rlm_eap: No EAP-Message, not doing EAP?
My setup is as follows and I am trying to do WPA2 EAP-TLS authentication on an Apple Airport WLAN: Fedora 8 Freeradius (192.168.1.26) Airport Express (192.168.1.23) - WPA2 I do not seem to be seeing eap messages in debug mode. Would appreciate some assistance if possible. --REJECTED USER rad_recv: Access-Request packet from host 192.168.1.23:1812, id=88, length=73 User-Password = "testing123" User-Name = "0019w3-h9a056" NAS-Identifier = "192.168.1.23" NAS-IP-Address = 192.168.1.23 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 229 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. --clients.conf client 192.168.1.23 { secret = testing123 shortname = wireless_ap1 nastype = other } -eap.conf eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no md5 { } tls { private_key_password = secret private_key_file = /etc/raddb/certs/CA/RADIUS-key.pem certificate_file = /etc/raddb/certs/CA/RADIUS-cert.pem CA_file = /etc/raddb/certs/CA/cacert.pem dh_file = /etc/wireless/dh random_file = /etc/wireless/random fragment_size = 1024 include_length = yes cipher_list = "DEFAULT" } -users Left as default, as EAP-TLS authentication are done automatically? --DEBUG [root@localhost raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/CA/RADIUS-key.pem" tls: certificate_file = "/etc/raddb/certs/CA/RADIUS-cert.pem" tls: CA_file = "/etc/raddb/certs/CA/cacert.pem" tls: private_key_password = "secret" tls: dh_file = "/etc/wireless/dh" tls: random_file = "/etc/wireless/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "DEFAULT" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/ detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. Regards secrookie
secrookie@mac.com wrote:
My setup is as follows and I am trying to do WPA2 EAP-TLS authentication on an Apple Airport WLAN:
Fedora 8 Freeradius (192.168.1.26) Airport Express (192.168.1.23) - WPA2
No it is not:
I do not seem to be seeing eap messages in debug mode. Would appreciate some assistance if possible.
--REJECTED USER
rad_recv: Access-Request packet from host 192.168.1.23:1812, id=88, length=73 User-Password = "testing123" User-Name = "0019w3-h9a056" NAS-Identifier = "192.168.1.23" NAS-IP-Address = 192.168.1.23
That is a PAP request; your access point isn't using WPA. Fix your AP
Phil Mayers wrote:
secrookie@mac.com wrote:
My setup is as follows and I am trying to do WPA2 EAP-TLS authentication on an Apple Airport WLAN:
Fedora 8 Freeradius (192.168.1.26) Airport Express (192.168.1.23) - WPA2
No it is not:
Could be WPA2 Personal ;)
I do not seem to be seeing eap messages in debug mode. Would appreciate some assistance if possible.
--REJECTED USER
rad_recv: Access-Request packet from host 192.168.1.23:1812, id=88, length=73 User-Password = "testing123" User-Name = "0019w3-h9a056" NAS-Identifier = "192.168.1.23" NAS-IP-Address = 192.168.1.23
That is a PAP request; your access point isn't using WPA. Fix your AP
Yes you've enabled Mac (Media Access Control) authentication as opposed to WPA2-Enterprise which is EAP based. You've configured the airport to send a Access-Request packet with a dummy password and the mac-address of the station wishing to associate. This is *not* EAP-Based. I can't remember what the settings are off the top of my head, but if you haven't figured it out by Monday email me directly and I'll be able to help/ send you a demo config. Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the responses. At the moment its running in WDS mode which supposedly causes a problem when the radius authentication feature is turned on. Once I reconfigure my WLAN 'without' WDS, I will try again and am confident :-) it will work. So can I presume, for the WLAN devices which 'do not' support EAP authentication, would MAC address authentication be the way to go. And for the other WLAN devices which 'do' support EAP authentication, install the CA and client certs and configure EAP-TLS accordingly. Regards, secrookie My next task would be setup pix login authentication. ;-) On Sunday, March 30, 2008, at 10:31PM, "Arran Cudbard-Bell" <A.Cudbard-Bell@sussex.ac.uk> wrote:
Phil Mayers wrote:
secrookie@mac.com wrote:
My setup is as follows and I am trying to do WPA2 EAP-TLS authentication on an Apple Airport WLAN:
Fedora 8 Freeradius (192.168.1.26) Airport Express (192.168.1.23) - WPA2
No it is not:
Could be WPA2 Personal ;)
I do not seem to be seeing eap messages in debug mode. Would appreciate some assistance if possible.
--REJECTED USER
rad_recv: Access-Request packet from host 192.168.1.23:1812, id=88, length=73 User-Password = "testing123" User-Name = "0019w3-h9a056" NAS-Identifier = "192.168.1.23" NAS-IP-Address = 192.168.1.23
That is a PAP request; your access point isn't using WPA. Fix your AP
Yes you've enabled Mac (Media Access Control) authentication as opposed to WPA2-Enterprise which is EAP based.
You've configured the airport to send a Access-Request packet with a dummy password and the mac-address of the station wishing to associate. This is *not* EAP-Based.
I can't remember what the settings are off the top of my head, but if you haven't figured it out by Monday email me directly and I'll be able to help/ send you a demo config.
Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Phil Mayers -
secrookie@mac.com