using freradius 1.0.5 to secure an WLAN AP
Hello, I try to use freeradius to secure my WLAN. But it will not work. The clients talk to the ap and the ap to my radius Server. But the answer of the radius server is not ok:( It will use EAP-TLS. The clients has valid certificates. This is the output of radiusd -X -A when a client try's to connect: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163 User-Name = "schneeball.netz-von-frank" NAS-IP-Address = 192.168.1.2 Called-Station-Id = "0014bfa57781" Calling-Station-Id = "000e2e3ee98f" NAS-Identifier = "0014bfa57781" NAS-Port = 24 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b Message-Authenticator = 0x66c2303e813aec1cfd1cde8a17334a73 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051228' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051228 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 rlm_realm: No '@' in User-Name = "schneeball.netz-von-frank", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 192.168.1.2:2068 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2ba99a35bae31f77cfceff5a7b53c1db Finished request 0 Going to the next request In this case the name of the client machine is schneeball.netz-von-frank what make I wrong??
=?us-ascii?Q?Frank_Buttner?= <frank-buettner@gmx.net> wrote:
Hello, I try to use freeradius to secure my WLAN. But it will not work. The clients talk to the ap and the ap to my radius Server. But the answer of the radius server is not ok:(
What's going wrong? Your message doesn't include anything that I can see is a problem. Alan DeKok.
But not client will get access. The Windows XP clients say that they can not be verified. And my Windows 2000 Clients will send the request all time because the request from the radius server seems not complete:( -----Original Message----- From: freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org [mailto:freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: Wednesday, December 28, 2005 11:47 PM To: FreeRadius users mailing list Subject: Re: using freradius 1.0.5 to secure an WLAN AP =?us-ascii?Q?Frank_Buttner?= <frank-buettner@gmx.net> wrote:
Hello, I try to use freeradius to secure my WLAN. But it will not work. The clients talk to the ap and the ap to my radius Server. But the answer of the radius server is not ok:(
What's going wrong? Your message doesn't include anything that I can see is a problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So here I have the hole output again. So long I see, there is no certificate exchange?? NAS-Identifier = "0014bfa57781" NAS-Port = 24 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b Message-Authenticator = 0xdd3d83f19e08787f6907798c30ef7b7c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 rlm_realm: No '@' in User-Name = "schneeball.netz-von-frank", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 192.168.1.2:2068 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd69dcd7c75cc15eea53e2baca8acbce5 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163 User-Name = "schneeball.netz-von-frank" NAS-IP-Address = 192.168.1.2 Called-Station-Id = "0014bfa57781" Calling-Station-Id = "000e2e3ee98f" NAS-Identifier = "0014bfa57781" NAS-Port = 24 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b Message-Authenticator = 0xf5f960c2cb0c4acc07d7f9d962b26fd9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229 modcall[authorize]: module "auth_log" returns ok for request 1 modcall[authorize]: module "attr_filter" returns noop for request 1 rlm_realm: No '@' in User-Name = "schneeball.netz-von-frank", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 0 to 192.168.1.2:2068 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa87e53fdb3ded6be7a711bf1e3a79879 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163 User-Name = "schneeball.netz-von-frank" NAS-IP-Address = 192.168.1.2 Called-Station-Id = "0014bfa57781" Calling-Station-Id = "000e2e3ee98f" NAS-Identifier = "0014bfa57781" NAS-Port = 24 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b Message-Authenticator = 0x44c69b1ab2ae0e9c056eceedfb528543 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229 modcall[authorize]: module "auth_log" returns ok for request 2 modcall[authorize]: module "attr_filter" returns noop for request 2 rlm_realm: No '@' in User-Name = "schneeball.netz-von-frank", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 1 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 0 to 192.168.1.2:2068 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0da316f282812e54cf900c9997cb7612 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163 User-Name = "schneeball.netz-von-frank" NAS-IP-Address = 192.168.1.2 Called-Station-Id = "0014bfa57781" Calling-Station-Id = "000e2e3ee98f" NAS-Identifier = "0014bfa57781" NAS-Port = 24 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b Message-Authenticator = 0x4b44441b0a991ef387981cbc5618e700 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229 modcall[authorize]: module "auth_log" returns ok for request 3 modcall[authorize]: module "attr_filter" returns noop for request 3 rlm_realm: No '@' in User-Name = "schneeball.netz-von-frank", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 1 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 0 to 192.168.1.2:2068 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc7e720cf22b959e7a88e5c6ca2f33d38 Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=163 User-Name = "schneeball.netz-von-frank" NAS-IP-Address = 192.168.1.2 Called-Station-Id = "0014bfa57781" Calling-Station-Id = "000e2e3ee98f" NAS-Identifier = "0014bfa57781" NAS-Port = 24 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001e017363686e656562616c6c2e6e65747a2d766f6e2d6672616e6b Message-Authenticator = 0x62cf2cd7aa0ec7094f14f12d2a1d6613 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 radius_xlat: '/var/log/radius/radacct/192.168.1.2/auth-detail-20051229' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.2/auth-detail-20051229 modcall[authorize]: module "auth_log" returns ok for request 4 modcall[authorize]: module "attr_filter" returns noop for request 4 rlm_realm: No '@' in User-Name = "schneeball.netz-von-frank", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 1 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 0 to 192.168.1.2:2068 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63a2c78c3eaec0e6c63696a54603ac45 Finished request 4 Going to the next request -----Original Message----- From: freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org [mailto:freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org ] On Behalf Of Frank Buttner Sent: Thursday, December 29, 2005 9:57 AM To: 'FreeRadius users mailing list' Subject: RE: using freradius 1.0.5 to secure an WLAN AP But not client will get access. The Windows XP clients say that they can not be verified. And my Windows 2000 Clients will send the request all time because the request from the radius server seems not complete:( -----Original Message----- From: freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org [mailto:freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: Wednesday, December 28, 2005 11:47 PM To: FreeRadius users mailing list Subject: Re: using freradius 1.0.5 to secure an WLAN AP =?us-ascii?Q?Frank_Buttner?= <frank-buettner@gmx.net> wrote:
Hello, I try to use freeradius to secure my WLAN. But it will not work. The clients talk to the ap and the ap to my radius Server. But the answer of the radius server is not ok:(
What's going wrong? Your message doesn't include anything that I can see is a problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
=?us-ascii?Q?Frank_Buttner?= <frank-buettner@gmx.net> wrote:
But not client will get access. The Windows XP clients say that they can not be verified. And my Windows 2000 Clients will send the request all time because the request from the radius server seems not complete:(
The debug shows the server responding, but the supplicant or AP never continues the conversation. Check that the AP isn't discarding the servers response. Alan DeKok.
I think the same. I have try to run ethereal on the linux client's and I must see, that after that the client send his ID nothing happened more:( I have write this the manufacture of the WLAN router. I have an WRT54GS v4. -----Original Message----- From: freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org [mailto:freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: Thursday, December 29, 2005 6:59 PM To: FreeRadius users mailing list Subject: Re: using freradius 1.0.5 to secure an WLAN AP =?us-ascii?Q?Frank_Buttner?= <frank-buettner@gmx.net> wrote:
But not client will get access. The Windows XP clients say that they can not be verified. And my Windows 2000 Clients will send the request all time because the request from the radius server seems not complete:(
The debug shows the server responding, but the supplicant or AP never continues the conversation. Check that the AP isn't discarding the servers response. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
=?us-ascii?Q?Frank_Buttner?= <frank-buettner@gmx.net> wrote:
I think the same. I have try to run ethereal on the linux client's and I must see, that after that the client send his ID nothing happened more:( I have write this the manufacture of the WLAN router. I have an WRT54GS v4.
I would also suggest checking that the certificates includes the Windows "extended OID" field. See the "scripts" directory. Alan DeKok.
Yes I have add this value client for the clients(1.3.6.1.5.5.7.3.2) and Server for the Server(1.3.6.1.5.5.7.3.1). -----Original Message----- From: freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org [mailto:freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: Thursday, December 29, 2005 9:00 PM To: FreeRadius users mailing list Subject: Re: using freradius 1.0.5 to secure an WLAN AP =?us-ascii?Q?Frank_Buttner?= <frank-buettner@gmx.net> wrote:
I think the same. I have try to run ethereal on the linux client's and I must see, that after that the client send his ID nothing happened more:( I have write this the manufacture of the WLAN router. I have an WRT54GS v4.
I would also suggest checking that the certificates includes the Windows "extended OID" field. See the "scripts" directory. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So now it works better. After set the IP of the radius server from * to a real IP. But now I get this error: rad_recv: Access-Request packet from host 192.168.1.2:2068, id=0, length=157 User-Name = "schneeball.netz-von-frank" NAS-IP-Address = 192.168.1.2 Called-Station-Id = "0014bfa57781" Calling-Station-Id = "000e2e3ee98f" NAS-Identifier = "0014bfa57781" NAS-Port = 24 Framed-MTU = 1400 State = 0x67b9d350a906536416e7852c3c0a23d0 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02090006030d Message-Authenticator = 0x97c747363c9fb963fe9a5ed06bc93479 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 modcall[authorize]: module "chap" returns noop for request 19 modcall[authorize]: module "mschap" returns noop for request 19 rlm_realm: No '@' in User-Name = "schneeball.netz-von-frank", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 19 rlm_eap: EAP packet type response id 9 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 19 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 19 modcall: group authorize returns updated for request 19 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/tls rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what is the client thinking? rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 19 modcall: group authenticate returns invalid for request 19 auth: Failed to validate the user. Delaying request 19 for 1 seconds Finished request 19 Going to the next request -----Original Message----- From: freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org [mailto:freeradius-users-bounces+frank-buettner=gmx.net@lists.freeradius.org ] On Behalf Of Frank Buttner Sent: Thursday, December 29, 2005 9:30 PM To: 'FreeRadius users mailing list' Subject: RE: using freradius 1.0.5 to secure an WLAN AP Yes I have add this value client for the clients(1.3.6.1.5.5.7.3.2) and Server for the Server(1.3.6.1.5.5.7.3.1).
Now it works. The last Bug was one in the driver of the network card. So I must buy another wlan card.
participants (2)
-
Alan DeKok -
Frank Buttner