PEAP etc use inner-tunnel, radtest is just a PAP or MSCHAP method, without any EAP so it doesnt use inner-tunnel....and therefore will use whatever auth methods you only have in the outer phase (in 'default' server with a default install) - you could try using eg eapol_test (part of wpa_supplicant) - or, use radtest against the direct inner-tunnel listener - read the inner-tunnel config..it has a listen on localhost 18121 or 18120 or such.... direct your radtest to that. note that this config wont work if you have real external users (ie users that you proxy off to a remote RADIUS server - eg in eduroam - for that you need to also look at setting VLANs in the post-auth outer phase (or dont assign a VLAN and hope your kit drops people correctly onto a predefined default vlan. alan On 28 April 2017 at 22:06, Michel Villeneuve <Michel.Villeneuve@univ-brest.fr> wrote:
Hi,
I use freeradius-3.0.12 on centos 7.3 with an openldap 2.4 and a samba attribute EAP / PEAP authentication MSCHAPV2.
I want to authentificate and authorize users according to their attribute on the LDAP. I created an attribute LDAP-Desc mapped with the field eduPersonPrimaryAffilation on my LDAP. I want to put user on specific VLAN if they are students, employee .... or outer people.
For that I use in the inner-tunnel the capabilities to return AVP like Tunnel-Private-Group-Id with the good value .
It's work very well, for internal and also for external people. I tested also the realm value in the default server and I put also the good Tunnel-Private-Group-Id depending the value of realm. It's work with device like smartphone, pc ... and also with the command.
eapol_test -c afile -p1812 -smysecret -r1
Everything seems good but not when I use radtest command
I can't authentificate internal or external people with the test command radtest
[root@freeradius-3-a test]# radtest 'teststudent' 'a1z2e3r4*' localhost 1812 mysecret
Sent Access-Request Id 154 from 0.0.0.0:54585 to 127.0.0.1:1812 length 81 User-Name = "teststudent" User-Password = "a1z2e3r4*" NAS-IP-Address = 195.83.247.135 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "a1z2e3r4*" Received Access-Reject Id 154 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
nor
radtest -t mschap 'teststudent' 'a1z2e3r4*' 127.0.0.1:18120 1 mysecret
I got ot@freeradius-3-a test]# radtest -t mschap 'teststudent' 'secret' 127.0.0.1:18120 1 mysecret Sent Access-Request Id 129 from 0.0.0.0:34088 to 127.0.0.1:18120 length 137 User-Name = "teststudent" MS-CHAP-Password = "a1z2e3r4*" NAS-IP-Address = 195.83.247.135 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "secret" MS-CHAP-Challenge = 0x3a7dd0c59a922170 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ae872e407e206d5579b1515fbf4e92f594e5c5e66739c6e7 Received Access-Reject Id 129 from 127.0.0.1:18120 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
Perhaps the problem comes from /etc/raddb/mods-enabled/mschap files and I tried differents values with no good results.
mschap { with_ntdomain_hack = no #authtype = MS-CHAP allow_retry = yes use_mppe=yes require_encryption = yes require_strong = yes ..... I am not sure about the good values needing for this section. I would like to have an advice before using this configuration in production environment.
here a debug with a Successful results
Thanks in advance for you help
PS: sorry for my english I hope it's comprehensible. -- Michel Villeneuve Tel 02 98 01 71 61
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html