Hi , i have just configured WPA with my radius working with ldap and pptp (VPN for windows client), i have uncommented peap parts and tls from eap.conf, created TLS keys, radius responses like ok, but still windows can not connect with a result unable to connect to network : here is my radius log (radiusd -X ) : Ready to process requests. rad_recv: Access-Request packet from host 10.123.42.11:3072, id=133, length=165 User-Name = "boss" NAS-IP-Address = 10.123.42.11 NAS-Port = 0 Called-Station-Id = "001cf05a2b71" Calling-Station-Id = "001b77392d05" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201000901626f7373 Message-Authenticator = 0xddd1cfc8f7271cf16ed0a682ca273fda Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "boss", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for boss radius_xlat: '(uid=boss)' radius_xlat: 'ou=Users,o=Polarion' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.labs.polarion.com:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/pki/CA/cacert.pem rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as cn=radius,ou=Operators,o=Polarion/radius to ldap.labs.polarion.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Users,o=Polarion, with filter (uid=boss) rlm_ldap: checking if remote access for boss is allowed by dialupAccess rlm_ldap: Added password xxx in check items rlm_ldap: Added password {CRYPT}DsKv3sgtnbJs. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user boss authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 133 to 10.123.42.11 port 3072 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010200160410c17d5cc4249e64748a3829d8b9ed0b0a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xebeac4a30b2b6a98c367497236ace6e6 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.123.42.11:3072, id=134, length=174 User-Name = "boss" NAS-IP-Address = 10.123.42.11 NAS-Port = 0 Called-Station-Id = "001cf05a2b71" Calling-Station-Id = "001b77392d05" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060319 State = 0xebeac4a30b2b6a98c367497236ace6e6 Message-Authenticator = 0x4b85c8e85bc77e7acec2836c717592e0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "boss", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for boss radius_xlat: '(uid=boss)' radius_xlat: 'ou=Users,o=Polarion' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,o=Polarion, with filter (uid=boss) rlm_ldap: checking if remote access for boss is allowed by dialupAccess rlm_ldap: Added password xxx in check items rlm_ldap: Added password {CRYPT}DsKv3sgtnbJs. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user boss authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 134 to 10.123.42.11 port 3072 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99b26000ca98d265024101e392f4e0f4 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.123.42.11:3072, id=135, length=283 User-Name = "boss" NAS-IP-Address = 10.123.42.11 NAS-Port = 0 Called-Station-Id = "001cf05a2b71" Calling-Station-Id = "001b77392d05" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02030073198000000069160301006401000060030147fdfe009368704b239dc707c8df342badb9125a23c4386ec5642f4dde69cc30000018002f00350005000ac009c00ac013c01400320038001300040100001f000000090007000004626f7373000a00080006001700180019000b00020100 State = 0x99b26000ca98d265024101e392f4e0f4 Message-Authenticator = 0xa32645b3a95d86f1aa2a2d2884436608 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "boss", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 115 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for boss radius_xlat: '(uid=boss)' radius_xlat: 'ou=Users,o=Polarion' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,o=Polarion, with filter (uid=boss) rlm_ldap: checking if remote access for boss is allowed by dialupAccess rlm_ldap: Added password xxx in check items rlm_ldap: Added password {CRYPT}DsKv3sgtnbJs. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user boss authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0064], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0658], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 135 to 10.123.42.11 port 3072 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0104040a19c0000006b5160301004a02000046030147fdfe02b1a4ae5877abf205cc38701c976083493c62b1a28c018006ee7dd1b0201e218bf0d200f9af66934c627e7b0202f7ee6f6b7e55fced25e648bfb4a82016002f0016030106580b0006540006510003343082033030820299a003020102020103300d06092a864886f70d0101050500308190310b300906035504061302435a311730150603550408130e437a6563682052657075626c69633121301f060355040a1318506f6c6172696f6e20536f6674776172652c732e722e6f2e310b3009060355040b13024954311530130603550403130c446176696420486c6163696b3121301f0609 EAP-Message = 0x2a864886f70d010901161261646d696e40706f6c6172696f6e2e636f6d301e170d3038303430313232313730325a170d3039303430313232313730325a3081ad310b300906035504061302435a311730150603550408130e437a6563682052657075626c6963310f300d0603550407130650726167756531223020060355040a1319506f6c6172696f6e20536f6674776172652c20732e722e6f2e310b3009060355040b13024954311e301c060355040313157378322e6c6162732e706f6c6172696f6e2e636f6d3123302106092a864886f70d010901161461646d696e40706f6c61646972696f6e2e636f6d30819f300d06092a864886f70d010101 EAP-Message = 0x050003818d0030818902818100b8b50c7d4c6b38eb230e0ed4620584d7c1b7b01f0a4dd722f0e6b70cb1e3f766d20ed5ffd3980048dc1fb96c575b9fcdfc00370099b7f77177b8501ef803d8958a4bc0506b5d9d68b818b0ec691687f317033178a943d7d36bb8c8c0710e0ad5a62de862cd9fb8aba2cef590f95821d06470a4260b4e9d7d120bda632e46940f0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414c5aa4697905511d2be09acdb494f7b2d71f19daf301f0603551d23041830168014a175 EAP-Message = 0xc012b7b04b01be5b898091f49e87c15edfc4300d06092a864886f70d0101050500038181005cb3b5a56589d4536935e04eadf4c4e254127edd73c49f6075a03e86c2e8273379b829cfeffcdcc8cd0124a401d306699a6968d09bd22cafd8eb1010f5bc1ce9c07c94bce99178b8602b0f64376e2da0577ad8b5ac6b17ac412830f44fabbb48456d6ff0275b7aa22db86eb3f03ee1ac31280fe2380ba922a3a4d5634e55ed82000317308203133082027ca003020102020100300d06092a864886f70d0101050500308190310b300906035504061302435a311730150603550408130e437a6563682052657075626c69633121301f060355040a1318506f EAP-Message = 0x6c6172696f6e20536f6674776172652c732e722e6f2e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x314be08f865ca960862254a0e8bbc012 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.123.42.11:3072, id=136, length=174 User-Name = "boss" NAS-IP-Address = 10.123.42.11 NAS-Port = 0 Called-Station-Id = "001cf05a2b71" Calling-Station-Id = "001b77392d05" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x314be08f865ca960862254a0e8bbc012 Message-Authenticator = 0x4ffe78dc0c0ac5700556cdc34c9d2ee7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "boss", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for boss radius_xlat: '(uid=boss)' radius_xlat: 'ou=Users,o=Polarion' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,o=Polarion, with filter (uid=boss) rlm_ldap: checking if remote access for boss is allowed by dialupAccess rlm_ldap: Added password xxx in check items rlm_ldap: Added password {CRYPT}DsKv3sgtnbJs. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user boss authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 136 to 10.123.42.11 port 3072 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010502bb1900310b3009060355040b13024954311530130603550403130c446176696420486c6163696b3121301f06092a864886f70d010901161261646d696e40706f6c6172696f6e2e636f6d301e170d3038303430313139323932385a170d3131303430313139323932385a308190310b300906035504061302435a311730150603550408130e437a6563682052657075626c69633121301f060355040a1318506f6c6172696f6e20536f6674776172652c732e722e6f2e310b3009060355040b13024954311530130603550403130c446176696420486c6163696b3121301f06092a864886f70d010901161261646d696e40706f6c6172696f6e2e EAP-Message = 0x636f6d30819f300d06092a864886f70d010101050003818d0030818902818100aadaaf37b6a0a71c376ba2add87d864494b8037dac4723436fcd4b018f325d5af3e0dbce665910bbc073ffc41289ace34a2cf56b2faf58765f2237b5e79ea13a211422347c56bcbd72e35dedb3d6c253892ceb778dc9a2d49c3481523b05f052880868f52dc43f639a8b3982169b3664b995728bcbaf2201bf37d33b49a82e310203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414a175c012b7b04b01be5b898091f49e87 EAP-Message = 0xc15edfc4301f0603551d23041830168014a175c012b7b04b01be5b898091f49e87c15edfc4300d06092a864886f70d01010505000381810004b58fbb98da552f9efe00e64e8ff994d9275915d868ab1dab94f8b05c6add140d9f12afc64430de6e4ea7702b20c93f9e897a44f1774092df6b2603faab1913b5b3c24ca89f63163ee9fdc4beff67d9f976c3ecf83ce30c4eedfb731eaffeb0fabf4e03cbdf122af3cb45f4f8365cfe842e236186d97a35c64cf8043678708c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x92b1436e5f136b0fcaee0bc38a032734 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.123.42.11:3072, id=137, length=174 User-Name = "boss" NAS-IP-Address = 10.123.42.11 NAS-Port = 0 Called-Station-Id = "001cf05a2b71" Calling-Station-Id = "001b77392d05" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0x92b1436e5f136b0fcaee0bc38a032734 Message-Authenticator = 0x0530f7f118530a0c8eae3d63bab94be9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "boss", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for boss radius_xlat: '(uid=boss)' radius_xlat: 'ou=Users,o=Polarion' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,o=Polarion, with filter (uid=boss) rlm_ldap: checking if remote access for boss is allowed by dialupAccess rlm_ldap: Added password xxx in check items rlm_ldap: Added password {CRYPT}DsKv3sgtnbJs. in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user boss authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 137 to 10.123.42.11 port 3072 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010600061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd79ee44aa26729aa589e2e46d1dc189b Finished request 4 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 133 with timestamp 47fdfe02 Cleaning up request 1 ID 134 with timestamp 47fdfe02 Cleaning up request 2 ID 135 with timestamp 47fdfe02 Cleaning up request 3 ID 136 with timestamp 47fdfe02 Cleaning up request 4 ID 137 with timestamp 47fdfe02 Nothing to do. Sleeping until we see a request. 2008/3/30 Ivan Kalik <tnt@kalik.net>:
Since Win XP is what most people have, you probably want to use PEAP. That forms a TLS outer tunnel and then does EAP-MSCHAPv2 in the inner tunnel. Since you already have mschap (and ldap) working, there is very little to do. If you have 1.1.x you need to create certificates and configure tls and peap sections in eap.conf. With 2.0.x you probably don't need to do anything at all - it will "just work".
Ivan Kalik Kalik Informatika ISP
Dana 30/3/2008, "David Hláčik" <david@hlacik.eu> piše:
Hi i have freeradius mschap ldap working configuration - i am using it for pptpd (VPN server) to authentificate against freeradius with ldap . Windows VPN client can connect to our company network and use it.
Next i want to add user/password auth to our WIFI (based on Dlink AP - with radius support). We are currently using wpa-preshared key. i want to use wpa enterprise with ldap authentification (providing username and password) without need to install any certificate on windows.
First to make a clear - how do i achieve it? --- i mean exactly which protocol i need to use and how it works (some shortcut to such howto)
How do i arrange to use same freeradius for currently working VPN and for my plan to make wpa enterprise.
Thanks in advance!
David
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html