Thanks for the replies. I'm went back to using the default radiusd.conf, modified the client file to match my client IP subnet. However it seems that there is still a certificate mismatch. I built the cert in /etc/radddb/certs. Any ideas? I read that the certficate generated using the Makefile works with most OS'es. Client is running Windows 7. rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=211, length=156 User-Name = "testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "24-B6-57-D3-2C-8C" Calling-Station-Id = "5C-B9-01-B2-4A-15" EAP-Message = 0x0201000d017465737475736572 Message-Authenticator = 0x991bd0b24878be987307b9720dd4c9ed NAS-Port-Type = Ethernet NAS-Port = 50112 NAS-Port-Id = "GigabitEthernet1/0/12" NAS-IP-Address = 10.1.2.12 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry testuser at line 93 [files] expand: Hello, %{User-Name} -> Hello, testuser ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 211 to 10.1.2.12 port 1645 Reply-Message = "Hello, testuser" EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xadf0c5e3adf2dcafb375283b0a488eb1 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=212, length=167 User-Name = "testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "24-B6-57-D3-2C-8C" Calling-Station-Id = "5C-B9-01-B2-4A-15" EAP-Message = 0x020200060311 Message-Authenticator = 0x54788e58614c18954ae1c9fe3fdaa611 NAS-Port-Type = Ethernet NAS-Port = 50112 NAS-Port-Id = "GigabitEthernet1/0/12" State = 0xadf0c5e3adf2dcafb375283b0a488eb1 NAS-IP-Address = 10.1.2.12 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry testuser at line 93 [files] expand: Hello, %{User-Name} -> Hello, testuser ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/leap [eap] processing type leap rlm_eap_leap: Stage 2 rlm_eap_leap: Issuing AP Challenge rlm_eap_leap: Successfully initiated ++[eap] returns handled Sending Access-Challenge of id 212 to 10.1.2.12 port 1645 Reply-Message = "Hello, testuser" EAP-Message = 0x01030018110100087a19e6f0d4315cd47465737475736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xadf0c5e3acf3d4afb375283b0a488eb1 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=213, length=201 User-Name = "testuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "24-B6-57-D3-2C-8C" Calling-Station-Id = "5C-B9-01-B2-4A-15" EAP-Message = 0x020300281101001866e12f1d13159a30833646856e73271313b09d0bf85f645e7465737475 736572 Message-Authenticator = 0x22cf06518157775f54c2ecaa09311ee1 NAS-Port-Type = Ethernet NAS-Port = 50112 NAS-Port-Id = "GigabitEthernet1/0/12" State = 0xadf0c5e3acf3d4afb375283b0a488eb1 NAS-IP-Address = 10.1.2.12 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 40 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry testuser at line 93 [files] expand: Hello, %{User-Name} -> Hello, testuser ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/leap [eap] processing type leap rlm_eap_leap: Stage 4 rlm_eap_leap: NtChallengeResponse from AP is valid [eap] Underlying EAP-Type set EAP ID to 4 ++[eap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Challenge of id 213 to 10.1.2.12 port 1645 Reply-Message = "Hello, testuser" EAP-Message = 0x03040004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xadf0c5e3aff4d4afb375283b0a488eb1 Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 6 ID 211 with timestamp +10517 Cleaning up request 7 ID 212 with timestamp +10517 Cleaning up request 8 ID 213 with timestamp +10517 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xadf0c5e3aff4d4af did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. Regards Preyas -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+p.kamath=cornet.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, August 06, 2015 9:29 AM To: FreeRadius users mailing list Subject: Re: Switch sends EAP-Fail after Radius Access-Accept Hi,
[preyask@localhost controller-ned]$ cat /etc/raddb/small.conf listen { type = auth ipaddr = * port = 1812 } client 10.1.2.0/24 { # allow packets from 10.1.2.0/24 secret = testing123 shortname = 10.1.2.12 } modules { # We don't use any modules } authorize { # return Access-Accept for PAP and CHAP update control { Auth-Type := Accept } }
yeh. that wont work....start with the default configuration and THEN start slimming it down big hints - you are using EAP thus you ARE using modules....in fact ALL work in FreeRADIUS uses modules. you are doing EAP - therefore the request needs to go into a virtual server that is called in the eap.conf configuration. default in virtual-server. I'll repeat. stop what you are currently doing, install the default config, add your client and THEN start work....once its working and you get to know what each module does and how the server works, THEN reduce the configuration alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html