Hello all, I am having some issues with setting up 802.1x using freeradius-server-2.1.1-2.el5. I have 3 SSIDs setup. One of them is doing Mac Auth against a file. One is using ldap auth and the other is setup to use 802.1x. Mac auth and ldap auth works great so I know my ldap config in radius should be setup correctly. It looks like the authorize part of 802.1x works but it fails during the authenticate part. Does anyone see what I have messed up? I am sure it is something simple that I am overlooking. I am using windows xp sp3 to try to connect to this network. My wireless network is all Cisco LWAPP AP's connecting to Cisco WLAN controllers and we use Cisco WCS to manage all of these devices. I am trying to setup a secure network using wpa and wpa2 with 802.1x using eap-peap. The message 'WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?' shows up also on the non-802.1x ldap auth wlan that works. Let me know if more detail is needed. TIA! Config file snippets: authorize { preprocess chap mschap suffix eap { ok = return } unix files ldap ldap_all_myids expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } Auth-Type LDAP_ALL_MYIDS { ldap_all_myids } eap } ldap ldap_all_myids { server = "localhost" identity = "cn=blah,ou=something,o=uga" password = "my_pass" basedn = "ou=users,o=uga" filter = "(cn=%u)" start_tls = no tls_mode = no # access_attr = "dialupAccess" access_attr = "ugaelmkprov" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } Log file: rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=191, length=181 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x020b000d016b6c6564666f7264 Message-Authenticator = 0xb4fdd87de3f264b7a28bd05a07ceae23 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for kledford [ldap] expand: (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=%u)) -> (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford)) [ldap] expand: ou=users,o=uga -> ou=users,o=uga rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford)) rlm_ldap: ldap_search() failed: LDAP connection lost. rlm_ldap: Attempting reconnect rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford)) [ldap] checking if remote access for kledford is allowed by ugaelmkprov [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kledford authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok [ldap_all_myids] performing user authorization for kledford [ldap_all_myids] expand: (cn=%u) -> (cn=kledford) [ldap_all_myids] expand: ou=users,o=uga -> ou=users,o=uga rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford) rlm_ldap: ldap_search() failed: LDAP connection lost. rlm_ldap: Attempting reconnect rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford) [ldap_all_myids] checking if remote access for kledford is allowed by ugaelmkprov [ldap_all_myids] No default NMAS login sequence [ldap_all_myids] looking for check items in directory... [ldap_all_myids] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap_all_myids] user kledford authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap_all_myids] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 191 to 172.17.6.205 port 32770 EAP-Message = 0x010c00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0282fb8e028ee22c7ff0f6bedc08a825 Finished request 70. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=192, length=266 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x020c005019800000004616030100410100003d0301496f410ff8ee077ce9d259abb7f81ed6db2ea758cffee4e7ad7eb61b95e8329a00001600040005000a000900640062000300060013001200630100 State = 0x0282fb8e028ee22c7ff0f6bedc08a825 Message-Authenticator = 0x2f08e7cd6b50bc98da1db2daf64fc80f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 192 to 172.17.6.205 port 32770 EAP-Message = 0x010d040019c00000089b160301002a020000260301496f3ee1ee8866b8a4376d656afa915e2b592a924331e0656bce890e613fc83d00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303130383232313433335a170d3130303130383232313433335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7d8c0ef7a3a864ea16abde689de9400a9efdf1a723cba7527411b145f5f30d30db1a7ef5d5a6c8e611c936e821ef04bf3a0a42bed5e573364ac9fc855d2 EAP-Message = 0x9dc5234c6a61b0c639d1205aa8f6baa7a1798dc955d6792d68778d995c460a09b5e1ee31c0ca65fd7df82c8a30b284ea76a1875e16a4fa0b08f93927516f8ceb745842c378db6d5c1406c734d618323918d433707c4e59e6435881a39e18cb0ce52c1623cf149e57425ddfae12be2b2befbd9ba756f589a05f8935ce573ad4f6fcad95116eb8499c1daa6f3f34da4ccb275c6686677bc25ae678b5fabadd8c474d2a87263705892a9dee3a8b5c5ad11d1b229d93b7b37235bfa25c908e4a5c643fe70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010046d53a405176aa48f1 EAP-Message = 0x9db9b1e524130f431f8d31d979c3c9cb9d01dfa19eacaa8bf1354d77b8431d571e12011a22f5adb109c8336191a861f9ee34a0f51c5d8991bd8feddac68ffac0ede52e5e9bd3efc17b6924e9bf4ec4944dda2bb48c10680ac49473dd2c474637c05c0594ec984f91468614a00e16547cb1b4227fe0b554a45d93852b09 EAP-Message = 0x69eba10c49200443 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0282fb8e008ce22c7ff0f6bedc08a825 Finished request 72. Going to the next requ Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=194, length=192 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x020e00061900 State = 0x0282fb8e008ce22c7ff0f6bedc08a825 Message-Authenticator = 0x4aa592830ab1a5ab74e9a9a007187cb3 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 14 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 194 to 172.17.6.205 port 32770 EAP-Message = 0x010f00b51900dbe740ea1ac0356d73325c3b4862b3d7de03f02a23dba6bca2f6f1b797a90fbf5218a80d927bb8db9704876c522721d2a501828d7bbe23987b3f9f1232f56c98240d6e7810db793c7dd5e34daf5cf4299daa19393ea7ca3fc824447b57a62db54a622b8245942bc900cb982216c393a912b5ec346076e6044863de5249f31e319e8a0e876937e0b3520514fc00e3072659bbb89957d1322ad32aa4cbcb9418749803eb4310ae16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0282fb8e018de22c7ff0f6bedc08a825 Finished request 73. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=195, length=508 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x020f014019800000013616030101061000010201009b838b42c320d7d04e42a0b97c6f5480741eeb64be1f131e3dacb4c0394fb96bda91ccae4264e9a3264cc7e1bc621a8c9c0bf2be4de29042ee94469be9e3830f348df4009c679c00a1241df4b2b65fab811351cb1b97847eba5bfe321dc32739f93043103bd3a969513b10dbca3a2c9deb4a9a492603629e7e9ddaa362f0b148ad1842270a18321708ff0e314412079d458dd4b9fab38d9f1b86a65fa0fa8b0a2e06403c7a7a52d8c2a2e7ed5878c339d6905da1718c32b7f8ba07c8cedf866c980f690722e38fb421df3d67e55cc9b380bae38ef392c6234db71242b16f7ff56e352b7a3ca3837a EAP-Message = 0xcf4e92de1e4d6728808dbf8df54d4819c57dabf00e16984114030100010116030100205c95b90821f44df33871c079ce0448065b483c9ef6504c023bba98c997702759 State = 0x0282fb8e018de22c7ff0f6bedc08a825 Message-Authenticator = 0x441cfb0518eb1e533b6445ac9ce68d59 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 15 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 195 to 172.17.6.205 port 32770 EAP-Message = 0x0110003119001403010001011603010020094cda7a332cef09766a43e6416115d88a0b0c2b9538c106d7a79530914df85b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0282fb8e0692e22c7ff0f6bedc08a825 Finished request 74. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=196, length=192 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x021000061900 State = 0x0282fb8e0692e22c7ff0f6bedc08a825 Message-Authenticator = 0xb2541fc85b1ccd57fc7147c181c1f8b1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 16 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 196 to 172.17.6.205 port 32770 EAP-Message = 0x011100201900170301001563bc74883cd5e22b287fdc9866b0cf7b7527605d97 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0282fb8e0793e22c7ff0f6bedc08a825 Finished request 75. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=197, length=222 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x0211002419001703010019cf021abfc4a36083c60b53cf5f495fc64fef8cb5cb08107c9a State = 0x0282fb8e0793e22c7ff0f6bedc08a825 Message-Authenticator = 0x8249cfb08c9015d02c7dd9437b1ecd50 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 17 length 36 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - kledford [peap] Got tunnled request EAP-Message = 0x0211000d016b6c6564666f7264 server (null) { PEAP: Got tunneled identity of kledford PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to kledford Sending tunneled request EAP-Message = 0x0211000d016b6c6564666f7264 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kledford" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 17 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x577c69d6576e7321a99fdce2c06ba398 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x577c69d6576e7321a99fdce2c06ba398 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 197 to 172.17.6.205 port 32770 EAP-Message = 0x011200391900170301002e1f2e6251b0ee12c3a6be5147b62d32ff1e8f5b4d653c72d63b2f51095dd26c88d9e80b73c7c67e4d2642369bb7cf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0282fb8e0490e22c7ff0f6bedc08a825 Finished request 76. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=198, length=276 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x0212005a1900170301004fbe3681cc29c08c6a9cb7790dee6a2413b0ebc8473162dc85f362a9966ab531a0eb62ade6f69f550ca67d378fbff0e34767146eb3407c022ee9bd1e1939557fdd64cd99d5a77b130c13aeea3580be9f State = 0x0282fb8e0490e22c7ff0f6bedc08a825 Message-Authenticator = 0x1d0b5a02f83fd064643cf8b17b61649e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 18 length 90 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264 server (null) { PEAP: Setting User-Name to kledford Sending tunneled request EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kledford" State = 0x577c69d6576e7321a99fdce2c06ba398 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 18 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for kledford with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\022E=691 R=1" EAP-Message = 0x04120004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\022E=691 R=1" EAP-Message = 0x04120004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 198 to 172.17.6.205 port 32770 EAP-Message = 0x011300261900170301001b7d7ecb9363773c2925be6270b36c1cc64746512b567f6487e27a4e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0282fb8e0591e22c7ff0f6bedc08a825 Finished request 77. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=199, length=224 User-Name = "kledford" Calling-Station-Id = "00-11-95-D9-07-77" Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure" NAS-Port = 29 NAS-IP-Address = 172.17.6.205 NAS-Identifier = "South6" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1999" EAP-Message = 0x021300261900170301001b989cf4d191ed8635a159d484e8b3ddcea284fc0177b8ed705dd9d8 State = 0x0282fb8e0591e22c7ff0f6bedc08a825 Message-Authenticator = 0xf942e38c5ad48d5f0723d8062283dcb2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kledford", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 19 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kledford attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 78 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 78 Sending Access-Reject of id 199 to 172.17.6.205 port 32770 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. Cleaning up request 70 ID 191 with timestamp +511079 Cleaning up request 71 ID 192 with timestamp +511080 Waking up in 0.1 seconds. Cleaning up request 72 ID 193 with timestamp +511080 Cleaning up request 73 ID 194 with timestamp +511080 Cleaning up request 74 ID 195 with timestamp +511080 Waking up in 0.1 seconds. Cleaning up request 75 ID 196 with timestamp +511080 Cleaning up request 76 ID 197 with timestamp +511080 Cleaning up request 77 ID 198 with timestamp +511080 Waking up in 1.0 seconds. Cleaning up request 78 ID 199 with timestamp +511080 -- Keith Ledford <kledford AT uga DOT edu> Network Administrator EITS Network Engineering
I am having some issues with setting up 802.1x using freeradius-server-2.1.1-2.el5. I have 3 SSIDs setup. One of them is doing Mac Auth against a file. One is using ldap auth and the other is setup to use 802.1x. Mac auth and ldap auth works great so I know my ldap config in radius should be setup correctly. It looks like the authorize part of 802.1x works but it fails during the authenticate part. Does anyone see what I have messed up? I am sure it is something simple that I am overlooking. I am using windows xp sp3 to try to connect to this network. My wireless network is all Cisco LWAPP AP's connecting to Cisco WLAN controllers and we use Cisco WCS to manage all of these devices. I am trying to setup a secure network using wpa and wpa2 with 802.1x using eap-peap.
The message
'WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?'
shows up also on the non-802.1x ldap auth wlan that works. Let me know if more detail is needed.
Where is his password supposed to be? Ldap auth can't work with mschap, so you need to send the password to freeradius. You need to enable ldap instances in inner-tunnel virtual server (that will be doing mschap auth). Ivan Kalik Kalik Informatika ISP
On Thursday, January 15, 2009 at 20:36:00, tnt@kalik.net wrote:
Where is his password supposed to be? Ldap auth can't work with mschap, so you need to send the password to freeradius. You need to enable ldap instances in inner-tunnel virtual server (that will be doing mschap auth).
The passwords are in the ldap server (Novell). I don't understand what you mean by "so you need to send the password to freeradius" Can you either explain or point me to the proper doc? If ldap auth can't work with mschap what does everyone do to work with standard windows clients? I did enable ldap in the inner-tunnel config file. I did miss that before. Thanks! -- Keith Ledford <kledford AT uga DOT edu> Network Administrator EITS Network Engineering 706.542.0723 phone
The passwords are in the ldap server (Novell). I don't understand what you mean by
"so you need to send the password to freeradius"
It should be made available in userPassword attribute. Or as NT hash in ntPassword or sambaNtPassword.
Can you either explain or point me to the proper doc? If ldap auth can't work with mschap what does everyone do to work with standard windows clients?
Read comments above set_auth_type in ldap module configuration file (raddb/modules/ldap). People make the passwords available to radius. Your debug shows no attributes being passed from ldap to radius (check or reply). Ivan Kalik Kalik Informatika ISP
The passwords need to be extracted from eDirectory and passed to freeradius. This guide is old - I haven't seen what needs to be done with the freeradius config, but it will tell you what you need to do on the Novell end. http://freeradius.org/doc/radiusadmin.pdf Mearl -----Original Message----- From: freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.o rg] On Behalf Of Keith Ledford Sent: Thursday, January 15, 2009 2:41 PM To: FreeRadius users mailing list Subject: Re: 802.1x problems On Thursday, January 15, 2009 at 20:36:00, tnt@kalik.net wrote:
Where is his password supposed to be? Ldap auth can't work with mschap, so you need to send the password to freeradius. You need to enable ldap instances in inner-tunnel virtual server (that will be doing mschap auth).
The passwords are in the ldap server (Novell). I don't understand what you mean by "so you need to send the password to freeradius" Can you either explain or point me to the proper doc? If ldap auth can't work with mschap what does everyone do to work with standard windows clients? I did enable ldap in the inner-tunnel config file. I did miss that before. Thanks! -- Keith Ledford <kledford AT uga DOT edu> Network Administrator EITS Network Engineering 706.542.0723 phone - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
There are comments about eDirectory in ldap module configuration file. You might need to rebuild the server. Ivan Kalik Kalik Informatika ISP Dana 15/1/2009, "Danner, Mearl" <jmdanner@samford.edu> piše:
The passwords need to be extracted from eDirectory and passed to freeradius.
This guide is old - I haven't seen what needs to be done with the freeradius config, but it will tell you what you need to do on the Novell end.
http://freeradius.org/doc/radiusadmin.pdf
Mearl
-----Original Message----- From: freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.o rg] On Behalf Of Keith Ledford Sent: Thursday, January 15, 2009 2:41 PM To: FreeRadius users mailing list Subject: Re: 802.1x problems
On Thursday, January 15, 2009 at 20:36:00, tnt@kalik.net wrote:
Where is his password supposed to be? Ldap auth can't work with mschap, so you need to send the password to freeradius. You need to enable ldap instances in inner-tunnel virtual server (that will be doing mschap auth).
The passwords are in the ldap server (Novell). I don't understand what you mean by
"so you need to send the password to freeradius"
Can you either explain or point me to the proper doc? If ldap auth can't work with mschap what does everyone do to work with standard windows clients?
I did enable ldap in the inner-tunnel config file. I did miss that before. Thanks!
-- Keith Ledford <kledford AT uga DOT edu> Network Administrator EITS Network Engineering 706.542.0723 phone - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Danner, Mearl -
Keith Ledford -
tnt@kalik.net