I would like to test the security feature 802.1x EAP-TLS of our product. I set up FreeRadius and used the demo certificates. However, the server keeps rejecting access.

I noticed that the server complains about <no User Password attribute>, but the wireless device (supplicant) does not have a place for me to enter the password, only the login. So how to I configure FreeRadius to ignore the password attribute? Please help.

 

I have included the debug log and the user.conf file.

 

Here is the log when run in debug mode:

 

Ready to process requests.

rad_recv: Access-Request packet from host 192.168.254.26:1026, id=4, length=208

        Message-Authenticator = 0x9075ab275b5d9dca389e8646e992305e

        Service-Type = Framed-User

        User-Name = "FreeRADIUS.net-Client"

        Framed-MTU = 1488

        Called-Station-Id = "00-0B-6B-85-C3-68:radius"

        Calling-Station-Id = "00-0B-6B-84-44-C7"

        NAS-Identifier = "TEst"

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message = 0x0204001a01467265655241444955532e6e65742d436c69656e74

        NAS-IP-Address = 192.168.254.26

        NAS-Port = 1

        NAS-Port-Id = "STA port # 1"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 0

  modcall[authorize]: module "preprocess" returns ok for request 0

radius_xlat:  '../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.log'

rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.

log

  modcall[authorize]: module "auth_log" returns ok for request 0

  modcall[authorize]: module "chap" returns noop for request 0

  modcall[authorize]: module "mschap" returns noop for request 0

    rlm_realm: No '@' in User-Name = "FreeRADIUS.net-Client", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 0

  rlm_eap: EAP packet type response id 4 length 26

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 0

    users: Matched entry FreeRADIUS.net-Client at line 95

  modcall[authorize]: module "files" returns ok for request 0

rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.

  modcall[authorize]: module "pap" returns noop for request 0

modcall: leaving group authorize (returns updated) for request 0

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 0

  rlm_eap: EAP Identity

  rlm_eap: processing type tls

 rlm_eap_tls: Requiring client certificate

  rlm_eap_tls: Initiate

  rlm_eap_tls: Start returned 1

  modcall[authenticate]: module "eap" returns handled for request 0

modcall: leaving group authenticate (returns handled) for request 0

Sending Access-Challenge of id 4 to 192.168.254.26 port 1026

        EAP-Message = 0x010500060d20

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x81d7452a456ad519df0020eba90a201b

Finished request 0

Going to the next request

--- Walking the entire request list ---

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 192.168.254.26:1026, id=5, length=206

        Message-Authenticator = 0xb6900d65edf9c188d8eb45a273d4ceb0

        Service-Type = Framed-User

        User-Name = "FreeRADIUS.net-Client"

        Framed-MTU = 1488

        State = 0x81d7452a456ad519df0020eba90a201b

        Called-Station-Id = "00-0B-6B-85-C3-68:radius"

        Calling-Station-Id = "00-0B-6B-84-44-C7"

        NAS-Identifier = "TEst"

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 11Mbps 802.11b"

        EAP-Message = 0x020500060300

        NAS-IP-Address = 192.168.254.26

        NAS-Port = 1

        NAS-Port-Id = "STA port # 1"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 1

  modcall[authorize]: module "preprocess" returns ok for request 1

radius_xlat:  '../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.log'

rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/192.168.254.26/auth-detail-20080522.

log

  modcall[authorize]: module "auth_log" returns ok for request 1

  modcall[authorize]: module "chap" returns noop for request 1

  modcall[authorize]: module "mschap" returns noop for request 1

    rlm_realm: No '@' in User-Name = "FreeRADIUS.net-Client", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 1

  rlm_eap: EAP packet type response id 5 length 6

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 1

    users: Matched entry FreeRADIUS.net-Client at line 95

  modcall[authorize]: module "files" returns ok for request 1

rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.

  modcall[authorize]: module "pap" returns noop for request 1

modcall: leaving group authorize (returns updated) for request 1

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 1

  rlm_eap: Request found, released from the list

  rlm_eap: EAP NAK

 rlm_eap: NAK asked for bad type 0

  rlm_eap: Failed in EAP select

  modcall[authenticate]: module "eap" returns invalid for request 1

modcall: leaving group authenticate (returns invalid) for request 1

auth: Failed to validate the user.

Login incorrect: [FreeRADIUS.net-Client/<no User-Password attribute>] (from client radius port 1 cli 00-0B-6B-84-44-C7)

Delaying request 1 for 1 seconds

Finished request 1

Going to the next request

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 192.168.254.26:1026, id=5, length=206

Sending Access-Reject of id 5 to 192.168.254.26 port 1026

        EAP-Message = 0x04050004

        Message-Authenticator = 0x00000000000000000000000000000000

--- Walking the entire request list ---

 

 

 

 

##########This is the user.conf#################

….

 

 

############# RFC3580 ################

## Also the "eap.conf" MUST be modified to include the follow line:

## "use_tunneled_reply = yes"

## the default is "use_tunneled_reply = no"

## this allow the "Tunnel*" AV's to be passed outside the eap tunnel

## otherwise the switch will NOT see the VLAN to place the port into

#### Comments added by Jeff Reilly ####

 

 

testuser User-Password == "testpw"

 

#FreeRADIUS.net-Client         User-Password == "demo"

 

rfc3580            User-Password == "demo"

                        Tunnel-Type = "VLAN",

                        Tunnel-Medium-Type = "IEEE-802",

                        Tunnel-Private-Group-Id = "1",

                        Reply-Message = "Hello, %u"

 

FreeRADIUS.net-Client           Auth-Type := EAP      

 

                       

                       

#

# This is a complete entry for "steve". Note that there is no Fall-Through

# entry so that no DEFAULT entry will be used, and the user will NOT

# get any attributes in addition to the ones listed here.

#

#steve  Auth-Type := Local, User-Password == "testing"

#          Service-Type = Framed-User,

#          Framed-Protocol = PPP,

#          Framed-IP-Address = 172.16.3.33,

#          Framed-IP-Netmask = 255.255.255.0,

#          Framed-Routing = Broadcast-Listen,

#          Framed-Filter-Id = "std.ppp",

#          Framed-MTU = 1500,

#          Framed-Compression = Van-Jacobsen-TCP-IP

 

#

# This is an entry for a user with a space in their name.

# Note the double quotes surrounding the name.

#

#"John Doe"     Auth-Type := Local, User-Password == "hello"

#                      Reply-Message = "Hello, %u"

 

#

# Dial user back and telnet to the default host for that port

#

#Deg    Auth-Type := Local, User-Password == "ge55ged"

#          Service-Type = Callback-Login-User,

#          Login-IP-Host = 0.0.0.0,

#          Callback-Number = "9,5551212",

#          Login-Service = Telnet,

#          Login-TCP-Port = Telnet

 

#

# Another complete entry. After the user "dialbk" has logged in, the

# connection will be broken and the user will be dialed back after which

# he will get a connection to the host "timeshare1".

#

#dialbk Auth-Type := Local, User-Password == "callme"

#          Service-Type = Callback-Login-User,

#          Login-IP-Host = timeshare1,

#          Login-Service = PortMaster,

#          Callback-Number = "9,1-800-555-1212"

 

#

# user "swilson" will only get a static IP number if he logs in with

# a framed protocol on a terminal server in Alphen (see the huntgroups file).

#

# Note that by setting "Fall-Through", other attributes will be added from

# the following DEFAULT entries

#

#swilson           Service-Type == Framed-User, Huntgroup-Name == "alphen"

#                      Framed-IP-Address = 192.168.1.65,

#                      Fall-Through = Yes

 

#

# If the user logs in as 'username.shell', then authenticate them

# against the system database, give them shell access, and stop processing

# the rest of the file.

#

#DEFAULT     Suffix == ".shell", Auth-Type := System

#                      Service-Type = Login-User,

#                      Login-Service = Telnet,

#                      Login-IP-Host = your.shell.machine

 

 

#

# The rest of this file contains the several DEFAULT entries.

# DEFAULT entries match with all login names.

# Note that DEFAULT entries can also Fall-Through (see first entry).

# A name-value pair from a DEFAULT entry will _NEVER_ override

# an already existing name-value pair.

#

 

#

# First setup all accounts to be checked against the UNIX /etc/passwd.

# (Unless a password was already given earlier in this file).

#

DEFAULT       Auth-Type = System

            Fall-Through = 1

 

#

# Set up different IP address pools for the terminal servers.

# Note that the "+" behind the IP address means that this is the "base"

# IP address. The Port-Id (S0, S1 etc) will be added to it.

#

#DEFAULT     Service-Type == Framed-User, Huntgroup-Name == "alphen"

#                      Framed-IP-Address = 192.168.1.32+,

#                      Fall-Through = Yes

 

#DEFAULT     Service-Type == Framed-User, Huntgroup-Name == "delft"

#                      Framed-IP-Address = 192.168.2.32+,

#                      Fall-Through = Yes

 

#

# Defaults for all framed connections.

#

DEFAULT       Service-Type == Framed-User

            Framed-IP-Address = 255.255.255.254,

            Framed-MTU = 576,

            Service-Type = Framed-User,

            Fall-Through = No

 

#

# Default for PPP: dynamic IP address, PPP mode, VJ-compression.

# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected

#          by the terminal server in which case there may not be a "P" suffix.

#          The terminal server sends "Framed-Protocol = PPP" for auto PPP.

#

DEFAULT       Framed-Protocol == PPP

            Framed-Protocol = PPP,

            Framed-Compression = Van-Jacobson-TCP-IP

 

#

# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.

#

DEFAULT       Hint == "CSLIP"

            Framed-Protocol = SLIP,

            Framed-Compression = Van-Jacobson-TCP-IP

 

#

# Default for SLIP: dynamic IP address, SLIP mode.

#

DEFAULT       Hint == "SLIP"

            Framed-Protocol = SLIP

 

#

# Last default: rlogin to our main server.

#

#DEFAULT

#          Service-Type = Login-User,

#          Login-Service = Rlogin,

#          Login-IP-Host = shellbox.ispdomain.com

 

# #

# # Last default: shell on the local terminal server.

# #

# DEFAULT

#          Service-Type = Shell-User

 

# On no match, the user is denied access.