062d8dba01d5fae9b313874d1eb94c2489edd82862b33ef58e0e0558093917fed55cb1a9b0f8fe70811709ca05d6ed1549e6377527c4a2c68c3ff021ae6f52fa1ba9e4832dad7a71d1f6775fdecb48936a9fff5e5e0910dc5645e144ad54538828a11e269616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9fb4b165fbd692931fddb1e7
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=180,
length=476
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x021501501980000001461603010106100001020100498a4854d4465ef574b4954c3c8ee6b9ae2d8ee5cf9aa79e64d7bc3cf81f0be4ad0a50782e0af7e23c14ba838680fbaf95cd58afe9d8d95d8f0a17cc7278f9841fa2334fab620dee7d4f97675b0d3f729104e25cd46051d0731ead475a45a4d22b9e60f5db2026ffe3a73facda7e5f45715de1560ca853fcf80c89dbf0b8608c5743d86ee6d02605dce1061a91b92be6c1602070ae49b93d48dbef5f41cdd81bf1a0dcbc647f2a3c5658035530d44e222a7659ad7d6a5492d5c39ab5bc75b7cc2b689af8cf9092b92833509df984b19f32d98d5345ad77717505760bdd5ed9295a3ce1da0aff0012
EAP-Message =
0xc119bae4349284a4ad2e9fb29ba4effba1c5e1697194040f1403010001011603010030333c379e1cebfa25f09bdd6df6ea7960b7cfbe9e378b62b682c6d05f0afc08e1b6ae003652ebe60bac4709d46ad0e4ae
State = 0x9ca1a80e9fb4b165fbd692931fddb1e7
Message-Authenticator = 0xf40facdf859bf71c40af155b112cbf50
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 21 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 180 to 172.16.15.1 port 1027
EAP-Message =
0x0116004119001403010001011603010030fb7d3c24d1c65b12dfa94d1ecdc6ddcc9d646faa4ecd36827418b2332203481407386ca214b13d7ab1b8cf9662552c07
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e98b7b165fbd692931fddb1e7
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=181,
length=144
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021600061900
State = 0x9ca1a80e98b7b165fbd692931fddb1e7
Message-Authenticator = 0x2f0dd64255b0a8380e6a9b4871dfbdab
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 181 to 172.16.15.1 port 1027
EAP-Message =
0x0117002b190017030100207a938b37cd6503d215e4414cb1fd370240a2498818dfa70c7edc86e56bac80a1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e99b6b165fbd692931fddb1e7
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=182,
length=181
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0217002b19001703010020e7748073d57a68c015f4fe8d1273a2e1212cff4a26e245f4d62330ca0ddca5e2
State = 0x9ca1a80e99b6b165fbd692931fddb1e7
Message-Authenticator = 0xf80a05119c3182a4c5097b214aeb7c37
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 23 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - 10
[peap] Got inner identity '10'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02170007013130
server {
PEAP: Setting User-Name to 10
Sending tunneled request
EAP-Message = 0x02170007013130
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "10"
server inner-tunnel {
No such virtual server "inner-tunnel"
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 182 to 172.16.15.1 port 1027
EAP-Message =
0x0118002b19001703010020e922ee925838ed77c8b562883e7b7212c98e7180a9a9876b938d9d36de040ecd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9ab9b165fbd692931fddb1e7
Finished request 6.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=183,
length=181
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0218002b1900170301002023f62825916276e5903af5875752449fa84f8fbba2c38c0814de3f094d11738e
State = 0x9ca1a80e9ab9b165fbd692931fddb1e7
Message-Authenticator = 0x4271c9b17c0f2c3e8603ec2c6bbbc268
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 24 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 183 to 172.16.15.1 port 1027
EAP-Message = 0x04180004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 7.
Going to the next request
Waking up in 4.6 seconds.
#################################################################################
and this is my radius configuration file
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
#user = freerad
#group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
#listen {
# ipaddr = 172.16.15.1
# port = 1812
# type = auth
# virtual_server = one
# }
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = before
lower_pass = before
nospace_user = before
nospace_pass = before
checkrad = ${sbindir}/checkrad
#security {
# max_attributes = 200
# reject_delay = 1
# status_server = no
#}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
mschap {
authtype = MS-CHAP
use_mppe = no
#require_encryption = yes
#require_strong = yes
# authtype = MS-CHAP
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
#$INCLUDE ${confdir}/sql.conf
$INCLUDE ${confdir}/eap.conf
$INCLUDE ${confdir}/modules/files
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
}
instantiate {
}
authorize {
#preprocess
chap
mschap
#sql
files
eap
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
acct_unique
}
accounting {
#detail
#sql
}
session {
#sql
}
post-auth {
#sql
}
THANK YOU WITH BEST REGARDS
AMIN AHOORA
5
10
Hi,
I want to setup FreeRadius for simple MAC based authorization.
Some documents which explain Mac-Auth refer to /etc/raddb/policy.conf
But I don't see that policy.conf in the rpm that
I installed: freeradius.x86_64 0:1.1.3-1.6.el5
Is the above package incomplete? Or do I have to create the policy.conf?
What other changes are required for Mac-auth?
Thanks for any help on this.
Cheers,
Nagaraj
2
1