Hi
I am using freeradius version 2.1.4 and I want to set up config to eap TTLS using users and clients file but didnt work.Please help me.Thanks.
***************OUTPUT************************************
Finished request 18.
Going to the next request
Waking up in 2.0 seconds.
Cleaning up request 17 ID 18 with timestamp +75
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=20, length=183
User-Name = "deneme"
NAS-IP-Address = 10.1.1.252
NAS-Port = 0
Called-Station-Id = "00-30-4F-44-3D-C1"
Calling-Station-Id = "00-18-DE-88-62-77"
NAS-Identifier = "WirelessAccessPoint"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0211002219001703010017a5491ed47f0de82246939132f8766cf3c1a85f8c211be5
State = 0x56c2eb4850d3f233efbb27b16d1adb57
Message-Authenticator = 0x1ea576935b901d2c1f156615504ed0da
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = !
"deneme", looking up realm NULL
[suffix] No such realm "NULL
"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - deneme
[peap] Got tunneled request
EAP-Message = 0x0211000b0164656e656d65
server {
PEAP: Got tunneled identity of deneme
PEAP: Setting default EAP type for tunneled EAP session.
!
PEAP: Setting User-Name to deneme
Sending tunneled request
EAP-Message = 0x0211000b0164656e656d65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "deneme"
server inner-tunnel {
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 20 to 10.1.1.252 port 1206
EAP-Message = 0x011200261900170301001b3f825a!
ee84e1fd23b0089c976f25f2f4054e5c93627e072882688f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x56c2eb4851d0f233efbb27b16d1adb57
Finished request 19.
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 18 ID 19 with timestamp +78
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.252 port 1206, id=21, length=187
User-Name = "deneme"
NAS-IP-Address = 10.1.1.252
NAS-Port = 0
Called-Station-Id = "00-30-4F-44-3D-C1"
Calling-Station-Id =!
"00-18-DE-88-62-77"
NAS-Identifier = "WirelessAccessPoint"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021200261900170301001bd0f786fe5ec27d325f117cb1c6314a2fc09664e18d31038aaa2a5f
State = 0x56c2eb4851d0f233efbb27b16d1adb57
Message-Authenticator = 0xe4dd7f51a3fd9548338084267728d316
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "deneme", looking up realm NULL
[suffix] No such realm "NULL!
"
++[suffix] returns noop
[eap] EAP packet type re
sponse id 18 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> deneme
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 20 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 20
Sending Access-Reject of id 21 to 10.1.1.252 port 1206
EAP-Message = 0x04120004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.9 seconds.
Cleaning up request 19 ID 20 with timestamp +81
Waking up in 3.9 seconds.
************EAP.conf********************
# -*- text -*-
##
## eap.conf -- !
Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$
#######################################################################
#
eap {
#
default_eap_type = ttls
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accoun!
ting_username_bug = no
#
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. Most systems
# can handle ~30 EAP sessions/s, so the default limit
# of 2048 is more than enough.
max_sessions = 2048
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Cisco LEAP
#
leap {
}
# Generic Token Card.
gtc {
!
#  
;The default challenge, which many clients
# ignore..
#challenge = "Password: "
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
tls {
#
# These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = 123456
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
C!
A_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
# fragment_size = 1024
# include_length = yes
# check_crl = yes
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
#
cipher_list = "DEFAULT"
# make_cert_command = "${certdir}/bootstrap"
cache {
#
# Enable it. The default is "no".
# Deleting the entire "cache" subsection
# Also disables c!
aching.
#
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT
# enable resumption for just one user
# by setting the above attribute to "yes".
#
enable = no
#
# Lifetime of the cached entries, in hours.
# The sessions will be deleted after this
# time.
 
;#
lifetime = 24 # hours
#
# The maximum number of entries in the
# cache. Set to "0" for "infinite".
#
# This could be set to the number of users
# who are logged in... which can be a LOT.
#
max_entries = 255
}
}
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# con
versation, then this configuration entry
# is ignored.
default_eap_type = md5
# allowed values: {no, yes}
copy_request_to_tunnel = no
# allowed values: {no, yes}
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
div>
copy_request_to_tunnel = no
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunn!
el"
}
mschapv2 {
}
}
***************** inner-tunnel ***********
# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id$
#
######################################################################
se!
rver inner-tunnel {
authorize {
suffix
unix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
pap
chap
mschap
# IPASS
# ntdomain
# See "Authorization Queries" in sql.conf
# sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
expiration
logintime
}
# Authentication.
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
#unix
<
div>
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP au!
thentication.
eap
}
######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in
sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Note that we do NOT assign IP addresses here.
# If you try to assign IP addresses for EAP authentication types,
# it WILL NOT WORK. You MUST use DHCP.
#
# If you want to have a log of authentication replies,
# un-c!
omment the following line, and the 'detail reply_log'
# section, above.
reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
<
span class="Apple-tab-span" style="white-space:pre"> #
# sql_log
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through t!
he pre-proxy
# stage. This stage can re-write th
e request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-p!
roxy' file.
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home!
server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
!
#
eap
#
# Post-Proxy-Type Fail {
# detail
# }
}
} # inner-tunnel server block
Windows Live Hotmail:
Arkadaşlarınız Facebook'taki güncellemelerinizi doğrudan Hotmail®'den görür.