One question about Access-Request packet
Hi, i have one question: Why when i try auth. by laptop-wifi over linksys then it's send that request: rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119 User-Name = "rka" NAS-IP-Address = 192.168.1.245 Called-Station-Id = "001217694588" Calling-Station-Id = "0014a41e7112" NAS-Identifier = "001217694588" NAS-Port = 61 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000801726b61 Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464 Request without User-Password -> and that is problem with auth. When i try auth. over lan my PC send request: rad_recv: Access-Request packet from host 10.44.3.15:62963, id=66, length=55 User-Name = "rka" User-Password = "qazwsxedc" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 And the auth. is correct. Where is the problem? Maybe with Linksys? This is WPA54G. Thanks a lot for help BR, -- Rafal Kaminski http://blstream.com email: rafal.kaminski@blstream.com jid: rka@im.blstream.com
Rafał Kamiński wrote:
Why when i try auth. by laptop-wifi over linksys then it's send that request:
...
Request without User-Password -> and that is problem with auth.
The authentication method is called EAP. It's the way wireless is supposed to work. See "eap.conf". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi, i have one question:
Why when i try auth. by laptop-wifi over linksys then it's send that request:
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119 User-Name = "rka" NAS-IP-Address = 192.168.1.245 Called-Station-Id = "001217694588" Calling-Station-Id = "0014a41e7112" NAS-Identifier = "001217694588" NAS-Port = 61 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000801726b61 Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464
Request without User-Password -> and that is problem with auth.
This is normal because it is an EAP authentication request: so this is not a problem for authentication as long as you have enabled and configured EAP in the freeradius configuration (see eap.conf). Thibault
Hi again, I set EAP-TLS with cert. - i use that text http://www.fredprod.com/affiche_howtos.php but ... i set in radius.conf authorize { files } and authenticate { eap } and in users file "username-the same what in cert" Auth-Type := EAP but in debug mode i see: ------------------- rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=135 User-Name = "rka" NAS-IP-Address = 192.168.1.245 Called-Station-Id = "001217694588" Calling-Station-Id = "0014a41e7112" NAS-Identifier = "001217694588" NAS-Port = 61 Framed-MTU = 1400 State = 0x7fb3974e3abaf6925a5284b2338f93a6 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xd8e04dc8793f5401249372587b5867df Thu Jan 18 11:42:51 2007 : Debug: Processing the authorize section of radiusd.conf Thu Jan 18 11:42:51 2007 : Debug: modcall: entering group authorize for request 3 Thu Jan 18 11:42:51 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 3 Thu Jan 18 11:42:51 2007 : Debug: users: Matched entry rka at line 141 Thu Jan 18 11:42:51 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 3 Thu Jan 18 11:42:51 2007 : Debug: modcall[authorize]: module "files" returns ok for request 3 Thu Jan 18 11:42:51 2007 : Debug: modcall: leaving group authorize (returns ok) for request 3 Thu Jan 18 11:42:51 2007 : Debug: rad_check_password: Found Auth-Type EAP Thu Jan 18 11:42:51 2007 : Debug: auth: type "EAP" Thu Jan 18 11:42:51 2007 : Debug: Processing the authenticate section of radiusd.conf Thu Jan 18 11:42:51 2007 : Debug: modcall: entering group authenticate for request 3 Thu Jan 18 11:42:51 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 3 Thu Jan 18 11:42:51 2007 : Debug: rlm_eap: Request found, released from the list Thu Jan 18 11:42:51 2007 : Debug: rlm_eap: EAP/peap Thu Jan 18 11:42:51 2007 : Debug: rlm_eap: processing type peap Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_peap: Authenticate Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_tls: processing TLS Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK message Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_tls: ack handshake fragment handler Thu Jan 18 11:42:51 2007 : Debug: eaptls_verify returned 1 Thu Jan 18 11:42:51 2007 : Debug: eaptls_process returned 13 Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED Thu Jan 18 11:42:51 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 3 Thu Jan 18 11:42:51 2007 : Debug: modcall[authenticate]: module "eap" returns handled for request 3 Thu Jan 18 11:42:51 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 0 to 192.168.1.245 port 3072 EAP-Message = 0x010500061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdaf79644eaea9256a1b9537be3c3f7bc ------------------- What i must change to be good auth ? And How i must set authentication and authorize if i will use that in future with ldap? BR, Rafal Kaminski
Hi! On 1/18/07, Rafał Kamiński <rafal.kaminski@blstream.com> wrote:
Hi again,
I set EAP-TLS with cert. - i use that text http://www.fredprod.com/affiche_howtos.php
Sorry, URL seems broken.
i set in radius.conf
authorize { files }
Put in at least "eap". Better start with the shipped default file an change (step by step) to meet your needs. Read the comment there above the "eap" stanza.
and in users file
"username-the same what in cert" Auth-Type := EAP
Don't set it. As noted with hilarious regularity on this list. (If you got that from the maybe then working URL you mentioned, forget it.) Auth-Type gets perfectly well handled by the eap module in authorize. http://deployingradius.com/documents/configuration/auth_type.html
And
How i must set authentication and authorize if i will use that in future with ldap?
That's to general a question to give an useful answer. Keep in mind that "authenticating" against ldap by binding the user's dn, will not work for EAP(-PEAP) Regards K. Hoercher
Hi, i set all but in logs i have: Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 02c8], Certificate Fri Jan 19 14:06:18 2007 : Error: --> verify error:num=3:unable to get certificate CRL Fri Jan 19 14:06:18 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca Fri Jan 19 14:06:18 2007 : Error: TLS Alert write:fatal:unknown CA Fri Jan 19 14:06:18 2007 : Error: TLS_accept:error in SSLv3 read client certificate B Fri Jan 19 14:06:18 2007 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Fri Jan 19 14:06:18 2007 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. I see that is some problem in CA :( I do cert from description on http://www.nantes-wireless.org/actu/article.php3?id_article=8&artsuite=1 or famous EAPTLS.pdf but still doesn't work :( Some know why ? BR -- Rafal Kaminski http://blstream.com email: rafal.kaminski@blstream.com jid: rka@im.blstream.com
participants (4)
-
Alan DeKok -
K. Hoercher -
Rafał Kamiński -
Thibault Le Meur