Alan DeKok wrote:
jehan procaccia wrote:
hello, I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth. for this I've setup a simple users file
005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E"
Delete the "Auth-Type := Local". It doesn't do anything useful.
OK done
First ,it isn't clear to me wether to user Cleartext-Password or User-Password and == ou := , and "" or no "" around the password ...!? , anyway, with Cleartext-Password it works fine with radtest at least
The example in the FAQ and in the "users" file do NOT have Auth-Type. They DO use Cleartext-Password, and they DO use ":=".
All of the third-party web sites, FAQs, etc. are 2-3 years out of date, and are wrong.
Indeed I was "googleling" for exemples ...
[chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication
That says it doesn't have the Cleartext-Password.
...
[files] users: Matched entry DEFAULT at line 172
So... what's at line 172? Where is the "users" file entry you added?
line 172 was DEFAULT Framed-Protocol == PPP I moved Up my user entry at the top of the user files and now it seems to work :-) Athough I didn't set any chap password anywhere in freeradius !? (perhaps because of this from http://wiki.freeradius.org/HP /Note: A hashed version of the SRC address is also available in the CHAP-Password attribute.) ?/ rad_recv: Access-Request packet from host 157.159.7.138 port 1125, id=13, length=195 Framed-MTU = 1480 NAS-IP-Address = 157.159.7.138 NAS-Identifier = "Sw-C01" User-Name = "005004B7252E" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 26 NAS-Port-Type = Ethernet NAS-Port-Id = "26" Called-Station-Id = "00-1c-2e-b4-f2-66" Calling-Station-Id = "00-50-04-b7-25-2e" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" CHAP-Password = 0x0ccbeba82a75e0762efbf021c72bd5c45a Message-Authenticator = 0x3eae4885821478bc7bbcf7e45618c453 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.7.138/auth-detail-20090429 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.7.138/auth-detail-20090429 [auth_log] expand: %t -> Wed Apr 29 19:05:06 2009 ++[auth_log] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry 005004B7252E at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Using clear text password "005004B7252E" for user 005004B7252E authentication. [chap] chap user 005004B7252E authenticated succesfully ++[chap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 13 to 157.159.7.138 port 1125 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "15" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 13 with timestamp +37 Ready to process requests. My PC client isn't is the Vlan15 though .. it's getting late here in france ... I'll continue tomorrow ... thanks .
The FAQ says to add it at the TOP of the "users" file. That works best for testing.
Alan DeKok.