Hi

  I am using freeradius version 2.1.4 and I want to set up config to eap TTLS using users and clients file but didnt work.Please help me.Thanks.



***************OUTPUT************************************
Finished request 18.
Going to the next request
Waking up in 2.0 seconds.
Cleaning up request 17 ID 18 with timestamp +75
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=20, length=183
User-Name = "deneme"
NAS-IP-Address = 10.1.1.252
NAS-Port = 0
Called-Station-Id = "00-30-4F-44-3D-C1"
Calling-Station-Id = "00-18-DE-88-62-77"
NAS-Identifier = "WirelessAccessPoint"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0211002219001703010017a5491ed47f0de82246939132f8766cf3c1a85f8c211be5
State = 0x56c2eb4850d3f233efbb27b16d1adb57
Message-Authenticator = 0x1ea576935b901d2c1f156615504ed0da
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = ! "deneme", looking up realm NULL
[suffix] No such realm "NULL "
++[suffix] returns noop
[eap] EAP packet type response id 17 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - deneme
[peap] Got tunneled request
EAP-Message = 0x0211000b0164656e656d65
server  {
  PEAP: Got tunneled identity of deneme
  PEAP: Setting default EAP type for tunneled EAP session.
!   PEAP: Setting User-Name to deneme
Sending tunneled request
EAP-Message = 0x0211000b0164656e656d65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "deneme"
server inner-tunnel {
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 20 to 10.1.1.252 port 1206
EAP-Message = 0x011200261900170301001b3f825a! ee84e1fd23b0089c976f25f2f4054e5c93627e072882688f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c2eb4851d0f233efbb27b16d1adb57
Finished request 19.
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 18 ID 19 with timestamp +78
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=21, length=187
User-Name = "deneme"
NAS-IP-Address = 10.1.1.252
NAS-Port = 0
Called-Station-Id = "00-30-4F-44-3D-C1"
Calling-Station-Id =! "00-18-DE-88-62-77"
NAS-Identifier = "WirelessAccessPoint"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021200261900170301001bd0f786fe5ec27d325f117cb1c6314a2fc09664e18d31038aaa2a5f
State = 0x56c2eb4851d0f233efbb27b16d1adb57
Message-Authenticator = 0xe4dd7f51a3fd9548338084267728d316
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "deneme", looking up realm NULL
[suffix] No such realm "NULL! "
++[suffix] returns noop
[eap] EAP packet type re sponse id 18 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> deneme
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 20 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 20
Sending Access-Reject of id 21 to 10.1.1.252 port 1206
EAP-Message = 0x04120004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.9 seconds.
Cleaning up request 19 ID 20 with timestamp +81
Waking up in 3.9 seconds.





************EAP.conf********************
# -*- text -*-
##
##  eap.conf -- ! Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$

#######################################################################
#
eap {
#
default_eap_type = ttls

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire     = 60

ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accoun! ting_username_bug = no

#
#  Help prevent DoS attacks by limiting the number of
#  sessions that the server is tracking.  Most systems
#  can handle ~30 EAP sessions/s, so the default limit
#  of 2048 is more than enough.
max_sessions = 2048

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
leap {
}

#  Generic Token Card.
gtc {
! #   ;The default challenge, which many clients
#  ignore..
#challenge = "Password: "

auth_type = PAP
}

## EAP-TLS
#
#  See raddb/certs/README for additional comments
#  on certificates.
#  http://www.dslreports.com/forum/remark,9286052~mode=flat
#
tls {
#
#  These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = 123456
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
C! A_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
# fragment_size = 1024
# include_length = yes
# check_crl = yes
      #
#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
#
cipher_list = "DEFAULT"
# make_cert_command = "${certdir}/bootstrap"

cache {
     #
     #  Enable it.  The default is "no".
     #  Deleting the entire "cache" subsection
     #  Also disables c! aching.
     #
     #  You can disallow resumption for a
     #  particular user by adding the following
     #  attribute to the control item list:
     #
     # Allow-Session-Resumption = No
     #
     #  If "enable = no" below, you CANNOT
     #  enable resumption for just one user
     #  by setting the above attribute to "yes".
     #
     enable = no

     #
     #  Lifetime of the cached entries, in hours.
     #  The sessions will be deleted after this
     #  time.
      ;#
     lifetime = 24 # hours

     #
     #  The maximum number of entries in the
     #  cache.  Set to "0" for "infinite".
     #
     #  This could be set to the number of users
     #  who are logged in... which can be a LOT.
     #
     max_entries = 255
}
}

ttls {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  TTLS tunnel, we recommend using EAP-MD5.
#  If the request does not contain an EAP
#  con versation, then this configuration entry
#  is ignored.
default_eap_type = md5

# allowed values: {no, yes}
copy_request_to_tunnel = no

# allowed values: {no, yes}
use_tunneled_reply = no


virtual_server = "inner-tunnel"
}

peap {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  PEAP tunnel, we recommend using MS-CHAPv2,
#  as that is the default type supported by
#  Windows clients.
default_eap_type = mschapv2

#  the PEAP module also has these configuration
#  items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no

#  When the tunneled session is proxied, the
#  home server may not understand EAP-MSCHAP-V2.
#  Set this entry to "no" to proxy the tunneled
#  EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes

virtual_server = "inner-tunn! el"
}

mschapv2 {
}
}



***************** inner-tunnel ***********
# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id$
#
######################################################################

se! rver inner-tunnel {
authorize {
suffix
unix
update control {
      Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
pap
chap
mschap
# IPASS

# ntdomain

#  See "Authorization Queries" in sql.conf
# sql

#
#  If you are using /etc/smbpasswd, and are also doing
#  mschap authentication, the un-comment this line, and
#  configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
# ldap

#
#  Enforce daily limits on time spent logged in.
# daily

#
# Use the checkval module
# checkval

expiration
logintime
}


#  Authentication.
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
#  Pluggable Authentication Modules.
# pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#  
#unix

< div> # Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }

#
#  Allow EAP au! thentication.
eap
}

######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################


#  Session database, used for checking Simultaneous-Use. Either the radutmp 
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
radutmp

#
#  See "Simultaneous Use Checking Queries" in sql.conf
# sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
# Note that we do NOT assign IP addresses here.
# If you try to assign IP addresses for EAP authentication types,
# it WILL NOT WORK.  You MUST use DHCP.

#
#  If you want to have a log of authentication replies,
#  un-c! omment the following line, and the 'detail reply_log'
#  section, above.
reply_log

#
#  After authenticating the user, do another SQL query.
#
#  See "Authentication Logging Queries" in sql.conf
# sql

#
#  Instead of sending the query to the SQL server,
#  write it into a log file.
< span class="Apple-tab-span" style="white-space:pre"> #
# sql_log

#
#  Un-comment the following if you have set
#  'edir_account_policy_check = yes' in the ldap module sub-section of
#  the 'modules' section.
#
# ldap

#
#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
#
#  Add the ldap module name (or instance) if you have set 
#  'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
attr_filter.access_reject
}

}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through t! he pre-proxy
#  stage.  This stage can re-write th e request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite

#  Uncomment the following line if you want to change attributes
#  as defined in the preproxy_users file.
# files

#  Uncomment the following line if you want to filter requests
#  sent to remote servers based on the rules defined in the
#  'attrs.pre-p! roxy' file.
# attr_filter.pre-proxy

#  If you want to have a log of packets proxied to a home
#  server, un-comment the following line, and the
#  'detail pre_proxy_log' section, above.
pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

#  If you want to have a log of replies from a home! server,
#  un-comment the following line, and the 'detail post_proxy_log'
#  section, above.
post_proxy_log

# attr_rewrite

#  Uncomment the following line if you want to filter replies from
#  remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy

#
#  If you are proxying LEAP, you MUST configure the EAP
#  module, and you MUST list it here, in the post-proxy
#  stage.
#
#  You MUST also use the 'nostrip' option in the 'realm'
#  configuration.  Otherwise, the User-Name attribute
#  in the proxied request will not match the user name
#  hidden inside of the EAP packet, and the end server will
#  reject the EAP request.
! #
eap

#
# Post-Proxy-Type Fail {
# detail
# }

}

} # inner-tunnel server block


Windows Live Hotmail: Arkadaşlarınız Facebook'taki güncellemelerinizi doğrudan Hotmail®'den görür.