Thanks for all advices. So, I decide to change my course. Now, I am using default radiusd.conf. I have installed hotfix for supplicant Windows XP SP2. I have also installed Certificate on supplicant based. Btw, I am using Linksys WAP4400N as my NAS access point now I still got this clueless log messages. Please, help me. rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3 ++[checkval] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: NAK asked for unsupported type 25 rlm_eap: No common EAP types found. rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> PIDEL-3C5B30E9C\Administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 3 to 10.0.0.2 port 1027 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 thanks in advance. On Fri, Aug 8, 2008 at 2:09 PM, Alan DeKok <aland@deployingradius.com> wrote:
Ramot Lubis wrote:
Yes, I aim not to install hotfix in Windows XP client.
Good luck.
My main purpose is to check valid MAC address of every Wireless Device (with Windows XP SP2). Based on "radiusd -X" log in my previous email, I tried to conclude that even in Authorization phase, calling-station-id has been validated to be match with MAC address data in SQL db. In this case, I don't need further Authentication phase.
That's not how EAP-TLS works.
However, I dont know how to configure radius server to ignore authentication phase. Is there any idea for me to follow?
If you only need to do MAC authentication, see MAC authentication bypass, which is in Cisco switches.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Aug 8, 2008 at 2:13 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Hi, I'm trying to implement FreeRadius to authenticate Wireless CLient based on MAC address only, unfortunately all my wireless client using EAP/TLS (Windows XP SP2) . I found that tutorials and doc are not leading me to the right direction. Besides, I will not burden my Windows XP SP2 client to search hotfix for EAP/TLS compatibility with FreeRadius.
there is no hotfix for EAP/TLS compatability. there ARE 2 important windows hotfixes for wireless supplicant bahaviour etc.
is enough to verified valid MAC address from Wireless Client. But my question is how can I use only Authorization where Authentication will always return Access-Accept.
you cant. if you're trying to use PEAP than you must follow all the specifications and return the correct stuff when and as needed. you cant just throw back an accept. if you want a noddy poor wireless infrastructure then just go for WPa-PSK or even a MAC-based captive portal
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html