Hello all! I am trying to get a wireless client to connect to the Freeradius server using WPA & WPA2 Enterprise . I have followed this guide: http://www.smallnetbuilder.com/content/view/30213/98/1/5/ But I am getting a few error messages from the radius console: 1: ++[mschap] returns noop rlm_realm: No '@' in User-Name = "puppypc", looking up realm NULL rlm_realm: No such realm "NULL 2: rlm_eap: EAP packet type response id 2 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation 3: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because o ++[pap] returns noop I am gussing that any of the above are a hint to what could be the problem, could anyone point me in the right direction here? On where to look/what to change. how to fix. Attaching the entire outtake from the radius console. Thanks for help, Best regards, Johan
hi, client using PEAP? how have you stored the password and what type of password are you trying to use? alan
Hello Alan, Thanks for answering. - How do i check if the clients are using PEAP? - Dont know if this is the answer to you password question, i have a password in the USERS file and on the client i have entered in the WPA_Supplicant.conf, clear text word. - Then what type of password how do i check that? Best regards, Johan A.L.M.Buxey wrote:
hi,
client using PEAP? how have you stored the password and what type of password are you trying to use?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/FW%3A-Hello%2C-tp16614715p16646511.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
divisionmd wrote:
- How do i check if the clients are using PEAP?
Read the debug log as suggested in the FAQ, README, INSTALL, and daily on this list.
- Dont know if this is the answer to you password question, i have a password in the USERS file and on the client i have entered in the WPA_Supplicant.conf, clear text word.
- Then what type of password how do i check that?
Read the entry you configured in the "users" file? Alan DeKok.
Hello Alan, - I'm going to copy back the default "eap.conf" "radiusd.conf" and "users" files, so I can start over again with clean files. - Some tutorials I have followed are old, compared to the new version that I have 2.0.3. - Can you give me an example on how I should configure these three files "users" "eap.con" "radius.conf". - The authentication method I am looking for to use is "EAP/TTLS" - I have all the certificates ready to go. Thanks very much for help! Best regards, Johan Nyman -----Original Message----- From: freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius.org [mailto:freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius. org] On Behalf Of Alan DeKok Sent: den 12 april 2008 10:18 To: FreeRadius users mailing list Subject: SPAM-LOW: Re: FW: Hello, divisionmd wrote:
- How do i check if the clients are using PEAP?
Read the debug log as suggested in the FAQ, README, INSTALL, and daily on this list.
- Dont know if this is the answer to you password question, i have a password in the USERS file and on the client i have entered in the WPA_Supplicant.conf, clear text word.
- Then what type of password how do i check that?
Read the entry you configured in the "users" file? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Just make entries for the users in users file. Instructions are in the file. There is nothing to configure in radiusd.conf or eap.conf. You might want to read through eap.conf if you are thinking of replacing default certificates or perhaps to copy request to tunnel and reply out. Only other thing you *need* to configure is clients.conf. Ivan Kalik Kalik Informatika ISP Dana 12/4/2008, "Johan Nyman" <Johan@mediavisiongroup.se> piše:
Hello Alan,
- I'm going to copy back the default "eap.conf" "radiusd.conf" and "users" files, so I can start over again with clean files.
- Some tutorials I have followed are old, compared to the new version that I have 2.0.3.
- Can you give me an example on how I should configure these three files "users" "eap.con" "radius.conf".
- The authentication method I am looking for to use is "EAP/TTLS"
- I have all the certificates ready to go.
Thanks very much for help!
Best regards, Johan Nyman
-----Original Message----- From: freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius.org [mailto:freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius. org] On Behalf Of Alan DeKok Sent: den 12 april 2008 10:18 To: FreeRadius users mailing list Subject: SPAM-LOW: Re: FW: Hello,
divisionmd wrote:
- How do i check if the clients are using PEAP?
Read the debug log as suggested in the FAQ, README, INSTALL, and daily on this list.
- Dont know if this is the answer to you password question, i have a password in the USERS file and on the client i have entered in the WPA_Supplicant.conf, clear text word.
- Then what type of password how do i check that?
Read the entry you configured in the "users" file?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Ivan! - Some tutorials I have been following required some settings to be changed in all those files. - But probably for older version of FreeRadius then. - I will re-try again! Thanks for help, Best regards, Johan Nyman -----Original Message----- From: freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius.org [mailto:freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius. org] On Behalf Of Ivan Kalik Sent: den 12 april 2008 16:35 To: FreeRadius users mailing list Subject: SPAM-LOW: Re: EAP/TTLS Just make entries for the users in users file. Instructions are in the file. There is nothing to configure in radiusd.conf or eap.conf. You might want to read through eap.conf if you are thinking of replacing default certificates or perhaps to copy request to tunnel and reply out. Only other thing you *need* to configure is clients.conf. Ivan Kalik Kalik Informatika ISP Dana 12/4/2008, "Johan Nyman" <Johan@mediavisiongroup.se> piše:
Hello Alan,
- I'm going to copy back the default "eap.conf" "radiusd.conf" and "users" files, so I can start over again with clean files.
- Some tutorials I have followed are old, compared to the new version that I have 2.0.3.
- Can you give me an example on how I should configure these three files "users" "eap.con" "radius.conf".
- The authentication method I am looking for to use is "EAP/TTLS"
- I have all the certificates ready to go.
Thanks very much for help!
Best regards, Johan Nyman
-----Original Message----- From: freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius.org [mailto:freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius . org] On Behalf Of Alan DeKok Sent: den 12 april 2008 10:18 To: FreeRadius users mailing list Subject: SPAM-LOW: Re: FW: Hello,
divisionmd wrote:
- How do i check if the clients are using PEAP?
Read the debug log as suggested in the FAQ, README, INSTALL, and daily on this list.
- Dont know if this is the answer to you password question, i have a password in the USERS file and on the client i have entered in the WPA_Supplicant.conf, clear text word.
- Then what type of password how do i check that?
Read the entry you configured in the "users" file?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Johan Nyman wrote:
- I'm going to copy back the default "eap.conf" "radiusd.conf" and "users" files, so I can start over again with clean files.
Good idea.
- Some tutorials I have followed are old, compared to the new version that I have 2.0.3.
I wish all old tutorial disappeared off of the net. Since most started out wrong, getting rid of them isn't a bad idea.
- Can you give me an example on how I should configure these three files "users" "eap.con" "radius.conf".
- The authentication method I am looking for to use is "EAP/TTLS"
You do nothing. See doc/ChangeLog, for version 2.0.0.
- I have all the certificates ready to go.
Put them in raddb/certs, in the files mentioned in eap.conf. Or, edit eap.conf to point to your certificates. The whole point of 2.0 is that you start the server... and almost everything works. The tutorials that described endless steps to configure things were usually wrong to begin with, and are completely unnecessary in 2.0. Alan DeKok.
Hello all, There should be a place on the net that hosts official tutorials for FreeRadius that are up-to date. Then many problems would disappear. I was about to follow this post to get "EAP/TTLS" to work: http://www.felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/ Can anyone help me sort out what not to follow in his guide, since it has been posted 2005: The SSL create certificate steps that tutorial mentions is the same for all versions, and still up to date? 1. Generate a new unsigned certificate and its corresponding private key: openssl req -new -days 365 -newkey rsa:1024 \ -keyout /etc/pki/CA/sslkey.pem -out /etc/pki/CA/sslcert.pem 2. To sign this certificate: openssl ca -in /etc/pki/CA/sslcert.pem -out /etc/pki/CA/cert.pem 3. Installing the RADIUS X.509 certificate The certificate and its corresponding private key, plus the CA certificate, must be installed into /etc/raddb/certs in order to use EAP-TLS or EAP-TTLS: Install the RADIUS private key: mv /etc/pki/CA/sslkey.pem /etc/raddb/certs/RADIUS-key.pem Install the RADIUS signed X.509 certificate: mv /etc/pki/CA/cert.pem /etc/raddb/certs/RADIUS-cert.pem Install the CA certificate: cp /etc/pki/CA/cacert.pem /etc/raddb/certs/cacert.pem /etc/pki/CA/sslcert.pem holds the unsigned X.509 RADIUS certificate, so it can be safely removed: rm /etc/pki/CA/sslcert.pem Best regards, Johan Nyman Media Vision Group | MVG Stureplan 4C, 4tr 114 35 Stockholm Sweden Tfn: +46-8-463 10 58 Cell:+46-70-992 31 51 Fax: +46-8-463 10 10 E-mail: Johan@mediavisiongroup.se Web: http://www.mediavisiongroup.se ---------------------------------------------------------------------------- ------------------------ CONFIDENTIALITY AND DISCLAIMER NOTICE This e-mail, including any attachments, is confidential and intended only for the addressee. If you are not the intended recipient, please notify us immediately and delete this e-mail from your system. Any use or disclosure of the information contained herein is strictly prohibited. ---------------------------------------------------------------------------- ------------------------ -----Original Message----- From: freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius.org [mailto:freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius. org] On Behalf Of Alan DeKok Sent: den 12 april 2008 17:45 To: FreeRadius users mailing list Subject: SPAM-LOW: SPAM(5.0) Re: EAP/TTLS Johan Nyman wrote:
- I'm going to copy back the default "eap.conf" "radiusd.conf" and "users" files, so I can start over again with clean files.
Good idea.
- Some tutorials I have followed are old, compared to the new version that I have 2.0.3.
I wish all old tutorial disappeared off of the net. Since most started out wrong, getting rid of them isn't a bad idea.
- Can you give me an example on how I should configure these three files "users" "eap.con" "radius.conf".
- The authentication method I am looking for to use is "EAP/TTLS"
You do nothing. See doc/ChangeLog, for version 2.0.0.
- I have all the certificates ready to go.
Put them in raddb/certs, in the files mentioned in eap.conf. Or, edit eap.conf to point to your certificates. The whole point of 2.0 is that you start the server... and almost everything works. The tutorials that described endless steps to configure things were usually wrong to begin with, and are completely unnecessary in 2.0. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Hello all,
There should be a place on the net that hosts official tutorials for FreeRadius that are up-to date.
Then many problems would disappear.
there are several. the best place is wiki.freeradius.org
I was about to follow this post to get "EAP/TTLS" to work: http://www.felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/
some random page from 2005. useful for FreeRADIUS 0.9 if you get the FreeRADIUS 2.0.3 source code, extract it and look in the directories, you will find within the raddb/certs directory a set of useful files... such as bootstrap and Makefile these 2 will, together, create a set of working 30 day demo certs for a first time install of the server. of course, if you read them and modify them and /etc/openssl.conf (or whereever your SSL configuration is held in your distro) you can have much much more - eg certs that last for as long as you want with the descriptions you want. alan
Hello again, Thanks for that information, Read the "README" in the "/raddb/certs" directory and found some very clear instruction on how to compile/make the certificates. Could you help me clarify this, so I have understand correctly: 1. To make a successful EAP/TLS connection I need the following certificates: - Root certificate (stored on the radius server as default in the directory "/raddb/certs") - Server certificate (stored on the radius server as default in the directory "/raddb/certs") - Client certificate (the user connecting to the radius has this certificate installed on his computer) 2. And those files are: Root: ca.cnf ca.der ca.key ca.pem Client: client.cnf client.crt client.csr client.key client.p12 client.pem Server: server.cnf server.crt server.csr server.key server.p12 server.pem And then also another file is needed, what does this file do?: dh And also this, what does this file do?: Random Best regards, Johan Nyman -----Original Message----- From: freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius.org [mailto:freeradius-users-bounces+johan=mediavisiongroup.se@lists.freeradius. org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: den 12 april 2008 19:06 To: FreeRadius users mailing list Subject: Re: Generate the SSL certs Hi,
Hello all,
There should be a place on the net that hosts official tutorials for FreeRadius that are up-to date.
Then many problems would disappear.
there are several. the best place is wiki.freeradius.org
I was about to follow this post to get "EAP/TTLS" to work: http://www.felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/
some random page from 2005. useful for FreeRADIUS 0.9 if you get the FreeRADIUS 2.0.3 source code, extract it and look in the directories, you will find within the raddb/certs directory a set of useful files... such as bootstrap and Makefile these 2 will, together, create a set of working 30 day demo certs for a first time install of the server. of course, if you read them and modify them and /etc/openssl.conf (or whereever your SSL configuration is held in your distro) you can have much much more - eg certs that last for as long as you want with the descriptions you want. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, recommend that you get eg OReilly book on OpenSSL. with a basic undertsanding of OpenSSL all of these files and processes become much more transparent.
1. To make a successful EAP/TLS connection I need the following certificates:
correct
2. And those files are:
with SSL you get various types of files - all of them hold the same information but show them in different ways. some platforms need a .pkcs12, others need a .der or a .crt etc if you read the eap.conf you will clearly see the different files that FreeRADIUS needs. what you need to give to your clients depends on the platform involved.
And then also another file is needed, what does this file do?:
dh
diffie-hellman - http://en.wikipedia.org/wiki/Diffie-Hellman
And also this, what does this file do?:
Random
random - a squawking bird typed the minutes of the last blood-alien intrenational chess competition meeting. how random can you get? its a way of ensuring that the keying material really is random. for some people a large file of junk is ranom, for others a device will generate random stuff - either a software device eg /dev/random or a crpytographic card with a random engine. alan
Johan Nyman wrote:
There should be a place on the net that hosts official tutorials for FreeRadius that are up-to date.
Then many problems would disappear.
There *is* a place. It's on the main web page. It's up to date. Yet many people *still* use third-party "howto's" that are years out of date. Is there some secret documentation saying "don't read the FreeRADIUS documentation"?
Can anyone help me sort out what not to follow in his guide, since it has been posted 2005:
Don't follow any of it. Read the documentation that comes with FreeRADIUS, and with the Wiki.
1. Generate a new unsigned certificate and its corresponding private key:
The "INSTALL" file that comes with the server describes how it automatically creates certificates. Maybe the binaries for your distribution don't include this file... Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
divisionmd -
Ivan Kalik -
Johan Nyman