<!-- _filtered {margin:0.79in;} P {margin-bottom:0.08in;} -->Hi everyone Merry Christmas and a Happy new year , I am trying to set up freeradius-1.1.3 for a wlan using peap - eap/mschapv2. I have downloaded the source of freeradius-1.1.3 and compile it (./configure , make , make install). My wireless supplicant is on windows xp SP2. I use users file for authentication . I will show you the radiusd -X output and the freeradius behavior when the supplicant tries to connect to the wlan: root@apolyxrono2:~# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 10.0.0.15 IP address [10.0.0.15] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = no mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 10.0.0.15:1812 Listening on accounting 10.0.0.15:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.10:3794, id=160, length=132 NAS-IP-Address = 10.0.0.10 NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Framed-MTU = 1400 User-Name = "someone" Calling-Station-Id = "00166f122595" Called-Station-Id = "000d545c4190" NAS-Identifier = "3Com Access Point" EAP-Message = 0x0201000c01736f6d656f6e65 Message-Authenticator = 0x160e121c6c28afb7f18ee9f0862390d0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "someone", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry someone at line 219 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 160 to 10.0.0.10 port 3794 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 160 with timestamp 4596dbfe Nothing to do. Sleeping until we see a request. rad_recv: Accounting-Request packet from host 10.0.0.10:3791, id=45, length=166 Acct-Status-Type = Start Acct-Session-Id = "00166f122595-000d54fdb5ea-bcf9" NAS-IP-Address = 10.0.0.10 Acct-Input-Octets = 198 Acct-Output-Octets = 122 Acct-Input-Packets = 3 Acct-Output-Packets = 3 User-Name = "not available" Vendor-Specific = 0x564c414e2049442069733a2030 Vendor-Specific = 0x4553534944203d206d794170 Vendor-Specific = 0x45415020547970652069733a206e6f7420617661696c61626c65 Acct-Session-Time = 26 Processing the preacct section of radiusd.conf modcall: entering group preacct for request 1 modcall[preacct]: module "preprocess" returns noop for request 1 rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing ',Client-IP-Address = 10.0.0.10,NAS-IP-Address = 10.0.0.10,Acct-Session-Id = "00166f122595-000d54fdb5ea-bcf9",User-Name = "not available"' rlm_acct_unique: Acct-Unique-Session-ID = "11a74fb405c72016". modcall[preacct]: module "acct_unique" returns ok for request 1 rlm_realm: No '@' in User-Name = "not available", looking up realm NULL rlm_realm: No such realm "NULL" modcall[preacct]: module "suffix" returns noop for request 1 modcall[preacct]: module "files" returns noop for request 1 modcall: leaving group preacct (returns ok) for request 1 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 1 radius_xlat: '/usr/local/var/log/radius/radacct/10.0.0.10/detail-20061230' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.0.0.10/detail-20061230 modcall[accounting]: module "detail" returns ok for request 1 modcall[accounting]: module "unix" returns noop for request 1 radius_xlat: '/usr/local/var/log/radius/radutmp' radius_xlat: 'not available' rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! modcall[accounting]: module "radutmp" returns noop for request 1 modcall: leaving group accounting (returns ok) for request 1 Sending Accounting-Response of id 45 to 10.0.0.10 port 3791 Finished request 1 Going to the next request --- Walking the entire request list --- Cleaning up request 1 ID 45 with timestamp 4596dc07 Nothing to do. Sleeping until we see a request. .............................. Why the authentication of "someone" user failed ? What does it means : module "mschap" returns noop for request 0 ? Is it important debug info ? thanks Adreas Polyxronopoulos Send instant messages to your online friends http://uk.messenger.yahoo.com Send instant messages to your online friends http://uk.messenger.yahoo.com
Hi,
I am trying to set up freeradius-1.1.3 for a wlan using peap - eap/mschapv2. I have downloaded the source of freeradius-1.1.3 and compile it (./configure , make , make install). My wireless supplicant is on windows xp SP2. I use users file for authentication .
that wont work easily.
Why the authentication of "someone" user failed ? What does it means : module "mschap" returns noop for request 0 ? Is it important debug info ?
do you have the NT hash in the users files as their entry? have you enabled NT domain hack? alan
adreas Polyxronopoulos wrote:
rad_recv: Access-Request packet from host 10.0.0.10:3794, id=160, length=132 NAS-IP-Address = 10.0.0.10 NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Framed-MTU = 1400 User-Name = "someone" Calling-Station-Id = "00166f122595" Called-Station-Id = "000d545c4190" NAS-Identifier = "3Com Access Point" EAP-Message = 0x0201000c01736f6d656f6e65 Message-Authenticator = 0x160e121c6c28afb7f18ee9f0862390d0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "someone", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry someone at line 219 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Local
Don't set Auth-Type to Local. Don't set it to anything in fact. In 99% of cases, a correctly configured server will set it just fine itself, and attempting to fiddle with it will break things. Most likely one of the two entries in the "users" file in line 155 or 219 is causing it to break. Your users file only needs: username User-Password := "thepassword"
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
adreas Polyxronopoulos -
Phil Mayers