I installed FreeRadius 1.1.2 on FreeBSD 6.0. I followed the HOWTO from http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html to configure the server. When I ran radtest, it show the message like this: Sending Access-Request of id 153 to 10.1.1.3 port 1645 User-Name = "user@sisni" User-Password = "sni" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 rad_recv: Access-Accept packet from host 10.1.1.3:1645, id=153, length=20 or Sending Access-Request of id 153 to 10.1.1.3 port 1645 User-Name = "user" User-Password = "sni" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 rad_recv: Access-Accept packet from host 10.1.1.3:1645, id=153, length=20 The user 'user' already registered inside /etc/password: user:*:1006:1006:user_radius_sisni:/home/user:/usr/sbin/nologin In radius.conf , proxy_request is set to No. And the $INCLUDE ${confdir}/proxy.conf is already commented. But I still got this message: rlm_realm: Proxy reply, or no User-Name. Ignoring. This is the content from huntgroup file: LNS-KPU-SM2 NAS-IP-Address == 10.1.1.0 This is the content from hints file DEFAULT Suffix == "@sisni", Strip-User-Name = Yes Hint = "sisni", If I tried to dial the Radius from Windows terminal, it always give me an error like this: *Error 691*: Access was denied because the user name and/or password was invalid on the domain Please help me to fix the error. Thank you. -Pungki Here is the last message in /var/log/radacct/10.1.1.0/detail-20071203 Acct-Status-Type = Accounting-On NAS-IP-Address = 10.1.1.0 NAS-Identifier = "LNS-KPU-SM2" Acct-Authentic = RADIUS Acct-Session-Id = "load:2147484043" Event-Timestamp = "Nov 22 2007 10:25:47 WIT" Acct-Delay-Time = 957324 Client-IP-Address = 10.1.1.0 Timestamp = 1196662186 Here is the message that show after radiusd -X command. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5 eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1645 Listening on accounting *:1646 Ready to process requests. rad_recv: Accounting-Request packet from host 10.1.1.0:50016, id=223, length=80 Acct-Status-Type = Accounting-On NAS-IP-Address = 10.1.1.0 NAS-Identifier = "LNS-KPU-SM2" Acct-Authentic = RADIUS Acct-Session-Id = "load:2147484043" Event-Timestamp = "Nov 22 2007 10:25:47 WIT" Acct-Delay-Time = 952314 Processing the preacct section of radiusd.conf modcall: entering group preacct for request 0 modcall[preacct]: module "preprocess" returns noop for request 0 rlm_realm: Proxy reply, or no User-Name. Ignoring. modcall[preacct]: module "suffix" returns noop for request 0 modcall: leaving group preacct (returns noop) for request 0 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 0 radius_xlat: '/var/log/radacct/10.1.1.0/detail-20071203' rlm_detail: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.1.1.0/detail-20071203 modcall[accounting]: module "detail" returns ok for request 0 modcall[accounting]: module "unix" returns noop for request 0 radius_xlat: '/var/log/radutmp' rlm_radutmp: NAS callback restarted (Accounting-On packet seen) modcall[accounting]: module "radutmp" returns ok for request 0 modcall: leaving group accounting (returns ok) for request 0 Sending Accounting-Response of id 223 to 10.1.1.0 port 50016 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Accounting-Request packet from host 10.1.1.0:50016, id=224, length=80 Acct-Status-Type = Accounting-On NAS-IP-Address = 10.1.1.0 NAS-Identifier = "LNS-KPU-SM2" Acct-Authentic = RADIUS Acct-Session-Id = "load:2147484043" Event-Timestamp = "Nov 22 2007 10:25:47 WIT" Acct-Delay-Time = 952317 Processing the preacct section of radiusd.conf modcall: entering group preacct for request 1 modcall[preacct]: module "preprocess" returns noop for request 1 rlm_realm: Proxy reply, or no User-Name. Ignoring. modcall[preacct]: module "suffix" returns noop for request 1 modcall: leaving group preacct (returns noop) for request 1 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 1 radius_xlat: '/var/log/radacct/10.1.1.0/detail-20071203' rlm_detail: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.1.1.0/detail-20071203 modcall[accounting]: module "detail" returns ok for request 1 modcall[accounting]: module "unix" returns noop for request 1 radius_xlat: '/var/log/radutmp' rlm_radutmp: NAS callback restarted (Accounting-On packet seen) modcall[accounting]: module "radutmp" returns ok for request 1 modcall: leaving group accounting (returns ok) for request 1 Sending Accounting-Response of id 224 to 10.1.1.0 port 50016 Finished request 1 Going to the next request --- Walking the entire request list ---
pungki arianto wrote: ...
The user 'user' already registered inside /etc/password: user:*:1006:1006:user_radius_sisni:/home/user:/usr/sbin/nologin
Ok...
In radius.conf , proxy_request is set to No. And the $INCLUDE ${confdir}/proxy.conf is already commented. But I still got this message: rlm_realm: Proxy reply, or no User-Name. Ignoring.
The "realms" module is being used. See "suffix" and "prefix" in radiusd.conf.
If I tried to dial the Radius from Windows terminal, it always give me an error like this: *Error 691*: Access was denied because the user name and/or password was invalid on the domain
The Windows machine is using MS-CHAP. You cannot authenticate users who are in /etc/password using MS-CHAP. It's impossible. The server needs access to the clear-text, or NT hashed password. (debug log of accounting packets deleted. It has nothing to do with authentication requests.) Alan DeKok.
If I tried to dial the Radius from Windows terminal, it always give me an error like this: *Error 691*: Access was denied because the user name and/or password was invalid on the domain
The Windows machine is using MS-CHAP. You cannot authenticate users who are in /etc/password using MS-CHAP. It's impossible.
The server needs access to the clear-text, or NT hashed password.
How can I create clear text password for user? Is there any documentation that I have to read for setting that? -Pungki
On Dec 4, 2007 1:19 PM, Alan DeKok <aland@deployingradius.com> wrote:
pungki arianto wrote:
How can I create clear text password for user? Is there any documentation that I have to read for setting that?
Yes. Lots. The FAQ, config files, etc.
I read the FAQ from http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself but the Cleartext-Password attribute is only for freeradius 1.1.6 / 1.1.7 or 2.0.0pre2. I'm using freeRadius 1.1.2 and Cleartext-Password attribut is not known by the server. Does this version (1.1.2) support Cleartext-Password? -Pungki
On Dec 4, 2007 10:32 AM, pungki arianto <pungki.arianto@gmail.com> wrote:
I read the FAQ from http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself but the Cleartext-Password attribute is only for freeradius 1.1.6 / 1.1.7 or 2.0.0pre2. I'm using freeRadius 1.1.2 and Cleartext-Password attribut is not known by the server. Does this version (1.1.2) support Cleartext-Password?
Use User-Password instead. Regards, Liran Tal.
Is there any further HOWTO or somebody who can give me detailed instruction on how to get PEAP authentication done with a WinXP Client? I've installed the microsoft hotfix for SP2, but I don't see what to do with this xpextensions file. Thanks in advance - Bernd
Bernd wrote:
Is there any further HOWTO or somebody who can give me detailed instruction on how to get PEAP authentication done with a WinXP Client? I've installed the microsoft hotfix for SP2, but I don't see what to do with this xpextensions file.
See the Wiki and the comments in eap.conf in 1.1.7. The xpextensions issues are discussed there. Alan DeKok.
I think my problem is not with the XPextensions file. So it should be the hotfix. I get 2 files. If I extract/install them, I see that one is the hotfix and one is a directory called "symbols". I don't think that I can do anything wrong with the installation of the hotfix part (just agreeing to what it tells me shouldn't be so hard). So what does this "symbols" directory do? And where should it be copied to? I disabled "validate server certificate" on the client to test if it works this way. And I get an Access-Accept from the Server. But my connection is up for just a few seconds. What can I do to work around this? Regards Bernd -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org [mailto:freeradius-users-bounces+s4ndm4n=gmx.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Dienstag, 4. Dezember 2007 14:30 An: FreeRadius users mailing list Betreff: Re: xpextensions question Bernd wrote:
Is there any further HOWTO or somebody who can give me detailed instruction on how to get PEAP authentication done with a WinXP Client? I've installed the microsoft hotfix for SP2, but I don't see what to do with this xpextensions file.
See the Wiki and the comments in eap.conf in 1.1.7. The xpextensions issues are discussed there. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And I get an Access-Accept from the Server.
So, radius works fine then.
But my connection is up for just a few seconds.
Why? What is missing or wrong and making the connection go down? Answer that and your troubles are over. Debug PPP or whatever connection you are making and see what's going on. Ivan Kalik Kalik Informatika ISP
Bernd wrote:
I think my problem is not with the XPextensions file. So it should be the hotfix. I get 2 files. If I extract/install them, I see that one is the hotfix and one is a directory called "symbols". I don't think that I can do anything wrong with the installation of the hotfix part (just agreeing to what it tells me shouldn't be so hard). So what does this "symbols" directory do? And where should it be copied to?
Ask Microsoft. I don't run Windows.
I disabled "validate server certificate" on the client to test if it works this way. And I get an Access-Accept from the Server. But my connection is up for just a few seconds. What can I do to work around this?
There's something else going wrong. i.e. lost signal, NAS is broken, etc. Alan DeKok.
Place it in the /certs directory. It will be used by CA.all script to generate certificates usable with XP supplicant. Ivan Kalik Kalik Informatika ISP Dana 4/12/2007, "Bernd" <s4ndm4n@gmx.de> piše:
Is there any further HOWTO or somebody who can give me detailed instruction on how to get PEAP authentication done with a WinXP Client? I've installed the microsoft hotfix for SP2, but I don't see what to do with this xpextensions file.
Thanks in advance - Bernd
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pungki arianto wrote:
but the Cleartext-Password attribute is only for freeradius 1.1.6 / 1.1.7 or 2.0.0pre2. I'm using freeRadius 1.1.2 and Cleartext-Password attribut is not known by the server. Does this version (1.1.2) support Cleartext-Password?
Upgrade. http://freeradius.org/security.html Alan DeKok.
participants (5)
-
Alan DeKok -
Bernd -
liran tal -
pungki arianto -
tnt@kalik.co.yu