Hi ,
I am happing problem that I couldn't resolve alone. 
If anyone in the list could help me will be appreciated.

I have access point EnGenius 2610 and I run freeradius under RHEL5.
RHEL5 have two ethernet card, eth0 : 192.168.1.4 to Internet, eth1 to Wifi Client with IP 192.168.0.1 (Client is Windows XP).

Client authenticated with MS-Chapv2. I had installed ca_cert.der in XP.

when I run radiusd -X everytime seem fine.

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3 port 1024, id=4, length=194
        User-Name = "GRACELIA-4E4DD9\\gracelia"
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 0
        Called-Station-Id = "00-02-6C-5B-0A-A3:mars_net"
        Calling-Station-Id = "00-80-A8-C1-C0-A3"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020d001d0147524143454c49412d3445344444395c67726163656c6961
        Message-Authenticator = 0x5ad14aa7bbf1f169e0d16b594a0888ea
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "GRACELIA-4E4DD9\gracelia", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 13 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry GRACELIA-4E4DD9\gracelia at line 94
[files]         expand: Hello, %{User-Name} -> Hello, GRACELIA-4E4DD9\gracelia
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.0.3 port 1024
        Reply-Message = "Hello, GRACELIA-4E4DD9\\gracelia"
        EAP-Message = 0x010e00061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b2c209a1b2239d39cc5bd6f4ac49d46
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 4 with timestamp +307
Ready to process requests.

But it keep looping Access-Challege and Access-Request without Access-Reject or authenticated. I believe the certificate already have OID.

When I check with Access Point Log..here the output

Jan  1 00:17:35 (none) daemon.debug setup.cgi[465]: main: process ./html/CM_SystemStatus.htm takes 2300 ms----------------------------
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: aborting authentication
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: unauthorizing port
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: received EAP packet (code=2 id=54 len=29) from STA: EAP Response-Identity (1)
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: STA identity 'GRACELIA-4E4DD9\gracelia'
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Sending RADIUS message to authentication server
Jan  1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 3 seconds 
Jan  1 00:17:45 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:c3 RADIUS: Resending RADIUS message (id=28)
Jan  1 00:17:45 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 1 seconds
Jan  1 00:17:45 (none) daemon.debug setup.cgi[491]: cgi_setup::main()------------------>HTTP_REFERER=http://192.168.0.3/setup.cgi?reqfile=./html/left.htm

if I try to bind to eth1 or IP-Address, the server not receipt any request.

Here the client.conf setting

# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
#  Allowed values are:
# dotted quad (1.2.3.4)
#       hostname    (radius.example.com)
ipaddr = 192.168.1.4

#  OR, you can use an IPv6 address, but not both
#  at the same time.
# ipv6addr = :: # any.  ::1 == localhost

#
#  A note on DNS:  We STRONGLY recommend using IP addresses
#  rather than host names.  Using host names means that the
#  server will do DNS lookups when it starts, making it
#  dependent on DNS.  i.e. If anything goes wrong with DNS,
#  the server won't start!
#
#  The server also looks up the IP address from DNS once, and
#  only once, when it starts.  If the DNS record is later
#  updated, the server WILL NOT see that update.
#

#  One client definition can be applied to an entire network.
#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
#  "netmask = 8"
#
#  If not specified, the default netmask is 32 (i.e. /32)
#
#  We do NOT recommend using anything other than 32.  There
#  are usually other, better ways to acheive the same goal.
#  Using netmasks of other than 32 can cause security issues.
#
#  You can specify overlapping networks (127/8 and 127.0/16)
#  In that case, the smallest possible network will be used
#  as the "best match" for the client.
#
#  Clients can also be defined dynamically at run time, based
#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
#  etc.
#  See raddb/sites-available/dynamic-clients for details.
#

# netmask = 32

#
#  The shared secret use to "encrypt" and "sign" packets between
#  the NAS and FreeRADIUS.  You MUST change this secret from the
#  default, otherwise it's not a secret any more!
#
#  The secret can be any string, up to 8k characters in length.
#
#  Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
#  Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
#  A note on security:  The security of the RADIUS protocol
#  depends COMPLETELY on this secret!  We recommend using a
#  shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
#  And is at LEAST 8 characters long, preferably 16 characters in
#  length.  The secret MUST be random, and should not be words,
#  phrase, or anything else that is recognizable.
#
#  The default secret below is only for testing, and should
#  not be used in any real environment.
#
secret = testing123

#
#  Old-style clients do not send a Message-Authenticator
#  in an Access-Request.  RFC 5080 suggests that all clients
#  SHOULD include it in an Access-Request.  The configuration
#  item below allows the server to require it.  If a client
#  is required to include a Message-Authenticator and it does
#  not, then the packet will be silently discarded.
#
#  allowed values: yes, no
require_message_authenticator = no

#
#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
#  It is accepted for compatibility with 1.x, but it is no
#  longer necessary in 2.0
#
# shortname = localhost

#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#

#
# The nastype tells 'checkrad.pl' which NAS-specific method to
#  use to query the NAS for simultaneous use.
#
#  Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types

#
nastype     = other # localhost isn't usually a NAS...

#
#  The following two configurations are for future use.
#  The 'naspasswd' file is currently used to store the NAS
#  login name and password, which is used by checkrad.pl
#  when querying the NAS for simultaneous use.
#
# login       = !root
# password    = someadminpas

#
#  As of 2.0, clients can also be tied to a virtual server.
#  This is done by setting the "virtual_server" configuration
#  item, as in the example below.
#
# virtual_server = home1
}

# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}

#client some.host.org {
# secret = testing123
# shortname = localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
client 192.168.0.0/24 {
secret = testing123-1
shortname = private-network-1
}
#
#client 192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}


#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret      = testing123
# shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
# nastype     = livingston
# login       = !root
# password    = someadminpas
#}

#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
#        }
#}

Am I wrongly configured in client.conf hence NAS-port = 0.





With all the latest places, searching has never been easier. Looking for a new home?