help with EAP MD5 wired authentication
Hi, I am struggling with EAP-MD5 wired authentication for last couple of days. I checked the web and archives but to no avail. I am using XP supplicant. Tried with Funk's supplicant also but same result. Any help will be highly appreciated. Thanks Anup My users file has following towards the end # On no match, the user is denied access. a User-Password == "a" "test" User-Password == "test" "Administrator" User-Password == "pnbidm123!" aparkhi Auth-Type := System, User-Password == "aparkhi" DEFAULT Auth-Type := Accept Reply-Message = "All users are allowed, Welcome %u." Radiusd.conf has 1. modules section ... pap { encryption_scheme = crypt } # CHAP module # # To authenticate requests containing a CHAP-Password attribute. # chap { authtype = CHAP } ... $INCLUDE ${confdir}/eap.conf mschap { ... } files { ... } ... The console output of radiusd -X -s is Ready to process requests. rad_recv: Access-Request packet from host 10.11.12.107:1024, id=76, length=214 Framed-MTU = 1480 NAS-IP-Address = 10.11.12.107 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "test" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 24 NAS-Port-Type = Ethernet NAS-Port-Id = "24" Called-Station-Id = "00-0f-20-8d-04-c8" Calling-Station-Id = "00-c0-9f-0d-4a-1f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1010" EAP-Message = 0x020200090174657374 Message-Authenticator = 0xb12214c2d6fb14f33c7cc758ccfb54b7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 76 to 10.11.12.107:1024 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x0103001604100118f4899111b27fc08900284095e5e2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x33fe6026586af730cd367983bb9ea8b6 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77, length=249 Framed-MTU = 1480 NAS-IP-Address = 10.11.12.107 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "test" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 24 NAS-Port-Type = Ethernet NAS-Port-Id = "24" Called-Station-Id = "00-0f-20-8d-04-c8" Calling-Station-Id = "00-c0-9f-0d-4a-1f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1010" State = 0x33fe6026586af730cd367983bb9ea8b6 EAP-Message = 0x0203001a04101c913399463bebf9f6dc2d0af18f0c7974657374 Message-Authenticator = 0x2592cd875d1068f5b16fe7999f451769 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 26 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77, length=249 Sending Access-Reject of id 77 to 10.11.12.107:1024 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 76 with timestamp 43826690 Cleaning up request 1 ID 77 with timestamp 43826690 Nothing to do. Sleeping until we see a request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi i have the same problem with peap/mschapv2 authentication... its missing the "User-Password" attribute... but i dont know why... look at your error rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication bye Konne
hi the following line seems to be principally correct (don't use explicit Auth-Type):
a User-Password == "a"
the eap module fails in authentication because it can't find the User- Password for the user. Make sure that the "files" module is used in authorize i.e. that the users file is actually used. the modules pap and mschap are of no interest whatsoever. also, i don't understand the DEFAULT accept policy - imho it's nonsense. hope this helps artur
1. modules section ... pap { encryption_scheme = crypt }
# CHAP module # # To authenticate requests containing a CHAP-Password attribute. # chap { authtype = CHAP } ... $INCLUDE ${confdir}/eap.conf
mschap { ... }
files { ... }
...
The console output of radiusd -X -s is
Ready to process requests. rad_recv: Access-Request packet from host 10.11.12.107:1024, id=76, length=214 Framed-MTU = 1480 NAS-IP-Address = 10.11.12.107 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "test" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 24 NAS-Port-Type = Ethernet NAS-Port-Id = "24" Called-Station-Id = "00-0f-20-8d-04-c8" Calling-Station-Id = "00-c0-9f-0d-4a-1f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1010" EAP-Message = 0x020200090174657374 Message-Authenticator = 0xb12214c2d6fb14f33c7cc758ccfb54b7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 76 to 10.11.12.107:1024 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x0103001604100118f4899111b27fc08900284095e5e2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x33fe6026586af730cd367983bb9ea8b6 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77, length=249 Framed-MTU = 1480 NAS-IP-Address = 10.11.12.107 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "test" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 24 NAS-Port-Type = Ethernet NAS-Port-Id = "24" Called-Station-Id = "00-0f-20-8d-04-c8" Calling-Station-Id = "00-c0-9f-0d-4a-1f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1010" State = 0x33fe6026586af730cd367983bb9ea8b6 EAP-Message = 0x0203001a04101c913399463bebf9f6dc2d0af18f0c7974657374 Message-Authenticator = 0x2592cd875d1068f5b16fe7999f451769 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 26 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 183 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.11.12.107:1024, id=77, length=249 Sending Access-Reject of id 77 to 10.11.12.107:1024 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 76 with timestamp 43826690 Cleaning up request 1 ID 77 with timestamp 43826690 Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html <2#Mime.822> <GWAVADAT.TXT> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
participants (3)
-
anup_parkhi@hotmail.com -
Artur Hecker -
Konne