Re: freeradius-proxy + PAP works, PEAP and the rest doesn´t
- External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.
That's relatively easy. In 2.0, just install it, configure a user/password (see the FAQ), start it in debug mode as root, and un-check "validate server certificate" on the Windows box.
Well, this is already running with internal user. Those are correctly proxied to the local internal Radius Server. Also they don´t have to uncheck the "validate server certificate" They can authenticate it against against an valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.
When using local radtest to verify the user, everything looks okay. >>But as soon I take a windows client, properly configured, or the >>radeapclient, it doesn´t work.
Here is the output from radius -X. It is 1.1.7, but the same errors occur on version 2.0.5: Don't run 1.1.7. Honest.
Well I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don´t work.
#/This message appears about 2000+ times <shrug> It's 1.1.7.
Well, the output from radius -X had 17,5MB of size...
rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1, length=40 Reply-Message = "Request Denied" Proxy-State = 0x3931 So... the home server is rejecting the user. Have you run the home server in debug mode to see what it's doing, and why it's rejecting the request? If not, why not? Is it even >FreeRADIUS?
Well, I do not have any influence on that home server on my own. But...
My guess is that the home server cannot do EAP. If so, why are you "going crazy with freeradius"? You're blaming the proxy for the >>actionsof the home server.
...
Go fix the home server to do EAP. If you can't make it do EAP, throw it away, and replace it with FreeRADIUS.
... that Radius Server is an FreeRadius server. I called the administrator of it. And it is running great with all other Radius server within the rest of the "sharing WLAN access" community. It is in fact running now for years. So, must be another error, I guess?
uni@christiankraus.de wrote:
- External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.
That's relatively easy. In 2.0, just install it, configure a user/password (see the FAQ), start it in debug mode as root, and un-check "validate server certificate" on the Windows box.
Well, this is already running with internal user. Those are correctly proxied to the local internal Radius Server.
i.e. non-EAP users.
Also they don´t have to uncheck the "validate server certificate" They can authenticate it against against an valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.
<sigh> The suggestion to uncheck that box was for TESTING. Not for PRODUCTION use.
Well I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don´t work.
Go read my message again. The problem is NOT the proxy. The problem is the home server. If you noticed, the proxy debug mode shows that the HOME SERVER is rejecting the requests. The proxy is simply at the mercy of the HOME SERVER.
Go fix the home server to do EAP. If you can't make it do EAP, throw it away, and replace it with FreeRADIUS.
... that Radius Server is an FreeRadius server. I called the administrator of it. And it is running great with all other Radius server within the rest of the "sharing WLAN access" community.
That's nice. Ask him why it's returning Access-Reject for your users.
So, must be another error, I guess?
The home server is rejecting the user. No amount of playing games with the proxy will fix the home server. You could install 1.1.7, 2.0.5, Cisco ACS, Juniper's SBR, Radiator, or nearly any other RADIUS server on the proxy and IT STILL WOULD NOT WORK. Go fix the home server so that it doesn't reject your users. Yell at it's admin, if necessary. Stop playing games with the proxy. You're wasting your time. Alan DeKok.
If pap works and peap (mschap) doesn't the reason is usually that the passwords kept on the home server are encrypted. If they are nothing apart from changing the passwords to cleartext ones will make peap, mschap or chap work. You will be able to get EAP-TTLS/PAP to work. Ivan Kalik Kalik Informatika ISP Dana 3/7/2008, "uni@christiankraus.de" <uni@christiankraus.de> piše:
- External users should be able to login on WLAN via 802.1X with MSCHAPv2/PEAP in Windows XP.
That's relatively easy. In 2.0, just install it, configure a user/password (see the FAQ), start it in debug mode as root, and un-check "validate server certificate" on the Windows box.
Well, this is already running with internal user. Those are correctly proxied to the local internal Radius Server. Also they don´t have to uncheck the "validate server certificate" They can authenticate it against against an valid CA. There everything runs great. The problem exists with external customers that are proxied to another one.
When using local radtest to verify the user, everything looks okay. >>But as soon I take a windows client, properly configured, or the >>radeapclient, it doesn´t work.
Here is the output from radius -X. It is 1.1.7, but the same errors occur on version 2.0.5: Don't run 1.1.7. Honest.
Well I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don´t work.
#/This message appears about 2000+ times <shrug> It's 1.1.7.
Well, the output from radius -X had 17,5MB of size...
rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1, length=40 Reply-Message = "Request Denied" Proxy-State = 0x3931 So... the home server is rejecting the user. Have you run the home server in debug mode to see what it's doing, and why it's rejecting the request? If not, why not? Is it even >FreeRADIUS?
Well, I do not have any influence on that home server on my own. But...
My guess is that the home server cannot do EAP. If so, why are you "going crazy with freeradius"? You're blaming the proxy for the >>actionsof the home server.
...
Go fix the home server to do EAP. If you can't make it do EAP, throw it away, and replace it with FreeRADIUS.
... that Radius Server is an FreeRadius server. I called the administrator of it. And it is running great with all other Radius server within the rest of the "sharing WLAN access" community. It is in fact running now for years.
So, must be another error, I guess?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
... that Radius Server is an FreeRadius server. I called the administrator of it. And it is running great with all other Radius server within the rest of the "sharing WLAN access" community. It is in fact running now for years.
So, must be another error, I guess?
are you filtering attributes? if so, there are a large number of specific attributes that you MUST let through the proxy connection alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Ivan Kalik -
uni@christiankraus.de