Hello all, I am trying to authenticate to freeradius using ttls with mschapv2 and i don't succeed; Attached is my eap.conf file; If you think something is wrong there or something should be added please tell me; also if you think other files should be configured as well. Thank you in advance! # -*- text -*- # # Whatever you do, do NOT set 'Auth-Type := EAP'. The server # is smart enough to figure this out on its own. The most # common side effect of setting 'Auth-Type := EAP' is that the # users then cannot use ANY other authentication method. # # $Id: eap.conf,v 1.4.4.1 2006/01/04 14:29:29 nbk Exp $ # eap { # Invoke the default supported EAP type when # EAP-Identity response is received. # # The incoming EAP messages DO NOT specify which EAP # type they will be using, so it MUST be set here. # # For now, only one default EAP type may be used at a time. # # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. # default_eap_type = ttls # A list is maintained to correlate EAP-Response # packets with EAP-Request packets. After a # configurable length of time, entries in the list # expire, and are deleted. # timer_expire = 60 # There are many EAP types, but the server has support # for only a limited subset. If the server receives # a request for an EAP type it does not support, then # it normally rejects the request. By setting this # configuration to "yes", you can tell the server to # instead keep processing the request. Another module # MUST then be configured to proxy the request to # another RADIUS server which supports that EAP type. # # If another module is NOT configured to handle the # request, then the request will still end up being # rejected. ignore_unknown_eap_types = no # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given # a User-Name attribute in an Access-Accept, it copies one # more byte than it should. # # We can work around it by configurably adding an extra # zero byte. cisco_accounting_username_bug = no # Supported EAP-types # # We do NOT recommend using EAP-MD5 authentication # for wireless connections. It is insecure, and does # not provide for dynamic WEP keys. # # md5 { # } # Cisco LEAP # # We do not recommend using LEAP in new deployments. See: # http://www.securiteam.com/tools/5TP012ACKE.html # # Cisco LEAP uses the MS-CHAP algorithm (but not # the MS-CHAP attributes) to perform it's authentication. # # As a result, LEAP *requires* access to the plain-text # User-Password, or the NT-Password attributes. # 'System' authentication is impossible with LEAP. # # leap { # } # Generic Token Card. # # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be # the User-Password. # # Proxying the tunneled EAP-GTC session is a bad idea, # the users password will go over the wire in plain-text, # for anyone to see. # # gtc { # The default challenge, which many clients # ignore.. #challenge = "Password: " # The plain-text response which comes back # is put into a User-Password attribute, # and passed to another module for # authentication. This allows the EAP-GTC # response to be checked against plain-text, # or crypt'd passwords. # # If you say "Local" instead of "PAP", then # the module will look for a User-Password # configured for the request, and do the # authentication itself. # # auth_type = PAP # } ## EAP-TLS # # To generate ctest certificates, run the script # # ../scripts/certs.sh # # The documents on http://www.freeradius.org/doc # are old, but may be helpful. # # See also: # # http://www.dslreports.com/forum/remark,9286052~mode=flat # tls { # private_key_password = whatever private_key_password = asb#1234 # private_key_file = ${raddbdir}/certs/cert-srv.pem private_key_file = ${raddbdir}/certs/NEW/server-key.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # certificate_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/NEW/server.pem # Trusted Root CA list # CA_file = ${raddbdir}/certs/demoCA/cacert.pem CA_file = ${raddbdir}/certs/NEW/ca-cert.pem dh_file = ${raddbdir}/certs/NEW/dh random_file = ${raddbdir}/certs/NEW/random # # This can never exceed the size of a RADIUS # packet (4096 bytes), and is preferably half # that, to accomodate other attributes in # RADIUS packet. On most APs the MAX packet # length is configured between 1500 - 1600 # In these cases, fragment size should be # 1024 or less. # fragment_size = 1024 # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is # included in EVERY packet we send. # If set to no, Total Length of the # message is included ONLY in the # First packet of a fragment series. # include_length = yes # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. # 2) Execute 'c_rehash <CA certs&CRLs Directory>'. # 'c_rehash' is OpenSSL's command. # 3) Add 'CA_path=<CA certs&CRLs directory>' # to radiusd.conf's tls section. # 4) uncomment the line below. # 5) Restart radiusd check_crl = yes # # If check_cert_cn is set, the value will # be xlat'ed and checked against the CN # in the client certificate. If the values # do not match, the certificate verification # will fail rejecting the user. # # check_cert_cn = %{User-Name} } # The TTLS module implements the EAP-TTLS protocol, # which can be described as EAP inside of Diameter, # inside of TLS, inside of EAP, inside of RADIUS... # # Surprisingly, it works quite well. # # The TTLS module needs the TLS module to be installed # and configured, in order to use the TLS tunnel # inside of the EAP packet. You will still need to # configure the TLS module, even if you do not want # to deploy EAP-TLS in your network. Users will not # be able to request EAP-TLS, as it requires them to # have a client certificate. EAP-TTLS does not # require a client certificate. # ttls { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # TTLS tunnel, we recommend using EAP-MD5. # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. default_eap_type = mschapv2 # The tunneled authentication request does # not usually contain useful attributes # like 'Calling-Station-Id', etc. These # attributes are outside of the tunnel, # and normally unavailable to the tunneled # authentication request. # # By setting this configuration entry to # 'yes', any attribute which NOT in the # tunneled authentication request, but # which IS available outside of the tunnel, # is copied to the tunneled request. # # allowed values: {no, yes} copy_request_to_tunnel = yes # The reply attributes sent to the NAS are # usually based on the name of the user # 'outside' of the tunnel (usually # 'anonymous'). If you want to send the # reply attributes based on the user name # inside of the tunnel, then set this # configuration entry to 'yes', and the reply # to the NAS will be taken from the reply to # the tunneled request. # # allowed values: {no, yes} use_tunneled_reply = yes } sim { } # # The tunneled EAP session needs a default EAP type # which is separate from the one for the non-tunneled # EAP module. Inside of the TLS/PEAP tunnel, we # recommend using EAP-MS-CHAPv2. # # The PEAP module needs the TLS module to be installed # and configured, in order to use the TLS tunnel # inside of the EAP packet. You will still need to # configure the TLS module, even if you do not want # to deploy EAP-TLS in your network. Users will not # be able to request EAP-TLS, as it requires them to # have a client certificate. EAP-PEAP does not # require a client certificate. # # peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. # default_eap_type = mschapv2 # the PEAP module also has these configuration # items, which are the same as for TTLS. # copy_request_to_tunnel = no # use_tunneled_reply = no # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. # Set this entry to "no" to proxy the tunneled # EAP-MSCHAP-V2 as normal MSCHAPv2. # proxy_tunneled_request_as_eap = yes #} # # This takes no configuration. # # Note that it is the EAP MS-CHAPv2 sub-module, not # the main 'mschap' module. # # Note also that in order for this sub-module to work, # the main 'mschap' module MUST ALSO be configured. # # This module is the *Microsoft* implementation of MS-CHAPv2 # in EAP. There is another (incompatible) implementation # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not # currently support. # mschapv2 { } }
The authentication is still not working I attached the log I got when running in debug mode; also I attached my users file; Maybe you may help Alan DeKok wrote:
Cristian Novac wrote:
Hello all, I am trying to authenticate to freeradius using ttls with mschapv2 and i don't succeed; Attached is my eap.conf file;
Why? Every piece of documentation says to run the server in debugging mode. Go do that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
1232420100000015 Auth-Type := EAP, Autz-Type:=EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0x30000000000000000000000000000000, EAP-Sim-SRES1 = 0x30112233, EAP-Sim-KC1 = 0x445566778899AABB, EAP-Sim-Rand2 = 0x31000000000000000000000000000000, EAP-Sim-SRES2 = 0x31112233, EAP-Sim-KC2 = 0x445566778899AABB, EAP-Sim-Rand3 = 0x32000000000000000000000000000000, EAP-Sim-SRES3 = 0x32112233, EAP-Sim-KC3 = 0x445566778899AABB, 2244070100000001@japsim.foo Auth-Type := EAP, Autz-Type:= EAP, EAP-Type := SIM EAP-Sim-Rand1 = 0x101112131415161718191a1b1c1d1e1f, EAP-Sim-SRES1 = 0xd1d2d3d4, EAP-Sim-Rand2 = 0x202122232425262728292a2b2c2d2e2f, EAP-Sim-SRES2 = 0xe1e2e3e4, EAP-Sim-Rand3 = 0x303132333435363738393a3b3c3d3e3f, EAP-Sim-SRES3 = 0xf1f2f3f4, EAP-Sim-KC1 = 0xa0a1a2a3a4a5a6a7, EAP-Sim-KC2 = 0xb0b1b2b3b4b5b6b7, EAP-Sim-KC3 = 0xc0c1c2c3c4c5c6c7, # # Please read the documentation file ../doc/processing_users_file, # or 'man 5 users' (after installing the server) for more information. # # This file contains authentication security and configuration # information for each user. Accounting requests are NOT processed # through this file. Instead, see 'acct_users', in this directory. # # The first field is the user's name and can be up to # 253 characters in length. This is followed (on the same line) with # the list of authentication requirements for that user. This can # include password, comm server name, comm server port number, protocol # type (perhaps set by the "hints" file), and huntgroup name (set by # the "huntgroups" file). # # If you are not sure why a particular reply is being sent by the # server, then run the server in debugging mode (radiusd -X), and # you will see which entries in this file are matched. # # When an authentication request is received from the comm server, # these values are tested. Only the first match is used unless the # "Fall-Through" variable is set to "Yes". # # A special user named "DEFAULT" matches on all usernames. # You can have several DEFAULT entries. All entries are processed # in the order they appear in this file. The first entry that # matches the login-request will stop processing unless you use # the Fall-Through variable. # # If you use the database support to turn this file into a .db or .dbm # file, the DEFAULT entries _have_ to be at the end of this file and # you can't have multiple entries for one username. # # You don't need to specify a password if you set Auth-Type += System # on the list of authentication requirements. The RADIUS server # will then check the system password file. # # Indented (with the tab character) lines following the first # line indicate the configuration values to be passed back to # the comm server to allow the initiation of a user session. # This can include things like the PPP configuration values # or the host to log the user onto. # # You can include another `users' file with `$INCLUDE users.other' # # # For a list of RADIUS attributes, and links to their definitions, # see: # # http://www.freeradius.org/rfc/attributes.html # @asb.com Auth-Type := Local, User-Password == "mypass@wd" Framed-MTU = 3795, 3GPP2-Service-Option-Profile = 0x000000100104a501, Fall-Through = Yes myuser Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, 3GPP2-Service-Option-Profile = 0x000000100104a501, Service-Flow-Descriptor = 0x000104008302040083040303050304060301070383080384, QoS-Descriptor += 0x8001038304030206060001f4000c0302, QoS-Descriptor += 0x000103840403020606000fa0000c0302, Fall-Through = Yes #VSA SF #myuser Auth-Type := Local, User-Password == "mypass@wd" # Session-Timeout = 3600, # Termination-Action = 1, # Class = 0x1234567890, # User-Name = "accounting", # Service-Flow-Descriptor += 0x800104111102041112040303050304060301070311080312, # Service-Flow-Descriptor += 0x000104002302040003040303050301060301070304, # QoS-Descriptor += 0x8001031104030206060007d0000c0302, # QoS-Descriptor += 0x800103120403020606001f40000c0302, # QoS-Descriptor += 0x0001030404030606060001d4c0070600015f900906000000140a06000000190c03010d040014 BE2048 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor = 0x000104008302040083040303050304060301070383080384, QoS-Descriptor += 0x800103830403020606000F40000c0302, QoS-Descriptor += 0x000103840403020606001F40000c0302 UGS1024 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor = 0x0001041111040303050304060301070311, QoS-Descriptor += 0x000103110403060706000fa0000906000000140a06000000140c03010d040014 UGS3073 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor = 0x0001041111040303050304060301070312, QoS-Descriptor += 0x000103120403060706002ee3e80906000000140a06000000140c03010d040014 BE_UGS Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x800104008302040083040303050304060301070383080384, Service-Flow-Descriptor += 0x0001041111040303050304060301070312, QoS-Descriptor += 0x800103830403020606000F40000c0302, QoS-Descriptor += 0x800103840403020606001F40000c0302, QoS-Descriptor += 0x000103120403060706002ee3e80906000000140a06000000140c03010d040014 ERTVR Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor = 0x0001041112040303050304060301070313080314, QoS-Descriptor += 0x800103130403050503030606000fa00007060007d00009060000000a0a06000000140c03800d040014, QoS-Descriptor += 0x000103140403050503030606002ee3e80706000fa00009060000000a0a06000000140c0380 ERTVR_BE Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x000104008302040083040303050304060301070383080384, QoS-Descriptor += 0x800103130403050503030606000fa00007060007d00009060000000a0a06000000140c03800d040014, QoS-Descriptor += 0x800103140403050503030606002ee3e80706000fa00009060000000a0a06000000140c0380, QoS-Descriptor += 0x800103830403020606000F40000c0302, QoS-Descriptor += 0x000103840403020606001F40000c0302 ERTVR_UGS Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x0001041111040303050304060301070312, QoS-Descriptor += 0x800103130403050503030606000fa00007060007d00009060000000a0a06000000140c03800d040014, QoS-Descriptor += 0x800103140403050503030606002ee3e80706000fa00009060000000a0a06000000140c0380, QoS-Descriptor += 0x000103120403060706002ee3e80906000000140a06000000140c03010d040014 UGS_ERTVR Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041111040303050304060301070312, Service-Flow-Descriptor += 0x0001041112040303050304060301070313080314, QoS-Descriptor += 0x800103120403060706000fa0000906000000140a06000000140c03010d040014, QoS-Descriptor += 0x800103130403050503030606000fa00007060007d00009060000000a0a06000000140c03800d040014, QoS-Descriptor += 0x000103140403050503030606002ee3e80706000fa00009060000000a0a06000000140c0380 ERTVR_UGS2 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x0001041111040303050304060301070312, QoS-Descriptor += 0x800103130403050503030606000fa00007060007d00009060000000a0a06000000140c03800d040014, QoS-Descriptor += 0x800103140403050503030606002ee3e80706000fa00009060000000a0a06000000140c0380, QoS-Descriptor += 0x000103120403060706002ee3e80906000000140a06000000140c03010d040014 ERTVR_UGS1 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x0001041111040303050304060301070311, QoS-Descriptor += 0x800103130403050503030606000fa00007060007d00009060000000a0a06000000140c03800d040014, QoS-Descriptor += 0x800103140403050503030606002ee3e80706000fa00009060000000a0a06000000140c0380, QoS-Descriptor += 0x000103110403060706000fa0000906000000140a06000000140c03010d040014 NRTVR Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x0001041112040303050304060301070313080314, QoS-Descriptor += 0x8001031304030305030107060003e8000c0382, QoS-Descriptor += 0x0001031404030305030107060007d0000c0382 NRTVR1 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor = 0x0001041112040303050304060301070313080314, QoS-Descriptor += 0x8001031304030305030106060007d00007060007d0000c0382, QoS-Descriptor += 0x000103140403030503010606000fa0000706000fa0000c0382 NRTVR_UGS Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x0001041111040303050304060301070312, QoS-Descriptor += 0x8001031304030305030106060007d00007060007d0000c0382, QoS-Descriptor += 0x800103140403030503010606000fa0000706000fa0000c0382, QoS-Descriptor += 0x000103120403060706002ee3e80906000000140a06000000140c03010d040014 NRTVR_BE Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x000104008302040083040303050304060301070383080384, QoS-Descriptor += 0x8001031304030305030106060007d00007060007d0000c0382, QoS-Descriptor += 0x800103140403030503010606000fa0000706000fa0000c0382, QoS-Descriptor += 0x800103830403020606000F40000c0302, QoS-Descriptor += 0x000103840403020606001F40000c0302 NRTVR_UGS1 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x0001041111040303050304060301070311, QoS-Descriptor += 0x8001031304030305030106060007d00007060007d0000c0382, QoS-Descriptor += 0x800103140403030503010606000fa0000706000fa0000c0382, QoS-Descriptor += 0x000103110403060706000fa0000906000000140a06000000140c03010d040014 RTVR Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor = 0x0001041112040303050304060301070313080314, QoS-Descriptor += 0x800103130403040503020606000FA00007060007d0000a06000000640c03810f040032, QoS-Descriptor += 0x000103140403040503020606001f40000706000fa0000a06000000640c0381 RTVR_BE Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x000104008302040083040303050304060301070383080384, QoS-Descriptor += 0x800103130403040503020606000FA00007060007d0000a06000000640c03810f040032, QoS-Descriptor += 0x800103140403040503020606001f40000706000fa0000a06000000640c0381, QoS-Descriptor += 0x800103830403020606000F40000c0302, QoS-Descriptor += 0x000103840403020606001F40000c0302 RTVR_UGS1 Auth-Type := Local, User-Password == "mypass@wd" Session-Timeout = 3600, Termination-Action = 1, Service-Flow-Descriptor += 0x8001041112040303050304060301070313080314, Service-Flow-Descriptor += 0x0001041111040303050304060301070311, QoS-Descriptor += 0x800103130403040503020606000FA00007060007d0000a06000000640c03810f040032, QoS-Descriptor += 0x800103140403040503020606001f40000706000fa0000a06000000640c0381, QoS-Descriptor += 0x800103140403030503010606000fa0000706000fa0000c0382, QoS-Descriptor += 0x000103110403060706000fa0000906000000140a06000000140c03010d040014 # # Deny access for a specific user. Note that this entry MUST # be before any other 'Auth-Type' attribute which results in the user # being authenticated. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #lameuser Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # # This is a complete entry for "steve". Note that there is no Fall-Through # entry so that no DEFAULT entry will be used, and the user will NOT # get any attributes in addition to the ones listed here. # #steve Auth-Type := Local, User-Password == "testing" # Service-Type = Framed-User, # Framed-Protocol = PPP, # Framed-IP-Address = 172.16.3.33, # Framed-IP-Netmask = 255.255.255.0, # Framed-Routing = Broadcast-Listen, # Framed-Filter-Id = "std.ppp", # Framed-MTU = 1500, # Framed-Compression = Van-Jacobsen-TCP-IP # # This is an entry for a user with a space in their name. # Note the double quotes surrounding the name. # #"John Doe" Auth-Type := Local, User-Password == "hello" # Reply-Message = "Hello, %u" # # Dial user back and telnet to the default host for that port # #Deg Auth-Type := Local, User-Password == "ge55ged" # Service-Type = Callback-Login-User, # Login-IP-Host = 0.0.0.0, # Callback-Number = "9,5551212", # Login-Service = Telnet, # Login-TCP-Port = Telnet # # Another complete entry. After the user "dialbk" has logged in, the # connection will be broken and the user will be dialed back after which # he will get a connection to the host "timeshare1". # #dialbk Auth-Type := Local, User-Password == "callme" # Service-Type = Callback-Login-User, # Login-IP-Host = timeshare1, # Login-Service = PortMaster, # Callback-Number = "9,1-800-555-1212" # # user "swilson" will only get a static IP number if he logs in with # a framed protocol on a terminal server in Alphen (see the huntgroups file). # # Note that by setting "Fall-Through", other attributes will be added from # the following DEFAULT entries # #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.65, # Fall-Through = Yes # # If the user logs in as 'username.shell', then authenticate them # against the system database, give them shell access, and stop processing # the rest of the file. # #DEFAULT Suffix == ".shell", Auth-Type := System # Service-Type = Login-User, # Login-Service = Telnet, # Login-IP-Host = your.shell.machine # # The rest of this file contains the several DEFAULT entries. # DEFAULT entries match with all login names. # Note that DEFAULT entries can also Fall-Through (see first entry). # A name-value pair from a DEFAULT entry will _NEVER_ override # an already existing name-value pair. # # # First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type = Local # 3GPP2-Service-Option-Profile = 0x000000020104800101048101, # 3GPP2-Service-Option-Profile = 0x000000100104800101048801010490010104A0010104A8010104B0010104C0010104800101048801010490010104A0010104A8010104B0010104C0010104800101048801, # Session-Timeout = 3600, # Termination-Action = 1 # Fall-Through = 1 # # Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.32+, # Fall-Through = Yes #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" # Framed-IP-Address = 192.168.2.32+, # Fall-Through = Yes # # Defaults for all framed connections. # #DEFAULT Service-Type == Framed-User # Framed-IP-Address = 255.255.255.254, # Framed-MTU = 576, # Service-Type = Framed-User, # Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # #DEFAULT Framed-Protocol == PPP # Framed-Protocol = PPP, # Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # #DEFAULT Hint == "CSLIP" # Framed-Protocol = SLIP, # Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # #DEFAULT Hint == "SLIP" # Framed-Protocol = SLIP # # Last default: rlogin to our main server. # #DEFAULT # Service-Type = Login-User, # Login-Service = Rlogin, # Login-IP-Host = shellbox.ispdomain.com # # # # Last default: shell on the local terminal server. # # # DEFAULT # Service-Type = Shell-User # On no match, the user is denied access.
hi, ummm, lets get this right - you are using FreeRADIUS 1.1.0 ? I'm sorry - cannot give any support until you are using 1.1.7 (which has many old and obsolete bugs and issues removed) alan
Hi,
[/udir/delivery_a0028/wacsim_trunk/scripts/services/freeradius-1.1.0//etc/raddb/users]:1 WARNING! Check item "EAP-Sim-Rand1" ?found in reply item list for user "1232420100000015". ?This attribute MUST go on the first line with the other check items
..and many more - this is an obvious issue - please follow what the server says! your users file is incorrect, you must ensure all the check items are on the first line - currently you end your first line with no comma - and have a trailing comma on the last entries. please change this to user type:=XXX blah:=this oh_and:=that, EAP-SIM1 = thisnthat, EAP-blah-blah = morejunk alan
Cristian Novac wrote:
The authentication is still not working I attached the log I got when running in debug mode;
It's long and informative. As was pointed out, it includes a lot of issues that you should fix. In short, you configured "Auth-Type" somewhere, and broke the server. The debug log shows this clearly: modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 modcall[authorize]: module "chap" returns noop for request 10 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' - So mschap should be used for authentication modcall[authorize]: module "mschap" returns ok for request 10 rlm_realm: No '@' in User-Name = "BE2048", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 10 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 10 users: Matched entry BE2048 at line 108 - Which is: BE2048 Auth-Type := Local, User-Password == "mypass@wd" See? All of the documentation and Wiki pages say don't set Auth-Type. Why? Because ALMOST EVERYONE GETS IT WRONG. DELETE EVERY REFERENCE TO "Auth-Type := Local" You configured the server to prevent MS-CHAP authentication. The debug log shows this. It's not hard to find: look for the first instance of the word "reject" while it's processing a request. Then, read the lines above that. Also, upgrade to 1.1.7. There are many fixes, and more documentation saying what to do, and what not to do. Alan DeKok.
Thank you Allan for all the explanations; the problem was solved and the next thing I'll do will be to upgrade to FreeRadius 1.1.7 Cristian NOVAC Alan DeKok wrote:
Cristian Novac wrote:
The authentication is still not working I attached the log I got when running in debug mode;
It's long and informative. As was pointed out, it includes a lot of issues that you should fix.
In short, you configured "Auth-Type" somewhere, and broke the server. The debug log shows this clearly:
modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 modcall[authorize]: module "chap" returns noop for request 10 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
- So mschap should be used for authentication
modcall[authorize]: module "mschap" returns ok for request 10 rlm_realm: No '@' in User-Name = "BE2048", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 10 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 10 users: Matched entry BE2048 at line 108
- Which is:
BE2048 Auth-Type := Local, User-Password == "mypass@wd"
See? All of the documentation and Wiki pages say don't set Auth-Type. Why? Because ALMOST EVERYONE GETS IT WRONG.
DELETE EVERY REFERENCE TO "Auth-Type := Local"
You configured the server to prevent MS-CHAP authentication. The debug log shows this. It's not hard to find: look for the first instance of the word "reject" while it's processing a request. Then, read the lines above that.
Also, upgrade to 1.1.7. There are many fixes, and more documentation saying what to do, and what not to do.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, we need to see the output of the radiusd -X - the config file looks fine(!) we also need to know HOW you are trying to use MSCHAPv2 - where is your authentication done? users file? DB, ntlm_auth etc etc alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Cristian Novac