lists.freeradius.org
Sign In Sign Up
Manage this list Sign In Sign Up

Keyboard Shortcuts

Thread View

  • j: Next unread message
  • k: Previous unread message
  • j a: Jump to all threads
  • j l: Jump to MailingList overview
thread

Saman Kwok

1 Apr 2010 1 Apr '10
10:42 a.m.

Hi ,I am happing problem that I couldn't resolve alone. If anyone in the list could help me will be appreciated. I have access point EnGenius 2610 and I run freeradius under RHEL5.RHEL5 have two ethernet card, eth0 : 192.168.1.4 to Internet, eth1 to Wifi Client with IP 192.168.0.1 (Client is Windows XP). Client authenticated with MS-Chapv2. I had installed ca_cert.der in XP. when I run radiusd -X everytime seem fine. Ready to process requests.rad_recv: Access-Request packet from host 192.168.0.3 port 1024, id=4, length=194 User-Name = "GRACELIA-4E4DD9\\gracelia" NAS-IP-Address = 192.168.0.3 NAS-Port = 0 Called-Station-Id = "00-02-6C-5B-0A-A3:mars_net" Calling-Station-Id = "00-80-A8-C1-C0-A3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020d001d0147524143454c49412d3445344444395c67726163656c6961 Message-Authenticator = 0x5ad14aa7bbf1f169e0d16b594a0888ea+- entering group authorize {...}++[preprocess] returns ok++[chap] returns noop++[mschap] returns noop[suffix] No '@' in User-Name = "GRACELIA-4E4DD9\gracelia", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] EAP packet type response id 13 length 29[eap] No EAP Start, assuming it's an on-going EAP conversation++[eap] returns updated++[unix] returns notfound[files] users: Matched entry GRACELIA-4E4DD9\gracelia at line 94[files] expand: Hello, %{User-Name} -> Hello, GRACELIA-4E4DD9\gracelia++[files] returns ok++[expiration] returns noop++[logintime] returns noop[pap] Found existing Auth-Type, not changing it.++[pap] returns noopFound Auth-Type = EAP+- entering group authenticate {...}[eap] EAP Identity[eap] processing type tls[tls] Initiate[tls] Start returned 1++[eap] returns handledSending Access-Challenge of id 4 to 192.168.0.3 port 1024 Reply-Message = "Hello, GRACELIA-4E4DD9\\gracelia" EAP-Message = 0x010e00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b2c209a1b2239d39cc5bd6f4ac49d46Finished request 18.Going to the next requestWaking up in 4.9 seconds.Cleaning up request 18 ID 4 with timestamp +307Ready to process requests. But it keep looping Access-Challege and Access-Request without Access-Reject or authenticated. I believe the certificate already have OID. When I check with Access Point Log..here the output Jan 1 00:17:35 (none) daemon.debug setup.cgi[465]: main: process ./html/CM_SystemStatus.htm takes 2300 ms----------------------------Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: aborting authenticationJan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: unauthorizing portJan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: received EAP packet (code=2 id=54 len=29) from STA: EAP Response-Identity (1)Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: STA identity 'GRACELIA-4E4DD9\gracelia'Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Sending RADIUS message to authentication serverJan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 3 seconds Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:c3 RADIUS: Resending RADIUS message (id=28)Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 1 secondsJan 1 00:17:45 (none) daemon.debug setup.cgi[491]: cgi_setup::main()------------------>HTTP_REFERER=http://192.168.0.3/setup.cgi?reqfile=./html/left.htm if I try to bind to eth1 or IP-Address, the server not receipt any request. Here the client.conf setting # -*- text -*-#### clients.conf -- client configuration directives#### $Id$ ######################################################################### Define RADIUS clients (usually a NAS, Access Point, etc.). ## Defines a RADIUS client.## '127.0.0.1' is another name for 'localhost'. It is enabled by default,# to allow testing of the server after an initial installation. If you# are not going to be permitting RADIUS queries from localhost, we suggest# that you delete, or comment out, this entry.## ## Each client has a "short name" that is used to distinguish it from# other clients.## In version 1.x, the string after the word "client" was the IP# address of the client. In 2.0, the IP address is configured via# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x# format is still accepted.#client localhost { # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) ipaddr = 192.168.1.4 # OR, you can use an IPv6 address, but not both # at the same time.# ipv6addr = :: # any. ::1 == localhost # # A note on DNS: We STRONGLY recommend using IP addresses # rather than host names. Using host names means that the # server will do DNS lookups when it starts, making it # dependent on DNS. i.e. If anything goes wrong with DNS, # the server won't start! # # The server also looks up the IP address from DNS once, and # only once, when it starts. If the DNS record is later # updated, the server WILL NOT see that update. # # One client definition can be applied to an entire network. # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and # "netmask = 8" # # If not specified, the default netmask is 32 (i.e. /32) # # We do NOT recommend using anything other than 32. There # are usually other, better ways to acheive the same goal. # Using netmasks of other than 32 can cause security issues. # # You can specify overlapping networks (127/8 and 127.0/16) # In that case, the smallest possible network will be used # as the "best match" for the client. # # Clients can also be defined dynamically at run time, based # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier, # etc. # See raddb/sites-available/dynamic-clients for details. # # netmask = 32 # # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the # default, otherwise it's not a secret any more! # # The secret can be any string, up to 8k characters in length. # # Control codes can be entered vi octal encoding, # e.g. "\101\102" == "AB" # Quotation marks can be entered by escaping them, # e.g. "foo\"bar" # # A note on security: The security of the RADIUS protocol # depends COMPLETELY on this secret! We recommend using a # shared secret that is composed of: # # upper case letters # lower case letters # numbers # # And is at LEAST 8 characters long, preferably 16 characters in # length. The secret MUST be random, and should not be words, # phrase, or anything else that is recognizable. # # The default secret below is only for testing, and should # not be used in any real environment. # secret = testing123 # # Old-style clients do not send a Message-Authenticator # in an Access-Request. RFC 5080 suggests that all clients # SHOULD include it in an Access-Request. The configuration # item below allows the server to require it. If a client # is required to include a Message-Authenticator and it does # not, then the packet will be silently discarded. # # allowed values: yes, no require_message_authenticator = no # # The short name is used as an alias for the fully qualified # domain name, or the IP address. # # It is accepted for compatibility with 1.x, but it is no # longer necessary in 2.0 ## shortname = localhost # # the following three fields are optional, but may be used by # checkrad.pl for simultaneous use checks # # # The nastype tells 'checkrad.pl' which NAS-specific method to # use to query the NAS for simultaneous use. # # Permitted NAS types are: # # cisco # computone # livingston # max40xx # multitech # netserver # pathras # patton # portslave # tc # usrhiper # other # for all other types # nastype = other # localhost isn't usually a NAS... # # The following two configurations are for future use. # The 'naspasswd' file is currently used to store the NAS # login name and password, which is used by checkrad.pl # when querying the NAS for simultaneous use. ## login = !root# password = someadminpas # # As of 2.0, clients can also be tied to a virtual server. # This is done by setting the "virtual_server" configuration # item, as in the example below. ## virtual_server = home1} # IPv6 Client#client ::1 {# secret = testing123# shortname = localhost#}## All IPv6 Site-local clients#client fe80::/16 {# secret = testing123# shortname = localhost#} #client some.host.org {# secret = testing123# shortname = localhost#} ## You can now specify one secret for a network of clients.# When a client request comes in, the BEST match is chosen.# i.e. The entry from the smallest possible network.#client 192.168.0.0/24 { secret = testing123-1 shortname = private-network-1}##client 192.168.0.0/16 {# secret = testing123-2# shortname = private-network-2#} #client 10.10.10.10 {# # secret and password are mapped through the "secrets" file.# secret = testing123# shortname = liv1# # the following three fields are optional, but may be used by# # checkrad.pl for simultaneous usage checks# nastype = livingston# login = !root# password = someadminpas#} ######################################################################### Per-socket client lists. The configuration entries are exactly# the same as above, but they are nested inside of a section.## You can have as many per-socket client lists as you have "listen"# sections, or you can re-use a list among multiple "listen" sections.## Un-comment this section, and edit a "listen" section to add:# "clients = per_socket_clients". That IP address/port combination# will then accept ONLY the clients listed in this section.##clients per_socket_clients {# client 192.168.3.4 {# secret = testing123# }#} Am I wrongly configured in client.conf hence NAS-port = 0. _________________________________________________________________ Looking for a new home? With all the latest places, searching has never been easier. http://clk.atdmt.com/NMN/go/157631292/direct/01/

Attachments:

  • attachment.html (text/html — 24.9 KB)
0 0
Reply
Sign in to reply online Use email software

Back to the thread

Back to the list

HyperKitty Powered by HyperKitty version 1.3.12.