Try by adding jwinius Cleartext-Password := xxx On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius <jwinius@umrk.nl> wrote:
Hi folks,
Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But, that's not working out as I had hoped.
Could sombody please tell me what's missing, or what I'm doing wrong? So far I have done the following:
1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the previous configuration to the /etc/freeradius/certs directory. To generate them, each time I used "LongStringNumberOne" for both the input and output passwords. Among the encryption files generated are ca.pem, dh, server.key and server.pem. The ca.pem file was also copied to my laptop's /etc/certs directory and is used with wpasupplicant for testing the system.
2.) Added the following lines to the end of /etc/freeradius/clients:
client 192.168.2.0/24 { secret = LongStringNumberTwo shortname = mynet }
3.) Added the following line to the end of /etc/freeradius/users:
DEFAULT Auth-Type = Pam
4.) In /etc/freeradius/eap.conf I changed the values of the following two attributes to:
default_eap_type = ttls private_key_password = LongStringNumberOne
5.) In /etc/freeradius/radiusd.conf I changed the value of the following attribute to:
user = root
6.) In both /etc/freeradius/sites-enabled/**default and /etc/freeradius/sites-enabled/**inner-tunnel, I uncommented the "pam" entry in section "authenticate".
7.) Some sources suggest changing it, but I chose to leave the contents of /etc/pam.d/radiusd unmodified:
@include common-auth @include common-account @include common-password @include common-session
8.) My NAS is a Linksys is a WRT54GS running DD-WRT v24 firmware and is configured as follows:
Wireless Mode AP Wireless Network Mode Mixed Wireless Network Name (SSID) mynet Wireless Channel 6 - 2.437 GHz Wireless SSID Broadcast Enable Network Configuration Bridged
Security Mode WPA2 Enterprise WPA Algorithms TKIP+AES RADIUS Server Address 192.168.2.12 RADIUS Server Port 1812 RADIUS Shared Secret LongStringNumberTwo Key Renewal Interval (in sec.) 3600
Unfortunately, after starting the server in debugging mode with "freeradius -X", my client's authentication attempts get rejected and I get the following output from the freeradius server:
==============================**===========
rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245 Cleaning up request 6 ID 0 with timestamp +12 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!**!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!** !!!!!!!!!! WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish! WARNING: !! Please read http://wiki.freeradius.org/ Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!**!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!** !!!!!!!!!! User-Name = "jwinius" NAS-IP-Address = 192.168.2.2 Called-Station-Id = "0014bf72f676" Calling-Station-Id = "00110a81fb2b" NAS-Identifier = "0014bf72f676" NAS-Port = 17 Framed-MTU = 1400 State = 0x2ecb21dd28cc340c8873b5871c63**7572 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700701500170301002073bdd7** 051dfb44f3caccd4c92... Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a04**71b0 # Executing section authorize from file /etc/freeradius/sites-enabled/ default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/**default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd51**11997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201001604109f00ed2b3ff2dd51**11997f0ba6cee99e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "jwinius" State = 0xdbd7fca1dbd6f80c791225e3340e**a6e4 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/ inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 211 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/**inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x0000000000000000000000000000**0000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user jwinius [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/**default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jwinius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 0 to 192.168.2.2 port 1025 EAP-Message = 0x04070004 Message-Authenticator = 0x0000000000000000000000000000**0000
==============================**===========
Any idea what I'm doing wrong?
Thanks,
Jaap - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>