From what I remember : The “correct” format is to put all the check items on the first line of a given entry in the users file. But, in FreeRADIUS 2.x, if you do, EAP-SIM (and probably all EAP types, though I did not test) will not work. So you have to put them in the “reply” list (ie on multiple lines in the users file). And ignore the warnings… In FreeRADIUS 3.x, this has been fixed, so you can comply with the warning, and put all check items on first line of entry. De : freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org [mailto:freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org] De la part de rafa alfurqan Envoyé : mardi 5 août 2014 04:02 À : freeradius-users@lists.freeradius.org Objet : Fwd: warnings on users file Hi all, again i've tried users configuration for a few times. i always failed when i'm trying these formats <mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org> 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org> EAP-Type := SIM EAP-Sim-Rand1 = 0xBDA21CB60EF945da9A8BA56667B49027, EAP-Sim-SRES1 = 0x04d995bc, EAP-Sim-KC1 = 0xBBe0a7c68Aea1c00, EAP-Sim-Rand2 = 0x621F1DAC915B4dbf8A0842E88B97BBBE, EAP-Sim-SRES2 = 0xD9b5f235, EAP-Sim-KC2 = 0x33d1ae11914c4800, EAP-Sim-Rand3 = 0x6AD4284810DD42ca8A60A410F7746820, EAP-Sim-SRES3 = 0xB29eb39b, EAP-Sim-KC3 = 0x1E62ae2aA0a66400 but if i tried based on log, [/etc/freeradius/users]:204 WARNING! Check item "EAP-Sim-Rand1" found in reply item list for user "1510101425520064@wlan.mnc101.mcc510.3gppnetwork.org<mailto:1510101425520064@wlan.mnc101.mcc510.3gppnetwork.org>". This attribute MUST go on the first line with the other check items so i do in one line, 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org> EAP-Sim-Rand1 = 0xBDA21CB60EF945da9A8BA56667B49027, EAP-Sim-SRES1 = 0x04d995bc, EAP-Sim-KC1 = 0xBBe0a7c68Aea1c00, EAP-Sim-Rand2 = 0x621F1DAC915B4dbf8A0842E88B97BBBE, EAP-Sim-SRES2 = 0xD9b5f235, EAP-Sim-KC2 = 0x33d1ae11914c4800, EAP-Sim-Rand3 = 0x6AD4284810DD42ca8A60A410F7746820, EAP-Sim-SRES3 = 0xB29eb39b, EAP-Sim-KC3 = 0x1E62ae2aA0a66400 i do the same when i follow this instruction http://lists.freeradius.org/pipermail/freeradius-users/2014-March/071123.htm... and the result is the warning is gone! so, it's okay to use that format? honestly i really new with freeradius, i'll appreciate for any helps. it's my log realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.0/24<http://192.168.1.0/24> { require_message_authenticator = no secret = "eap-sim" shortname = "eap-sim" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file �?x�??? modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to sub-module rlm_eap_sim Module: Instantiating eap-sim Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_sim_files Module: Instantiating module "sim_files" from file /etc/freeradius/modules/sim_files sim_files { simtriplets = "/etc/freeradius/simtriplets.dat" } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 44186 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=151, length=259 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000038013135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 Message-Authenticator = 0xf77502a9d1ebb44e40a997fb52f4ad2a # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>" for User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>" ++[suffix] = noop rlm_sim_files: authorized user/imsi 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org> rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] = ok [eap] EAP packet type response id 0 length 56 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type sim [eap] Underlying EAP-Type set EAP ID to 127 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 151 to 192.168.1.1 port 2049 EAP-Message = 0x017f0014120a00000f0200020001000011010100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7659c0b27626d231a8579b0cb8f3e694 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=152, length=303 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x027f0058120a000007050000b7a1d8dbcbb4ebc3626016889cbfc212100100010e0e00333135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 State = 0x7659c0b27626d231a8579b0cb8f3e694 Message-Authenticator = 0x946a59632d3b96d1ba18ad68545b1eb6 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>" for User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>" ++[suffix] = noop rlm_sim_files: authorized user/imsi 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org> rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] = ok [eap] EAP packet type response id 127 length 88 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim +++> EAP-sim decoded packet: User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x027f0058120a000007050000b7a1d8dbcbb4ebc3626016889cbfc212100100010e0e00333135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700 State = 0x7659c0b27626d231a8579b0cb8f3e694 Message-Authenticator = 0x946a59632d3b96d1ba18ad68545b1eb6 EAP-Type = SIM EAP-Sim-Subtype = Start EAP-Sim-NONCE_MT = 0x0000b7a1d8dbcbb4ebc3626016889cbfc212 EAP-Sim-SELECTED_VERSION = 0x0001 EAP-Sim-IDENTITY = 0x3135313030313934363332383631363840776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267 [eap] Underlying EAP-Type set EAP ID to 128 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 152 to 192.168.1.1 port 2049 EAP-Message = 0x01800050120b0000010d0000bda21cb60ef945da9a8ba56667b49027621f1dac915b4dbf8a0842e88b97bbbe6ad4284810dd42ca8a60a410f77468200b05000066269155d778ece4a44df2898acaa745 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7659c0b277d9d231a8579b0cb8f3e694 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 2049, id=153, length=243 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Called-Station-Id = "004f62248f98" Calling-Station-Id = "70aab2eb15af" NAS-Identifier = "Realtek Access Point. 8186" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0280001c120b00000b0500004e314600d7dd8c432d922fe2e2f85e45 State = 0x7659c0b277d9d231a8579b0cb8f3e694 Message-Authenticator = 0xe28cce59df602509a3c3cfe9a99c5693 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "wlan.mnc001.mcc510.3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>" for User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" [suffix] No such realm "wlan.mnc001.mcc510.3gppnetwork.org<http://wlan.mnc001.mcc510.3gppnetwork.org>" ++[suffix] = noop rlm_sim_files: authorized user/imsi 1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org> rlm_sim_files: Adding EAP-Type: eap-sim ++[sim_files] = ok [eap] EAP packet type response id 128 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/sim [eap] processing type sim MAC check succeed [eap] Underlying EAP-Type set EAP ID to 129 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 153 to 192.168.1.1 port 2049 MS-MPPE-Recv-Key = 0x6e3afcc0cada4349d9e50c5b059f09a8561950974fc7a91ab4b085927b88ec4c MS-MPPE-Send-Key = 0xa1642e8992cf8c5937455aef07338c3b112ebbfcde037305d185b5367de606b0 EAP-Message = 0x03810004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org<mailto:1510019463286168@wlan.mnc001.mcc510.3gppnetwork.org>" Finished request 2. Going to the next request Waking up in 3.9 seconds. Cleaning up request 0 ID 151 with timestamp +10 Cleaning up request 1 ID 152 with timestamp +11 Waking up in 1.0 seconds. Cleaning up request 2 ID 153 with timestamp +12 Ready to process requests. thank you This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.