Hi. I have problems with performing authentication with freeradius. When I use the command: radtest tkiziloren password ldap.anaadolu.edu 10 testing123 i get the message below: rad_recv: Access-accepted... However when i try to perform same task by using securew2 on XP client, it always shows "attempting to authenticate", I pasted the debug results or radiusd below: I am new to freeradius. Could anybody help me where the problem is?. Is there a problem with certificate? (I use cisco aironet 1200 AP) Thanks in advance. Tevfik Kızılören. rad_recv: Access-Request packet from host 10.10.7.203:1645, id=0, length=148 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0xfcbf4e4b477d844b3826ae784cd6977e EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 675 State = 0x74d2bac8b603cafd625c55c0992b70ba NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 0 to 10.10.7.203 port 1645 EAP-Message = 0x0105024e1580000006445504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d0030818902818100f87fe052d754f4586d4e311ea15bb54cd7bbe1e505e648171bfa44c6a1523906cc31d776e4a8113dd3f002e7ddd43868af03076e0f4c57c6791845adc2f7732d909e58267dc127244ebe656f95 EAP-Message = 0xf53a09222a4a3451369f97a04391610dc4b77848268d41b7f9bc37f04654d00abdc0ee376c8aad064e5ac5a5a1595bffeea9b30203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041450fd81eacea4e2d3d18547e154bc515d08630096301f0603551d2304183016801450fd81eacea4e2d3d18547e154bc515d08630096300d06092a864886f70d01010505000381810092f44ed2dade447e098f90432e2a2b58d93139471c0b41d3bbdebf1c2d09e321b43bbe2faad7d8c60e6642f5b6c2746fbb4be07033 EAP-Message = 0x4b77db5093871b2203bf2271cb97b98cc169c03f4f67d7a01261d971dfddc176cce3a42e1dd1e37037060a528db7e8481722e222549b882a93cfa582a29df0f1b401a28e197772410a1f1016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d3c9b53656089b1510d55b3a1f50a33 Finished request 6 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 0 with timestamp 46421b1a Cleaning up request 4 ID 254 with timestamp 46421b1a Cleaning up request 5 ID 255 with timestamp 46421b1a Nothing to do. Sleeping until we see a request. -- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10400374 Sent from the FreeRadius - User mailing list archive at Nabble.com.
did you configure SecureW2 to allow new connections?
Yes i tried both combinations, nothing is changed. In addition to this when I enter correct username but wrong password, I got similar debug log which i lised below. I wasn't able to see any problem with ldap configuration because it works with radtest command. (That is when i entered correct usrname but wrong password, I got Access-Rejected message. When both of them was true, I got Access-Accepted) Is there a problem with my ldap configuration. Is there any weird message in my debug log? I am dealing with this thing about 20 days. Could anybody tell me whats wrong with it? Thanks in advance: My full debug log: (username was entered true, password was entered false ) ------------------------------------------------------------------------------------------------- ldap:~ # radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "ldap.anadolu.edu.tr" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "ou=people,dc=anadolu,dc=edu,dc=tr" ldap: filter = "(uid=%u)" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap_1x-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x800d0420 Module: Instantiated ldap (ldap_1x) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "1234" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = yes realm: ignore_null = yes Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.10.7.203:1645, id=146, length=139 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x4bf1be37ab5fc1598c68bd249777d10d EAP-Message = 0x0202000f01746b697a696c6f72656e NAS-Port-Type = Wireless-802.11 NAS-Port = 322 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0 rlm_ldap: bind as / to ldap.anadolu.edu.tr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 146 to 10.10.7.203 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0aacb6009ffcc2e6b40b7487d9b49dce Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=147, length=202 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0xec986e334fed0be253f43e2461d77e42 EAP-Message = 0x0203003c158000000032160301002d01000029030146cbafcad15f26ee9c399c30942cb9a40c438dfa3f0aeb13b9b68e7fd7fa6e64000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 322 State = 0x0aacb6009ffcc2e6b40b7487d9b49dce NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 05e7], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 147 to 10.10.7.203 port 1645 EAP-Message = 0x0104040a15c000000644160301004a0200004603014642d682aa7f984a7fcdbc4a6bc13b1d264b81e704929e445b4ebf174c04b7cc20d1ee663783e4d828257c89be8df743bbae47180d8e7bd7a41edc3742644c918a000a0016030105e70b0005e30005e00002c5308202c13082022aa003020102020101300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a86 EAP-Message = 0x4886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333833325a170d3038303530373130333833325a3081a3310b300906035504061302545231123010060355040813095452416e61646f6c75311230100603550407130945736b697365686972311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d003081890281 EAP-Message = 0x8100aa7e832714838afb5c85df7c60afaf107142a9e077659f216e0b0cee26180413d2ce23bd4551cb0e7243dbae482db8757502159b52b08f8776b1fef8110ea8798dc7bd0db591296d73e37cad9a07ad8b1c1db6360104861ae0405cab03544b1ae33633df6a5403c79bdde9ab57ed2dcfe191f5f34418b555c953351acc461ce70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181003c0a0c3e188348ce41725b4c062f8a8570a1bf407bb6ee3504b9df6a18e935fe2f8792c914c2eabadd85e6ea701ec99443a06e436152b7b9fd413cf44fbd09db68cdf3879c76ea673153 EAP-Message = 0xb8adc112064df7b8369c796d37251577569523b465b686408649adbb9f9006148c9e8df035dec411681b9365b9d317f44efd89b9b42b000315308203113082027aa003020102020100300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333734345a170d EAP-Message = 0x3130303530373130333734345a30818f310b30090603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c09c8f35ddc35ecd609188a17165621 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=148, length=148 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x9b4e281f16c2c5d3cf691e6e195bea68 EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 322 State = 0x2c09c8f35ddc35ecd609188a17165621 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 148 to 10.10.7.203 port 1645 EAP-Message = 0x0105024e1580000006445504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d0030818902818100f87fe052d754f4586d4e311ea15bb54cd7bbe1e505e648171bfa44c6a1523906cc31d776e4a8113dd3f002e7ddd43868af03076e0f4c57c6791845adc2f7732d909e58267dc127244ebe656f95 EAP-Message = 0xf53a09222a4a3451369f97a04391610dc4b77848268d41b7f9bc37f04654d00abdc0ee376c8aad064e5ac5a5a1595bffeea9b30203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041450fd81eacea4e2d3d18547e154bc515d08630096301f0603551d2304183016801450fd81eacea4e2d3d18547e154bc515d08630096300d06092a864886f70d01010505000381810092f44ed2dade447e098f90432e2a2b58d93139471c0b41d3bbdebf1c2d09e321b43bbe2faad7d8c60e6642f5b6c2746fbb4be07033 EAP-Message = 0x4b77db5093871b2203bf2271cb97b98cc169c03f4f67d7a01261d971dfddc176cce3a42e1dd1e37037060a528db7e8481722e222549b882a93cfa582a29df0f1b401a28e197772410a1f1016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb63cf9e5375c651683e69b8c2d8543fc Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 146 with timestamp 4642d682 Cleaning up request 1 ID 147 with timestamp 4642d682 Cleaning up request 2 ID 148 with timestamp 4642d682 Nothing to do. Sleeping until we see a request. A.L.M.Buxey wrote:
Hi,
However when i try to perform same task by using securew2 on XP client, it always shows "attempting to authenticate",
did you configure SecureW2 to allow new connections?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10408620 Sent from the FreeRadius - User mailing list archive at Nabble.com.
tevfik wrote:
I wasn't able to see any problem with ldap configuration because it works with radtest command.
Which doesn't use EAP. It means that your server configuration is mostly correct, but something else might still go wrong.
Is there a problem with my ldap configuration. Is there any weird message in my debug log?
The supplicant is starting EAP, doing part of EAP, and then giving up. See the logs on the supplicant for why it's doing this. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi I have configured freeradius on Fedora core 6, and using postgresql database. I've created also a username locally on the server, defining from which pool to take it's IP, it works fine, but when I do the necessary changes and re-do the tests again with a username and password from the database, it sends the request, but it rejected it. It says login incorrect, eventhough it has been configured on the database. The pb is that the server cannot access the database to get the info. Any idea how to solve it? Thanks Elie
Parameters for database access are in sql.conf. But post output from radiusd -X so we can see what's happening. If it can't access the database it will fail during server setup stage as well. Ivan Kalik Kalik Informatika ISP Dana 10/5/2007, "Elie Hani" <ehani@wise.net.lb> piše:
Hi
I have configured freeradius on Fedora core 6, and using postgresql database. I've created also a username locally on the server, defining from which pool to take it's IP, it works fine, but when I do the necessary changes and re-do the tests again with a username and password from the database, it sends the request, but it rejected it. It says login incorrect, eventhough it has been configured on the database. The pb is that the server cannot access the database to get the info.
Any idea how to solve it? Thanks
Elie
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is the output i'm getting with radiusd -x, but nothing about the SQL: Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Initializing the thread pool... Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. Thanks -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of tnt@kalik.co.yu Sent: Thursday, May 10, 2007 12:20 PM To: FreeRadius users mailing list Subject: Re: Authentication problem Parameters for database access are in sql.conf. But post output from radiusd -X so we can see what's happening. If it can't access the database it will fail during server setup stage as well. Ivan Kalik Kalik Informatika ISP Dana 10/5/2007, "Elie Hani" <ehani@wise.net.lb> piše:
Hi
I have configured freeradius on Fedora core 6, and using postgresql database. I've created also a username locally on the server, defining from which
pool
to take it's IP, it works fine, but when I do the necessary changes and re-do the tests again with a username and password from the database, it sends the request, but it rejected it. It says login incorrect, eventhough it has been configured on the database. The pb is that the server cannot access the database to get the info.
Any idea how to solve it? Thanks
Elie
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
This is the output i'm getting with radiusd -x, but nothing about the SQL:
Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Initializing the thread pool... Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
radiusd -X ^^^^ capital X. lower case is next to useless (and should be removed from the code imho) alan
Hi; Sorry; this is the capital X output attached. Elie -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, May 10, 2007 6:34 PM To: FreeRadius users mailing list Subject: Re: Authentication problem Hi,
This is the output i'm getting with radiusd -x, but nothing about the SQL:
Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Initializing the thread pool... Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
radiusd -X ^^^^ capital X. lower case is next to useless (and should be removed from the code imho) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Sorry; this is the capital X output attached.
yep. not a single mention of SQL - that means that you havent changed the config files to enable SQL. you need to read and edit at LEAST the following 2 files. $YOUR_CONFIG_LOCATION/sql.conf - to enable postgres engine and database table name and password etc $YOUR_CONFIG_LOCATION/radius.conf - $INCLUDE ${confdir}/sql.conf without this basic work, 1) freeradius wont use a database 2) freeradius wont be ABLE to use a database alan
Thank you Alan, I will review it. I used the same configuration on Fedora core 4 and it's working perfectly. When I installed Fedora 6, the freeradius version has been changed, does it matter? -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, May 10, 2007 7:22 PM To: FreeRadius users mailing list Subject: Re: Authentication problem Hi,
Sorry; this is the capital X output attached.
yep. not a single mention of SQL - that means that you havent changed the config files to enable SQL. you need to read and edit at LEAST the following 2 files. $YOUR_CONFIG_LOCATION/sql.conf - to enable postgres engine and database table name and password etc $YOUR_CONFIG_LOCATION/radius.conf - $INCLUDE ${confdir}/sql.conf without this basic work, 1) freeradius wont use a database 2) freeradius wont be ABLE to use a database alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thank you Alan, I will review it. I used the same configuration on Fedora core 4 and it's working perfectly. When I installed Fedora 6, the freeradius version has been changed, does it matter?
the newer, the better . 1.1.6 is the current general stable release...and i prefer to roll my own (or roll my own RPM and install that.....) alan
Hi,
Sorry; this is the capital X output attached.
and sorry, i see you are loading in via postgresql.conf however, i see no successful connect to the DB - so 1) did you compile FR yourself...or did you use RPM? 2) if compiled yourself, do you have postgresq-devel etc installed? (ie read the config.log and look for ERROR/WARNING etc) 3) if you used RPMs - which RPMS did you install? then we get onto the possible connection 1) is postgresql listening/configured to listen? 2) are you running a firewall? alan
I would have a look at radiusd.conf. Something is wrong there. None of the modules (PAP, CHAP, sql etc.) have loaded. Ivan Kalik Kalik Informatika ISP Dana 10/5/2007, "Elie Hani" <ehani@wise.net.lb> piše:
Hi;
Sorry; this is the capital X output attached.
Elie
-----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, May 10, 2007 6:34 PM To: FreeRadius users mailing list Subject: Re: Authentication problem
Hi,
This is the output i'm getting with radiusd -x, but nothing about the SQL:
Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Initializing the thread pool... Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
radiusd -X
^^^^
capital X. lower case is next to useless (and should be removed from the code imho)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi; The version installed is 1.1.3, please find my radiusd.conf and postgresql.conf files attached. In this version, there's no files sql.conf, but there's sqlippool.conf. the last one remained untouchable. Thanks Elie -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of tnt@kalik.co.yu Sent: Thursday, May 10, 2007 8:49 PM To: FreeRadius users mailing list Subject: RE: Authentication problem I would have a look at radiusd.conf. Something is wrong there. None of the modules (PAP, CHAP, sql etc.) have loaded. Ivan Kalik Kalik Informatika ISP Dana 10/5/2007, "Elie Hani" <ehani@wise.net.lb> piše:
Hi;
Sorry; this is the capital X output attached.
Elie
-----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, May 10, 2007 6:34 PM To: FreeRadius users mailing list Subject: Re: Authentication problem
Hi,
This is the output i'm getting with radiusd -x, but nothing about the SQL:
Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Initializing the thread pool... Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
radiusd -X
^^^^
capital X. lower case is next to useless (and should be removed from the code imho)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I can't see much wrong with them. But server is not working. Your output: .. radiusd: entering modules setup Module: Library search path is /usr/lib64 Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. What should happen: .. radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded SQL etc... Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. OK, my test server is 1.1.6. but you get the general idea. Ivan Kalik Kalik Informatika ISP Dana 11/5/2007, "Elie Hani" <ehani@wise.net.lb> piše:
Hi;
The version installed is 1.1.3, please find my radiusd.conf and postgresql.conf files attached. In this version, there's no files sql.conf, but there's sqlippool.conf. the last one remained untouchable.
Thanks Elie
-----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of tnt@kalik.co.yu Sent: Thursday, May 10, 2007 8:49 PM To: FreeRadius users mailing list Subject: RE: Authentication problem
I would have a look at radiusd.conf. Something is wrong there. None of the modules (PAP, CHAP, sql etc.) have loaded.
Ivan Kalik Kalik Informatika ISP
Dana 10/5/2007, "Elie Hani" <ehani@wise.net.lb> piše:
Hi;
Sorry; this is the capital X output attached.
Elie
-----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, May 10, 2007 6:34 PM To: FreeRadius users mailing list Subject: Re: Authentication problem
Hi,
This is the output i'm getting with radiusd -x, but nothing about the SQL:
Starting - reading configuration files ... Using deprecated naslist file. Support for this will go away soon. Initializing the thread pool... Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.
radiusd -X
^^^^
capital X. lower case is next to useless (and should be removed from the code imho)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, what are the permissions of your certificates? can radiusd (or whatever the ID is of the freeradius process) read them? alan
Can i post my radiusd.conf and eap.conf here. Would it be helpfull? A.L.M.Buxey wrote:
Hi,
what are the permissions of your certificates? can radiusd (or whatever the ID is of the freeradius process) read them?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10410941 Sent from the FreeRadius - User mailing list archive at Nabble.com.
My certificates have read write and execute permissions A.L.M.Buxey wrote:
Hi,
what are the permissions of your certificates? can radiusd (or whatever the ID is of the freeradius process) read them?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10411507 Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi again. I reconfigured securew2 but at this time i get "received invalid server certificate" error. Which part of my server certificate or root ca certificate could be missed. Could it be related with xpextensions. My radiusd for new configuration is listed below: ---------------------------------------------------------------------------------------------------------------------- Ready to process requests. rad_recv: Access-Request packet from host 10.10.7.203:1645, id=93, length=139 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x347739ec23b1b972260f284960b9fa26 EAP-Message = 0x0202000f01746b697a696c6f72656e NAS-Port-Type = Wireless-802.11 NAS-Port = 499 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0 rlm_ldap: bind as / to ldap.anadolu.edu.tr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 93 to 10.10.7.203 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ae25e553dacaa7dd5a8f8c3b05a1636 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=94, length=202 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0xee6738dc415fc0906c869a55334f7f48 EAP-Message = 0x0203003c158000000032160301002d01000029030151574cfbb06da8313b8d207a29398758f18d010fd687534a1739da58174089f2000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 499 State = 0x9ae25e553dacaa7dd5a8f8c3b05a1636 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 05e7], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 94 to 10.10.7.203 port 1645 EAP-Message = 0x0104040a15c000000644160301004a02000046030146431731a9db2dd8221c37858f81819fbfda1adff90da6dc8d52a1c5db6e51e020608dd236d2aac1612c3ec0b0f90f8e540e10029777afdd892af311ed7025d5d2000a0016030105e70b0005e30005e00002c5308202c13082022aa003020102020101300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a86 EAP-Message = 0x4886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333833325a170d3038303530373130333833325a3081a3310b300906035504061302545231123010060355040813095452416e61646f6c75311230100603550407130945736b697365686972311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d003081890281 EAP-Message = 0x8100aa7e832714838afb5c85df7c60afaf107142a9e077659f216e0b0cee26180413d2ce23bd4551cb0e7243dbae482db8757502159b52b08f8776b1fef8110ea8798dc7bd0db591296d73e37cad9a07ad8b1c1db6360104861ae0405cab03544b1ae33633df6a5403c79bdde9ab57ed2dcfe191f5f34418b555c953351acc461ce70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181003c0a0c3e188348ce41725b4c062f8a8570a1bf407bb6ee3504b9df6a18e935fe2f8792c914c2eabadd85e6ea701ec99443a06e436152b7b9fd413cf44fbd09db68cdf3879c76ea673153 EAP-Message = 0xb8adc112064df7b8369c796d37251577569523b465b686408649adbb9f9006148c9e8df035dec411681b9365b9d317f44efd89b9b42b000315308203113082027aa003020102020100300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333734345a170d EAP-Message = 0x3130303530373130333734345a30818f310b30090603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cf9cacf07ab9293ebdd0a9c3ec353d8 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=95, length=148 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x290d6a828b186ac05cf09aab027b2e3f EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 499 State = 0x3cf9cacf07ab9293ebdd0a9c3ec353d8 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 95 to 10.10.7.203 port 1645 EAP-Message = 0x0105024e1580000006445504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d0030818902818100f87fe052d754f4586d4e311ea15bb54cd7bbe1e505e648171bfa44c6a1523906cc31d776e4a8113dd3f002e7ddd43868af03076e0f4c57c6791845adc2f7732d909e58267dc127244ebe656f95 EAP-Message = 0xf53a09222a4a3451369f97a04391610dc4b77848268d41b7f9bc37f04654d00abdc0ee376c8aad064e5ac5a5a1595bffeea9b30203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041450fd81eacea4e2d3d18547e154bc515d08630096301f0603551d2304183016801450fd81eacea4e2d3d18547e154bc515d08630096300d06092a864886f70d01010505000381810092f44ed2dade447e098f90432e2a2b58d93139471c0b41d3bbdebf1c2d09e321b43bbe2faad7d8c60e6642f5b6c2746fbb4be07033 EAP-Message = 0x4b77db5093871b2203bf2271cb97b98cc169c03f4f67d7a01261d971dfddc176cce3a42e1dd1e37037060a528db7e8481722e222549b882a93cfa582a29df0f1b401a28e197772410a1f1016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xde79aad44e660ac881793c6fbdd7bdab Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 93 with timestamp 46431731 Cleaning up request 1 ID 94 with timestamp 46431731 Cleaning up request 2 ID 95 with timestamp 46431731 Nothing to do. Sleeping until we see a request. A.L.M.Buxey wrote:
Hi,
what are the permissions of your certificates? can radiusd (or whatever the ID is of the freeradius process) read them?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10412876 Sent from the FreeRadius - User mailing list archive at Nabble.com.
tevfik, Post the question in the SecureW2 forum, www.securew2.com/forum/. I will get back to you via the forum. Regards, Tom tevfik schreef:
did you configure SecureW2 to allow new connections?
Yes i tried both combinations, nothing is changed.
In addition to this when I enter correct username but wrong password, I got similar debug log which i lised below.
I wasn't able to see any problem with ldap configuration because it works with radtest command. (That is when i entered correct usrname but wrong password, I got Access-Rejected message. When both of them was true, I got Access-Accepted)
Is there a problem with my ldap configuration. Is there any weird message in my debug log?
I am dealing with this thing about 20 days. Could anybody tell me whats wrong with it?
Thanks in advance:
My full debug log: (username was entered true, password was entered false ) ------------------------------------------------------------------------------------------------- ldap:~ # radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "ldap.anadolu.edu.tr" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "ou=people,dc=anadolu,dc=edu,dc=tr" ldap: filter = "(uid=%u)" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap_1x-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x800d0420 Module: Instantiated ldap (ldap_1x) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "1234" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = yes realm: ignore_null = yes Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.10.7.203:1645, id=146, length=139 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x4bf1be37ab5fc1598c68bd249777d10d EAP-Message = 0x0202000f01746b697a696c6f72656e NAS-Port-Type = Wireless-802.11 NAS-Port = 322 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0 rlm_ldap: bind as / to ldap.anadolu.edu.tr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 146 to 10.10.7.203 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0aacb6009ffcc2e6b40b7487d9b49dce Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=147, length=202 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0xec986e334fed0be253f43e2461d77e42 EAP-Message = 0x0203003c158000000032160301002d01000029030146cbafcad15f26ee9c399c30942cb9a40c438dfa3f0aeb13b9b68e7fd7fa6e64000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 322 State = 0x0aacb6009ffcc2e6b40b7487d9b49dce NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 05e7], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 147 to 10.10.7.203 port 1645 EAP-Message = 0x0104040a15c000000644160301004a0200004603014642d682aa7f984a7fcdbc4a6bc13b1d264b81e704929e445b4ebf174c04b7cc20d1ee663783e4d828257c89be8df743bbae47180d8e7bd7a41edc3742644c918a000a0016030105e70b0005e30005e00002c5308202c13082022aa003020102020101300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a86 EAP-Message = 0x4886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333833325a170d3038303530373130333833325a3081a3310b300906035504061302545231123010060355040813095452416e61646f6c75311230100603550407130945736b697365686972311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d003081890281 EAP-Message = 0x8100aa7e832714838afb5c85df7c60afaf107142a9e077659f216e0b0cee26180413d2ce23bd4551cb0e7243dbae482db8757502159b52b08f8776b1fef8110ea8798dc7bd0db591296d73e37cad9a07ad8b1c1db6360104861ae0405cab03544b1ae33633df6a5403c79bdde9ab57ed2dcfe191f5f34418b555c953351acc461ce70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181003c0a0c3e188348ce41725b4c062f8a8570a1bf407bb6ee3504b9df6a18e935fe2f8792c914c2eabadd85e6ea701ec99443a06e436152b7b9fd413cf44fbd09db68cdf3879c76ea673153 EAP-Message = 0xb8adc112064df7b8369c796d37251577569523b465b686408649adbb9f9006148c9e8df035dec411681b9365b9d317f44efd89b9b42b000315308203113082027aa003020102020100300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333734345a170d EAP-Message = 0x3130303530373130333734345a30818f310b30090603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c09c8f35ddc35ecd609188a17165621 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=148, length=148 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x9b4e281f16c2c5d3cf691e6e195bea68 EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 322 State = 0x2c09c8f35ddc35ecd609188a17165621 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 148 to 10.10.7.203 port 1645 EAP-Message = 0x0105024e1580000006445504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d0030818902818100f87fe052d754f4586d4e311ea15bb54cd7bbe1e505e648171bfa44c6a1523906cc31d776e4a8113dd3f002e7ddd43868af03076e0f4c57c6791845adc2f7732d909e58267dc127244ebe656f95 EAP-Message = 0xf53a09222a4a3451369f97a04391610dc4b77848268d41b7f9bc37f04654d00abdc0ee376c8aad064e5ac5a5a1595bffeea9b30203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041450fd81eacea4e2d3d18547e154bc515d08630096301f0603551d2304183016801450fd81eacea4e2d3d18547e154bc515d08630096300d06092a864886f70d01010505000381810092f44ed2dade447e098f90432e2a2b58d93139471c0b41d3bbdebf1c2d09e321b43bbe2faad7d8c60e6642f5b6c2746fbb4be07033 EAP-Message = 0x4b77db5093871b2203bf2271cb97b98cc169c03f4f67d7a01261d971dfddc176cce3a42e1dd1e37037060a528db7e8481722e222549b882a93cfa582a29df0f1b401a28e197772410a1f1016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb63cf9e5375c651683e69b8c2d8543fc Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 146 with timestamp 4642d682 Cleaning up request 1 ID 147 with timestamp 4642d682 Cleaning up request 2 ID 148 with timestamp 4642d682 Nothing to do. Sleeping until we see a request.
A.L.M.Buxey wrote:
Hi,
However when i try to perform same task by using securew2 on XP client, it always shows "attempting to authenticate",
did you configure SecureW2 to allow new connections?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I posted the question to the forum. Thank you for your help. SecureW2 (List) wrote:
tevfik,
Post the question in the SecureW2 forum, www.securew2.com/forum/. I will get back to you via the forum.
Regards,
Tom
tevfik schreef:
did you configure SecureW2 to allow new connections?
Yes i tried both combinations, nothing is changed.
In addition to this when I enter correct username but wrong password, I got similar debug log which i lised below.
I wasn't able to see any problem with ldap configuration because it works with radtest command. (That is when i entered correct usrname but wrong password, I got Access-Rejected message. When both of them was true, I got Access-Accepted)
Is there a problem with my ldap configuration. Is there any weird message in my debug log?
I am dealing with this thing about 20 days. Could anybody tell me whats wrong with it?
Thanks in advance:
My full debug log: (username was entered true, password was entered false ) ------------------------------------------------------------------------------------------------- ldap:~ # radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "ldap.anadolu.edu.tr" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "ou=people,dc=anadolu,dc=edu,dc=tr" ldap: filter = "(uid=%u)" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap_1x-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x800d0420 Module: Instantiated ldap (ldap_1x) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "1234" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = yes realm: ignore_null = yes Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.10.7.203:1645, id=146, length=139 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x4bf1be37ab5fc1598c68bd249777d10d EAP-Message = 0x0202000f01746b697a696c6f72656e NAS-Port-Type = Wireless-802.11 NAS-Port = 322 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0 rlm_ldap: bind as / to ldap.anadolu.edu.tr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 146 to 10.10.7.203 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0aacb6009ffcc2e6b40b7487d9b49dce Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=147, length=202 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0xec986e334fed0be253f43e2461d77e42 EAP-Message = 0x0203003c158000000032160301002d01000029030146cbafcad15f26ee9c399c30942cb9a40c438dfa3f0aeb13b9b68e7fd7fa6e64000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 322 State = 0x0aacb6009ffcc2e6b40b7487d9b49dce NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 05e7], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 147 to 10.10.7.203 port 1645 EAP-Message = 0x0104040a15c000000644160301004a0200004603014642d682aa7f984a7fcdbc4a6bc13b1d264b81e704929e445b4ebf174c04b7cc20d1ee663783e4d828257c89be8df743bbae47180d8e7bd7a41edc3742644c918a000a0016030105e70b0005e30005e00002c5308202c13082022aa003020102020101300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a86 EAP-Message = 0x4886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333833325a170d3038303530373130333833325a3081a3310b300906035504061302545231123010060355040813095452416e61646f6c75311230100603550407130945736b697365686972311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d003081890281 EAP-Message = 0x8100aa7e832714838afb5c85df7c60afaf107142a9e077659f216e0b0cee26180413d2ce23bd4551cb0e7243dbae482db8757502159b52b08f8776b1fef8110ea8798dc7bd0db591296d73e37cad9a07ad8b1c1db6360104861ae0405cab03544b1ae33633df6a5403c79bdde9ab57ed2dcfe191f5f34418b555c953351acc461ce70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181003c0a0c3e188348ce41725b4c062f8a8570a1bf407bb6ee3504b9df6a18e935fe2f8792c914c2eabadd85e6ea701ec99443a06e436152b7b9fd413cf44fbd09db68cdf3879c76ea673153 EAP-Message = 0xb8adc112064df7b8369c796d37251577569523b465b686408649adbb9f9006148c9e8df035dec411681b9365b9d317f44efd89b9b42b000315308203113082027aa003020102020100300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333734345a170d EAP-Message = 0x3130303530373130333734345a30818f310b30090603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c09c8f35ddc35ecd609188a17165621 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.10.7.203:1645, id=148, length=148 User-Name = "tkiziloren" Framed-MTU = 1400 Called-Station-Id = "0017.0e85.f190" Calling-Station-Id = "0011.2fb9.d08b" Service-Type = Login-User Message-Authenticator = 0x9b4e281f16c2c5d3cf691e6e195bea68 EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 322 State = 0x2c09c8f35ddc35ecd609188a17165621 NAS-IP-Address = 10.10.7.203 NAS-Identifier = "testbaum" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 29 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for tkiziloren radius_xlat: '(uid=tkiziloren)' radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tkiziloren authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_1x" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 148 to 10.10.7.203 port 1645 EAP-Message = 0x0105024e1580000006445504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d0030818902818100f87fe052d754f4586d4e311ea15bb54cd7bbe1e505e648171bfa44c6a1523906cc31d776e4a8113dd3f002e7ddd43868af03076e0f4c57c6791845adc2f7732d909e58267dc127244ebe656f95 EAP-Message = 0xf53a09222a4a3451369f97a04391610dc4b77848268d41b7f9bc37f04654d00abdc0ee376c8aad064e5ac5a5a1595bffeea9b30203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041450fd81eacea4e2d3d18547e154bc515d08630096301f0603551d2304183016801450fd81eacea4e2d3d18547e154bc515d08630096300d06092a864886f70d01010505000381810092f44ed2dade447e098f90432e2a2b58d93139471c0b41d3bbdebf1c2d09e321b43bbe2faad7d8c60e6642f5b6c2746fbb4be07033 EAP-Message = 0x4b77db5093871b2203bf2271cb97b98cc169c03f4f67d7a01261d971dfddc176cce3a42e1dd1e37037060a528db7e8481722e222549b882a93cfa582a29df0f1b401a28e197772410a1f1016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb63cf9e5375c651683e69b8c2d8543fc Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 146 with timestamp 4642d682 Cleaning up request 1 ID 147 with timestamp 4642d682 Cleaning up request 2 ID 148 with timestamp 4642d682 Nothing to do. Sleeping until we see a request.
A.L.M.Buxey wrote:
Hi,
However when i try to perform same task by using securew2 on XP client, it always shows "attempting to authenticate",
did you configure SecureW2 to allow new connections?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10410860 Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Elie Hani -
SecureW2 (List) -
tevfik -
tnt@kalik.co.yu